What makes these attacks so successful is the underpinning use of psychology. In some ways social engineers use tricks and manipulation to further their cause, but more fundamentally, they are wielding well-honed social savvy, known human errors and influence to cue into how people will think, feel and react. This is what separates the good, the bad and the ugly in phishing attacks. The “click here” emails without any context, sent by a mystery Prince, will most likely result in a press of the delete button, but by using a few simple psychology techniques such as developing a pretext (“please fill in this quick survey about your current understanding of quality management”), context (“to help us gauge knowledge levels”), scarcity (“the survey will expire in ten minutes”) and authority (“signed, Head of Quality”), a hacker’s click rate is bound to be higher.
Closely related to influence and psychology is a behavioural science concept that helps us make sense of some of the complexities of human behaviour and how people come to decisions. Daniel Kahneman writes about a process of ‘thinking fast and slow’[ii], otherwise known as System 1 and System 2 thinking. Put simply, it’s the distinction between automatic and deliberate thought processes:
- System 1 is the brain’s fast, automatic and intuitive approach. Normally influenced by emotions and instinct, System 1 activity includes answering simple maths questions, e.g. 2 + 2 = 4, or making those impulse buys on a whim.
- System 2 is the mind’s slower, analytical mode, where reason dominates. It is activated when we require concentration or some mental exertion.
Now, I’m not suggesting every hacker has a degree in psychology or behavioural science, but they can be known to take advantage of these systems without even realising it themselves. Those phishing emails purporting to be from your boss, who is in “urgent need of help” and just so happens to have misplaced your mobile number, evoke feelings of urgency, resulting in quick System 1 thinking and your number being sent. Similarly, that email stating that a “dog has been injured in the car park, whose is it… please find picture attached” not only plays right into System 1 by inducing an immediate emotional reaction, but also into humans’ natural empathy.
So, how do you protect yourself and your business? Engage System 2. Contrary to the popular saying, think first, act later…
- Peel back that veil of trust you may have for everything that lands in your inbox and check your source – the actual email address behind the display name might be something nefarious.
- If you can utilise another method of communication to contact the person being impersonated, do!
- Get a colleague’s opinion on it (although please don’t go around forwarding malware).
- And if it sounds too good to be true, it probably is!
Looking at the wider picture, psychology and social engineering are so intertwined, yet many businesses seem to neglect their biggest vulnerability, people, in favour of technological solutions. If your employees understand how humans make decisions, they can start to recognise how a malicious actor can use psychological principles, cognitive biases and the art of social engineering to get them to take an action that is not in their best interest[iii]. Courses, internal training, even simple reminders that phishing can come in all sorts of mediums with varying messages should help to defend against the human hacker. After all, knowledge is power.
[i] ‘Cost of a Data Breach Report 2021’, IBM Security
[ii] ‘Thinking, Fast and Slow’, Daniel Kahneman
[iii] ‘Human Hacking: Win Friends, Influence People and Leave Them Better Off for Having Met You’, Christopher J. Hadnagy