Humans are the gatekeepers of security. With the right training and support, they are our strongest weapon against cyber threats. However, many employees don’t receive that support, which leaves them extremely vulnerable. This is especially true now that cybercriminals have become quite savvy at luring vulnerable people in and persuading them to click on a link or open an attachment.
Phishing attacks are one of the primary attack vectors used by malicious actors in order to trick users into releasing personal data and other sensitive information. Phishing attacks are part of a broader technique known as “Social Engineering”.
What is Social Engineering?
Social engineering refers to the psychological manipulation of human behavior that makes people act in certain ways or divulge confidential information. It’s a technique that exploits our cognitive biases and basic instincts (e.g. trust) for the purpose of gathering information, fraud, or system access.
Sometimes referred to as “human hacking,” social engineering is the favorite tool of hackers worldwide. While this was historically practiced face-to-face, over the phone, or through printed writing, social engineering nowadays occurs on massive scales through social media and other internet platforms. The revelations regarding Cambridge Analytica’s use of Facebook data are only one indication of the potential threat of social engineering.
Social engineering techniques are based on specific attributes of human decision-making processes known as cognitive biases. These biases, sometimes called “bugs in the human hardware”, help the brain take shortcuts to process information quickly, but they also leave us open to exploitation through social engineering. For instance, representativeness is our tendency to group similar-looking stimuli together. Each time we see a car, we don’t have to remember the specific color or make. Our brain looks at the object, sees its four wheels, movement, and general shape, and says “car.”
Social engineers exploit this bias in the cyber domain. For instance, we might receive many emails from Apple, Amazon or our bank, but we’re not necessarily going to look too closely at a false one with the same logo. Our brain will just say “Amazon email,” and click on a link or type in our credit card number.
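The “Amazon email” trap above can be caught mechanically where the eye cannot: a mail filter can compare the brand a display name claims against the domain the message actually came from. The following is an added example, not code from the original article; the brand-to-domain table and the sample From headers are constructed for illustration.

```python
# Added example (not from the original article): flag messages whose From
# display name claims a well-known brand while the sender domain does not
# belong to that brand. This is the check the representativeness bias skips.
import re
from email.utils import parseaddr

# Constructed allow-list: brands a user commonly hears from and the domains
# those brands actually send from. A real deployment would load this from config.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "apple": {"apple.com", "email.apple.com"},
}


def sender_domain(address):
    """Return the lowercase domain part of an email address ('' if malformed)."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def domain_belongs_to(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def brand_mismatch(from_header):
    """Return the brand name a message falsely claims, or None if consistent.

    A brand is 'claimed' when it appears as a word in the display name or as a
    label in the sender domain (e.g. a lookalike like amazon-billing.example)."""
    display_name, address = parseaddr(from_header)
    domain = sender_domain(address)
    claimed = set(re.findall(r"[a-z0-9]+", display_name.lower()))
    claimed |= set(re.findall(r"[a-z0-9]+", domain))
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in claimed and not domain_belongs_to(domain, allowed):
            return brand
    return None


def flag_suspicious(from_headers):
    """Return the From headers in the list that fail the brand/domain check."""
    return [h for h in from_headers if brand_mismatch(h) is not None]


if __name__ == "__main__":
    # Constructed sample headers: one genuine-looking, one lookalike, one unrelated.
    samples = [
        "Amazon.com <no-reply@amazon.com>",
        "Amazon Customer Service <support@amazon-billing-update.com>",
        "IT Helpdesk <helpdesk@example.org>",
    ]
    for header in flag_suspicious(samples):
        print("brand/domain mismatch:", header)
```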
Social engineering relies heavily on the six principles of influence established in Robert Cialdini’s “Influence: The Psychology of Persuasion”:
- Reciprocity. People tend to return a favor, hence the pervasiveness of free samples in marketing.
- Commitment and consistency. If people are committed to an idea or goal, they are more likely to honor that commitment because it’s now congruent with their self-image. Even if the original incentive or motivation is removed after they have already committed, people will continue to honor the agreement.
- Social proof. People will do things that they see others doing.
- Authority. People will tend to obey authority figures, even if they’re asked by those figures to perform objectionable acts.
- Liking. People are easily persuaded by others that they like.
- Scarcity. Perceived scarcity will generate demand. For example, by saying offers are available for a “limited time only,” retailers encourage sales.
What is Phishing?
Phishing is a cyber attack that uses disguised email as a weapon. The goal is to trick the email recipient into believing that the message is something they want or need — a request from their bank, for instance, or a note from someone in their company — and to click a link or download an attachment.
What really distinguishes phishing is the form the message takes: the attackers masquerade as a trusted entity of some kind, often a real or plausibly real person, or a company the victim might do business with. It’s one of the oldest types of cyberattacks, dating back to the 1990s, and it’s still one of the most widespread and pernicious, with phishing messages and techniques becoming increasingly sophisticated.
Some phishing scams have succeeded well enough to make it to the headlines:
- Perhaps one of the most consequential phishing attacks in history happened in 2016 when hackers managed to get Hillary Clinton campaign chair John Podesta to offer up his Gmail password.
- The “fappening” attack, in which intimate photos of a number of celebrities were made public, was originally thought to be a result of insecurity on Apple’s iCloud servers but was, in fact, the product of several successful phishing attempts.
- In 2016, employees at the University of Kansas responded to a phishing email and handed over access to their paycheck deposit information, resulting in them losing pay.
What is Spear Phishing?
Spear phishing involves highly specialized attacks against specific targets or small groups of targets to collect information or gain access to systems. For example, a cybercriminal may launch a spear-phishing attack against a business to gain credentials to access a list of customers. From that attack, they may launch a phishing attack against the customers of the business. Since they have gained access to the network, the email they send may look even more authentic. Because the recipient is already a customer of the business, the email may more easily make it through filters, and the recipient may be more likely to open it.
The cybercriminal can use even more devious social engineering efforts such as indicating there is an important technical update or new lower pricing to lure people.
How Can You Protect Yourself?
Jenny Radcliffe, “The People Hacker”, offers some valuable advice on how not to be phished:
“The basics are still very important to keep safe from Social Engineers, and being careful what information we put about ourselves online makes us less of a personal target for scammers. People should lock down their social media accounts so that not all their information, and especially identifying or location information, is available to everyone; changing settings to “friends only” is a good start, as is being careful whom we accept as contacts online. Most importantly, whether online, over the phone or in person, when someone asks about money, makes us emotional or asks us to take action for them, whether clicking on a link, giving information or doing something on another person’s behalf, we should take time to verify the person independently and check whether or not they are legitimate. These basic steps would stop a lot of social engineering from doing financial or personal damage.”