Hackers leverage behavioral science to trick us.
Social engineering is the art of manipulation. It relies on humans' natural tendencies and biases to achieve its goals. By understanding how these weapons of influence work, we can arm ourselves against them.
We'll look at behavioral science to understand why people are susceptible to these weapons of influence, and we'll discuss ways to protect your teams from phishing attacks and other social engineering scams.
Weapons of influence are key to successful social engineering. Successful hackers understand these weapons and use them to exploit human behavior and manipulate their victims. For example, take the case of phishing scams, which use weapons of influence like authority and urgency to trick people into giving up sensitive information. By impersonating a credible source, scammers can convince their victims that they are trustworthy, and a hack is just a malicious link click away.
When we perceive someone or some organization as an authority, we're more likely to trust communications from them. Unfortunately, this makes us prime targets for phishing attacks. Phishers exploit our trust in authoritative brands by impersonating a known, trusted organization via email. They use social engineering techniques to trick us into clicking on a malicious link or downloading malware.
The issue usually isn't the victim's lack of knowledge. In fact, most employees know that they could be hacked from a phishing email. The hack works because the scammer's use of a trusted brand lures the victim into a false sense of comfort. In this state, the victim makes a quick, reactive decision to click the link. Nobel Prize winning economist Daniel Kahneman calls this System 1 thinking - nearly instantaneous, automatic decision-making. When our brains utilize System 1, our critical thinking goes out the window, replaced by rapid, instinctual decisions. Hackers know and leverage this behavior.
By creating a false sense of urgency, attackers can convince victims to take actions that they wouldn't normally take. This includes falling for a phishing email or sharing sensitive information over the phone. When we feel pressed for time, we are more likely to rely on mental shortcuts, which make us more susceptible to social engineering techniques.
Hackers use urgency against us in many ways. As an example, they may pretend to be your bank with a warning email that there is a problem with your account, and funds will be lost without immediate action. This creates a sense of panic and makes people more likely to do exactly what the scammer desires - clicking on that link or handing over a password.
In another version of this attack, the scammer will take impersonate a family member and claim they've got an urgent need for cash. This works particularly well when the hacker sees a social media post showing that someone's children are on vacation in a foreign country. Sometimes all it takes is a quick call to Grandma with a fake story about young Johnny being in trouble in Mexico and needing cash immediately. And since you're wondering - yes, they can find Grandma's information, too!
Ultimately, humans do not react the same at all times. There are times when we are relaxed and focused and would never click on a phony email. But there are times when we are stressed and blowing through a giant inbox, and we can easily fall for a phish.
Since successful social engineering attacks against your employees rarely succeed due to a victim's lack of knowledge, we need to solve this problem from a behavioral standpoint. This means we have to train users in safe online behaviors to avoid these hacks.
When an employee receives an email that appears to come from a trusted source like a LinkedIn notification, the safe behavior is to open up a browser and go directly to LinkedIn's site to accept that friend request or react to a client's post. There is no need to click that email link - ever!
Similarly, when an employee receives an email that appears to be from the CEO requesting an urgent wire transfer, the safe behavior is to verify with another executive first and follow internal protocol for wire safety. The cost of a lost wire transfer is far greater than any delay in verifying the request's legitimacy.
Now for the good news - INFIMA trains your team on the safe behaviors designed to keep your organization and your people safe.
Rooted in Behavioral Science, INFIMA focuses on removing unsafe behaviors in your team and replacing them with consistent, safe practices. Through regular phishing simulations, your employees experience varying tests across multiple emotional states.
And the best part - we make it easy with our fully automated Security Awareness Training platform, built for the MSP community.
If you're an MSP and want to learn more, go check out how we work with Partners here. If you like what you see, book a time to chat!
Photo by Ante Majic
Join the newsletter to receive the latest updates in your inbox.