The Psychology of Phishing

[Inspired by an article in the Kaspersky Lab Blog by Anastasia Gridasova linked here.]

If I was to drop the words vulnerability and cyber-security in a conversation, most of my audience would consider errors in programming and security “loopholes” as being the only weaknesses that could be exploited. However, in many cases, the human users of computers are, in themselves, the “weakest link”. We all to a greater or lesser degree have vulnerabilities built into our brains that criminals will exploit for their own gain. These exploitation of these weaknesses are categorized under a broad term of “social engineering” another term you probably have heard being used in IT circles.

Anastasia Gridasova, a qualified psychologist and researcher at Kaspersky Labs (a big cyber-security firm who brought us Kaspersky AntiVirus), recently wrote an article on the Kaspersky Lab blog, that provided me with some valuable information regarding the “Spear phishing psychology”. I used a lot of the information and subject matter in this article. All credit goes to her.

It might seem a bit of a misnomer to imply that the term “social engineering” is not “engineering” nor is it “social”, but essentially social engineering is a method that uses both sociology and psychology – to manipulate human beings into performing a certain way by creating a specific environment that exploits 4 base human emotions: Curiosity, Empathy, Fear and Greed (the last one being my personal favourite) In other words, social engineers are skilled in exploiting peoples’ fears, emotions and reflexes, to get them to do what they want them to do – that is to part with useful and sensitive information.

I concede that some politically-correctness advocates might insist that I am wrong in calling these “vulnerabilities” as they are normal, natural human emotions, but when these emotions are exploited to the detriment of potential victims, they are vulnerabilities. Emotions can be manipulated to sway the victims in such a way that they respond automatically, without sitting back and first thinking and analyzing the situation.

These cyber-criminals have many tricks up their sleeves, so some of their methods will work better on some people than others.

Reverence for Authority:

Anastasia talks about a “cognitive bias” in her article that controls behavior, perception and thinking. We all have a tendency, to a greater or lesser degree, to obey those people with higher degrees of experience or power, while ignoring our own judgements about the validity of our superiors’ actions.

When you are driving down a highway, abiding by the speed limit, and you encounter a traffic cops driving slower than the speed limit, your natural urge is to drop your speed and travel slower because of your cognitive bias for the authority that the traffic cop represents.

In phishing attacks you might get an e-mail from your boss. If this mail instructed you to film yourself dancing in nothing but your underwear, and then to send the video to 10 friends, you might think twice before complying. But if your “boss” is asking you to open up an attached document and provide them with some sensitive information, you might be more inclined to open up the attachment.

A Sense of Urgency:

Creating a sense of urgency is one of the most popular psychological manipulation techniques employed by social engineers. They use fear and an overt sense of urgency to coerce their victims into making “on-the-spot” decisions. Does the phrase “An attempt was made to access your account. If this was not you, click this link immediately…” ring a few bells? When the clock is ticking, the probability of succumbing to instinct and making an “emotional decision” rather than a rational one is greatly increased.

E-mail messages that scream “urgent” and “IMPORTANT” (all in caps) fall into this category. In some cases trigger words are highlighted in red – the colour of danger, to enhance the effect.

Unconscious Actions:

In psychology the term “automatisms” are defined as instinctive actions taken without the direct conscious involvement of the conscious mind. I learned that unconscious actions can be primary ( for example, snatching your hand away from a hot stove plate) or secondary (trying to open a door with a sign that says “Pull” on it when you are Push-ing) Social Engineers try to trigger or force unconscious actions when sending phishing e-mails. These include “Failed to deliver e-mail…Click to Resend” messages. There are also annoying newsletters with large “Unsubscribe” buttons and fake notifications about new comments on social networks (@realDonaldTrump has liked your tweet)

I saw a small program once that had the [OK] and [Cancel] button deliberately swapped. I found myself clicking on [Cancel] more often when I intended to click on [OK]. My own “automatism” was at work.

Unexpected revelations:

This is another common method employed by social engineers. Our psychological makeup creates a tendency to accept information packages as an honest admission to be seen less critically than if it was discovered by yourself.

As an example, you get a message that says: “We regret to inform you that we have suffered a password leak. Please click the link to see if your are on the list of those affected”. This message would be far more readily accepted than finding out yourself that your password might have been compromised. It is the old “blame game”. It is better that someone else came get the blame for your own mistakes.

How to protect yourself against these common social engineering tactics:

From the outset we all need to realize that the perceptions and tendencies, which play into the hands of cyber criminals, are biological. They are part of the human brain’s development, and helped us for thousands of years to adapt and cope with the world. These vulnerabilities developed out of our lack of critical thinking skills – the mob mentality – but we can all help ourselves spot these nefarious manipulations by knowing a bit about human psychology:

Read messages from persons in authority with a critical eye: Ask yourself: Why is my boss asking me to open a password-protected ZIP file and giving your the password in the same e-mail? Or why would Human Resources address you in an e-mail as “Dear Client”and asking you to confirm your bank account details if they have that already on record? If something looks odd, it probably is. Clarify there request by using a different communications channel like picking up the phone and calling the sender to check!

Do not react immediately to messages demanding “urgent” action: E-mail by its very nature is a quick and efficient means of communication but it is not instant, nor is it ever urgent! (E-mail can remain unread for days or months!) Fight your natural instinct to panic. Check the sender, domain and the link (by hovering your mouse pointer over it and not clicking) before clicking on anything. If you are still in doubt, get in touch with someone who might be more knowledgeable – like Information Technology.

If you notice that you have a habit of automatically responding to some types of messages, run through your typical sequence of actions again, but this time consciously. Take a deep breathe and pause before clicking. If it is your habit to check your e-mail first thing in the morning when you get into work, change your routine, if you are stressed or preoccupied. This can help to de-automatize your responses by activation your conscious mind at the right moment.

Check your sources: Don’t be afraid to ask questions even if you feel people might think that you are stupid or paranoid. Most computer geeks are actually quite pleasant and approachable, unless they are really busy or under pressure. In most cases I have found that they are quite willing to answer your questions or concerns. Your question might actually be helpful to them, by making them aware of a potential threat that they might not have been aware of.

Stay safe out there…