We don’t fall for spear phishing because we’re idiots — it’s because we relax behind our email, and because we’re decent people. But, experts say, to stop clicking our way into hackers’ traps we’ll have to start thinking more like criminals.
“Attachments and links from innocent-looking emails can lead to serious network compromises,” the study said. “The success of social engineering attacks, such as phishing and spear phishing, usually relies on gaps in human judgment rather than technological missteps.”
Colorado Springs cyberpsychology expert and CEO of Handshake Leadership Erik Huffman said the risk is immense. In one of his studies, 74 percent of hackers said phishing is the easiest way for them to get into an organization. Another survey he conducted in 2018-19 showed no one is immune.
Everyone clicks the link
“The unfortunate truth is it doesn’t matter if you’re a cyber professional or not. I conducted a study of well over 1,000 people and everyone clicks the [malicious] link at the same exact rate,” Huffman said. “There was no difference between cyber professionals and the everyday working individual.
“Because you’re a nice person, you’re a good person, because you’re helpful — you’re vulnerable. And that has nothing to do with your technical acumen; it has nothing to do with you understanding cybersecurity or not.”
It’s all about the psychology.
Attackers sending spear phishing emails always disguise themselves as someone you know or trust, Huffman said, “and that’s where things begin to get difficult.”
Hackers know which triggers will manipulate you into clicking a link, and they understand how you read and process information.
“The scary part is, behind a computer screen, you’re reading a message in your own voice,” Huffman said. “You don’t read in the voice of some guy deep in his basement, drinking Mountain Dew, Cheeto dust everywhere. You read in your own voice, so you’re reading this malicious message in a friendly, comfortable tone — which means it doesn’t come across as malicious, because in your brain, biologically, everything is okay.
“You don’t see a phishing email and duck away from your screen. It doesn’t read ‘stranger danger,’ especially if they spoof the names. Especially if it comes across as ‘Mom’ or ‘Dad,’ you might even read it in their voice — which is friendlier.”
And that, he said, is an even scarier prospect.
“You’re trying to deductively reason your way through the scenario, and all they have to do is fool you once. If you get a fake message or phishing message from ‘Mom,’ you’re not immediately thinking, ‘No, this is fake, Mom doesn’t really need help.’ That’s just not your initial reaction. Your brain starts to fire: ‘I want to help. I need to help.’”
Whether it’s an email from ‘Mom’ or an email that purports to come from your chief financial officer, the consequences of taking the bait are grave.
IBM’s X-Force Report, released last month, showed phishing campaigns are making heavy use of targeted Business Email Compromise scams to conduct unauthorized transfers of funds, or steal personally identifiable information or W-2 forms for employees. They accounted for 45 percent of the phishing attacks tracked by X-Force.
Last July, the FBI announced that BEC and email account compromise claimed 41,058 U.S. victims and $2,935,161,457 in U.S. losses between October 2013 and May 2018. Those figures were drawn only from victim complaints filed with the Internet Crime Complaint Center in which a country was identified.
Even without venturing into billions of dollars in losses, the business impacts are painful, Huffman said.
“This can definitely impact your business. Once they get access to you, they can get access to someone else,” he said. “It’s kind of a hop. It creates a chain — we’re all connected — and once you allow someone into your personal account, they can get access to your business account. Or if they get access to your business account, they can get access to your personal assets as well.”
Tackle it differently
The fact that cyber professionals click on malicious links just as often as the rest of us doesn’t mean that awareness and training aren’t the answer, Huffman said. It just needs to be tackled differently.
“We do cyber awareness in regards to cybersecurity; we don’t do self awareness in regards to how you feel,” he said — meaning it’s not on the radar in an informal setting.
“We’ve made email an informal setting, and a place where our guard is down,” Huffman said.
And that’s a problem.
“You don’t get suited and booted to go read email,” he said. “You’re comfortable behind your computer screen — and you’re vulnerable because you’re comfortable.”
The key is to slow down, and to be more skeptical.
“You’ve definitely got to slow down,” he said. “Understand that the fight or flight system in your brain is not active at this moment. It’s really a game of chess now. You have to reason your way through it.
“You have to look at the email address — is it actually from the person that I think it’s from? You have to read the message again and say, ‘Okay, they want me to send this information. Why would I have to send this information?’
“The phishing scams are getting good now. That’s why cyber professionals click on them too.”
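Huffman’s first check, asking whether a message is actually from the person you think it is from, is one that tooling can partly automate before a reader ever has to slow down and reason about it. The following is an added example, not code from the article or from Huffman. The contacts, trusted domain and message headers in it are constructed for illustration. It parses a header block and flags the four mismatches a careful reader would look for by hand: a familiar display name on an unfamiliar mailbox, a sender domain that imitates a trusted one, and a Reply-To or Return-Path that points somewhere other than the visible From address.

```python
"""Flag header inconsistencies that suggest display-name or domain spoofing.

Added example, not from the article. The contacts, domains and sample
headers below are constructed (hypothetical) for illustration only.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list: mailboxes we expect mail from, and under which name.
KNOWN_CONTACTS = {"cfo@example.com": "Dana Reyes"}
TRUSTED_DOMAINS = {"example.com"}


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _normalize(domain):
    """Fold common homoglyph and typo tricks so lookalikes compare equal."""
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(bad, good)
    return d


def _levenshtein(a, b):
    """Edit distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if _normalize(domain) == _normalize(trusted) or _levenshtein(domain, trusted) <= 1:
            return trusted
    return None


def analyze(raw_headers):
    """Return a list of human-readable findings for one RFC 5322 header block."""
    msg = message_from_string(raw_headers)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_dom = _domain(from_addr)

    # 1. A display name we know, attached to a mailbox we do not.
    for addr, name in KNOWN_CONTACTS.items():
        if from_name.strip().lower() == name.lower() and from_addr != addr:
            findings.append(f"display name '{name}' used by {from_addr}, expected {addr}")

    # 2. A sender domain that imitates a trusted one (homoglyph or one-char typo).
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"sender domain {from_dom} resembles trusted {imitated}")

    # 3. Replies silently redirected to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To {reply_to} does not match From domain {from_dom}")

    # 4. Envelope sender (Return-Path) from a different domain than the visible From.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and _domain(return_path) != from_dom:
        findings.append(f"Return-Path {return_path} does not match From domain {from_dom}")
    return findings


# Constructed sample header blocks (hypothetical addresses throughout).
SAMPLES = {
    "legit": ("Return-Path: <cfo@example.com>\nFrom: Dana Reyes <cfo@example.com>\n"
              "To: staff@example.com\nSubject: Q3 numbers\n\n"),
    "freemail": ("From: Dana Reyes <dana.reyes.cfo@freemail.example>\n"
                 "To: staff@example.com\nSubject: urgent wire today\n\n"),
    "lookalike": ("From: Dana Reyes <cfo@exarnple.com>\n"
                  "To: staff@example.com\nSubject: W-2s needed\n\n"),
    "reply_to": ("Return-Path: <cfo@example.com>\nFrom: Dana Reyes <cfo@example.com>\n"
                 "Reply-To: <accounts@relay-mail.example>\nTo: staff@example.com\n"
                 "Subject: invoice\n\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyze(raw) or ["no findings"])
```

The allow-list approach only catches impersonation of people you have already listed, and header text alone proves nothing about who actually sent the message; in production the same checks sit alongside SPF, DKIM and DMARC results rather than replacing them. The point of the example is the one Huffman makes: the address, the Reply-To and the lookalike domain are all visible in the message, but only if someone, or something, stops to compare them against what was expected.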
In that light, network security is critical.
“What businesses don’t understand is that it takes, on average, 90 days for a cyber professional to detect that an attack has happened,” he said. “Someone can sit in there and steal information for weeks, for months, or even for years. If I’m a hacker, the biggest thing I need to do is just not be detected.
“Understand: Basic network security, firewalls and antiviruses would help a lot, because you won’t even know that something has happened months ago — until something really bad happens today.”
Huffman doesn’t like fear tactics when it comes to cybersecurity, he said, and the message he tries to send out is simple.
“Understand you’re vulnerable because you’re a person — not because you’re stupid. Just take time, slow down. … They’re fooling you because you’re comfortable.”