Phishing — what do cybercriminals know about us?
20 June 2020
Our fear, stress and uncertainty lower cyber defences.
When you clicked to read this article, you may have assumed we would be exploring the information available on the dark web. Or perhaps we would be looking at statistics on breaches, compromised passwords and scams in 2020.
Actually, we are going to explore something far more valuable – what scammers know about how we operate as humans, our fundamental drivers, and our most innate response to situations.
We will look at how they use this knowledge to create convincing phishing attacks and manipulate the action we take.
In understanding this, we can anticipate rises in topic-specific phishing activity and undertake the necessary preparations for it. We can also consider how to use this knowledge of human response factors to influence company-wide phishing campaigns.
Our current global reality
We are a world in crisis. The global coronavirus pandemic has resulted in changes to how we behave and interact, and how we live and work. These changes have been sudden, and the effects will be long lasting.
From a psychological perspective, it is widely known that when people are in crisis they absorb, process and act on information in a different way.
We know this…and so do cybercriminals.
Relying on a state of uncertainty
The starting point in any new situation or crisis is uncertainty. As the pandemic has developed over the last three months, we have seen an evolution in the information available about the virus – from how it spreads to who it affects to how it can be cured.
In the beginning, there were more questions than answers. At this stage the full magnitude of the situation was unclear, the cause was unclear and what people needed to do was unclear. Our psychological response to reduce the ‘anxiety’ surrounding this uncertainty was to seek out information, either to broaden our understanding, determine our options or to confirm or disconfirm our beliefs.
Cybercriminals know that people will seek out information from any source to allay their fears.
This is why there was a 350% increase in the creation of fake coronavirus sites during the first three months of 2020. It also helps explain Google’s revelation that it blocks an average of 18 million coronavirus-themed emails every day.
These fake sites and associated scams are fertile ground for cybercriminals looking to infect victims’ devices with malicious software, or to harvest sensitive or personal information or login credentials.
One such attack discovered by IBM researchers involves phishing emails containing malicious documents disguised as information about coronavirus relief payments. When the attachment is opened, the victim is encouraged to enable macros, releasing the Zeus Sphinx malware onto the victim’s device.
Zeus Sphinx inserts malicious code into browser processes, which redirects victims to fake domains when they try to visit financial websites. The malware then steals the victim’s credentials, such as usernames, passwords and banking details.
Manipulation of fear
Fear is another psychological consideration that is manipulated by cybercriminals. In a state of crisis, fear is a common human behavioural reaction. And this fear may make people act, or react, in ways they wouldn’t usually.
Cybercriminals know this.
They know people will open emails they wouldn’t ordinarily open because they may contain a nugget of information. They know people will follow links in social media posts because they look like something new about the situation. They know people are more likely to ‘share’ these posts across their social network, out of a genuine desire to help others cope with the fear, uncertainty and perceived lack of information.
It is a scammer’s paradise.
When people experience stress, this releases a hormone that impairs the processing ability of areas of our brain. We can experience cognitive overload, and when in this heightened state we can miss nuances in any messaging.
Cybercriminals know this and therefore know that more of their phishing scams are likely to be successful.
People are in an enhanced state of awareness that is focused on the crisis, not on the fact they may be victims in a crime.
Stress may also mean people do not retain as much information as they usually would. This pushes them into a cycle of continuous information gathering, giving cybercriminals more opportunities to manipulate and trick potential victims.
Our working environment
In the UK, government advice is to work from home wherever possible. This is a reality for a huge number of people. Commonly, our home security arrangements are not as sophisticated as those in the workplace, and our reliance on mobile devices has increased.
Cybercriminals know and manipulate this.
A recent report from Lookout, based on data from 200 million mobile devices worldwide, found that, globally, mobile phishing attacks increased by 37% in the first three months of 2020. There is a direct correlation between this spike and the number of people working remotely and increasingly relying on their mobile devices for both personal and business purposes.
While sectors such as healthcare, government organisations and manufacturing have been targeted in these mobile phishing scams, many attacks are designed to harvest individuals’ banking credentials.
Increase in Business Email Compromise (BEC)
BEC attacks have been around for many years and have become an increasingly popular attack vector, and scammers are using the new ‘working from home’ requirements to their advantage.
BEC typically involves the attacker impersonating a senior executive to request an urgent transfer of money. Attackers are now relying on employees not being able to confirm requests from executives when they are working remotely.
Even before the pandemic, BEC had increased, with a 269% rise in the last quarter of 2019. We are likely to see further attacks as 2020 progresses.
So how can we use this knowledge?
Cybercriminals take advantage of our basic human response mechanisms when faced with fear and uncertainty. They manipulate our desire to help others and they capitalise on changes in working environments that force people to interact in alternative ways. They are successful at what they do.
In managing a company-wide phishing campaign, you too could utilise this knowledge.
You could change the language you use when talking about phishing – reframe it as the company crisis and manage the messaging on the reality for your company.
Some questions for you to consider:
Keep learning and messaging simple, credible, and consistent. Remember that user-led learning is always more successful and impactful.
Micro-messages that are short, sweet and to the point will also help your people to engage, retain and share the information.
An effective message must also do the following: be repeated, come from multiple credible sources, be specific to the crisis and offer a positive course of action that can be executed.
We are all human, we have our basic drivers and human responses. Cybercriminals know this and will use this — let’s play them at their own game and use our understanding of human nature to turn our potential weaknesses into our strength.