Social Engineering – Why Are We Still Fooled By Phishing?
Today’s blog is a guest post from Terry Gudaitis from Mindstar Security and Profiling. She discusses NCSAM’s week 3 (Oct. 17-21) theme, recognizing and combating cyber crime.
Phishing was first detected in the mid-1990’s and has been prolific since the mid-2000’s. We have received warnings, alerts, and training for at least a decade on how not to fall for a phishing scam, but people still do. Whether it is an email from a Nigerian Prince, a very authentic looking yet fake request to reset your banking password, or a more directed communication (defined as spear phishing or whale phishing), people are clicking links, opening attachments, and being scammed by the phishers. In many cases, smart, well-educated, and well-trained people are lured into these scams. Why? Why is this still happening?
The answer is psychology. As humans, we can’t help ourselves. There are just some lures, temptations, bait, and traps that we will succumb to – even though somewhere deep down unconsciously we may know there is an inherent risk. While there is a wide range of scams today – phishing, 419s, pharming, “honey lures,” pretexting, vishing, SMSishing, and ransomware (just to name a few), all of these often successful cons rely on social engineering to accomplish their goal. An industry accepted definition of social engineering is:
Human or social/psychological based methodologies used to persuade, coerce, or manipulate others into acting or behaving in a manner that will provide the adversary access to sensitive, private, or confidential information. The methodologies may include face-to-face or technology based tactics, direct or remote assessment, observations, interpersonal communication, lures, schemes, or traps to elicit or plant information.
Let’s look at the psychology of phishing and the use of social engineering by adversaries. Recognizing the threat actors’ tactics, techniques, and procedures (TTPs) can help you recognize and combat future scams.
The basic psychology and principles of social engineering date back to the 4th century BC when Aristotle wrote “The Art of Rhetoric” or Ars Rhetoric. Aristotle’s theory focused on three primary modes of persuasion – ethos, pathos, and logos. Relating his theory to modern phishing and social engineering, his principles can be defined as:
- Ethos is an appeal based on the presumed authority or honesty of the communicator or social engineer (SE). Its success depends on how well the SE convinces the audience that he or she is qualified to communicate on the particular subject.
- Pathos is an appeal to the target’s emotions. It can be in the form of metaphor, simile, a passionate delivery, or even a simple claim that a matter is unjust. Pathos can be particularly powerful if used well, but most communications do not solely rely on pathos.
- Logos is logical appeal, and the term logic is derived from it. It is normally used to describe facts and figures that support the SE’s scheme. Since data is difficult to manipulate, especially if from a “trusted source,” logos may sway cynical listeners.
Apply this to any phishing example and you will see elements of ethos, pathos, or logos, or the combination of all three persuasive techniques. We fall for these tactics because people have emotional and/or physiological reasons for complying with the phisher’s message.
Emotionally, humans are attracted to the phishing message because they want to feel good about their response or because they have a deep-seeded need to respond to such a lure. Some examples of basic emotional motivations include:
- Desire to complete a task and get the job done
- Not wanting to be left out
- Wanting to be helpful
- The “I must have” factor – fear of memory loss (i.e., I must have forgotten about that account with PayPal, so I will go ahead and re-enter my credentials)
- Empathy and willingness to break the rules
- Ease and laziness
- Fulfill a want, a need, or a void (desire for social relationships)
- Desire to believe in the “free lunch” or financial windfall (financial gain)
Humans will even react to a poorly crafted message with elements of ethos, pathos, and logos due to physical variables impacting their decision-making skills. Physiological interference with accurate message reception can involve: fatigue; illness; injury; pain; or, multi-tasking. When the human body is tired or in pain, some of our focused senses are distracted and we may be more susceptible to persuasive or coercive tactics. Likewise, as we go about our day at work or at home, there are sometimes so many things we are trying to juggle at once, that we experience a moment of weakness when that 5th or 10th task involves reading an email that is fraudulent – and in the spirit of getting that one task done, we fall for the email and act on it by clicking the link, downloading the attachment, or re-entering our usernames and passwords.
Phishing over the years has evolved past the simple foundation rooted in ethos, pathos, and logos. In addition to the basic psychological ruses, some more sophisticated examples of phishing employ the underlying techniques of magic, illusion and deception. When psychological based social engineering persuasion techniques are used, the target or victim is sometimes aware of the sensitive nature of the requests – “please re-enter your password” or “provide your login credentials.” However, the art and psychology of deception does not bluntly make those inappropriate requests. Deception in phishing is more analogous to a magic trick. We all know it is a trick, but through methods of illusion and slight of hand, we believe it. The real difference is, we enjoy being duped by a performing magician on stage – we even enjoy trying to figure out how the trick was done. But for some reason, the deceptive techniques and slight of hand used in phishing (e.g., through email, SMS, phone messages) are not scrutinized because sometimes there is an element of truth in the communication (yes, you do use that bank or yes, you did shop at that popular online store).
Hover your mouse over the link in a phishing email and “behind the curtain” you will see the redirection. Look at the header of the phishing email and you will see the point of origination isn’t really the legitimate IP address of the bank sending the email. This phishing slight of hand is purposely done to provide what is called indistinguishability. In order to deceive, phishers must make observable objects within their communication look real including the logos, the sender information, the links, or the attachments. Upon first glance, the victim may see legitimacy (a combination of ethos and logos) in the email, the added deception of hiding information such as the link destination further convinces the user to behave or act in a certain way.
The combination of social engineering tactics to lure users through the principles of ethos, pathos, and logos, combined with deception, increases the probability that humans will continually fall for phishing – particularly if their emotions are ripe or have a physiological vulnerability which makes them more susceptible. It is difficult for most humans to live in a state of suspicion and paranoia. Thus, phishers will continue to scheme and scam likely targets and have success.
In order to combat our human weaknesses, the detection of email scams, phishing attacks, and other types of electronic ruses should be a combination of 1) increased human awareness; and, 2) automated detection tools that can be objective without the pollution of emotion and physiology. There are so many scammers and new types of schemes every day. So remember, before clicking a questionable link or opening a suspicious PDF:
- Be careful;
- Ask questions;
- Attain the best phishing detection system/service possible; and,
- A pinch of paranoia doesn’t hurt!
By Terry Gudaitis, Mindstar Security & Profiling
Mindstar Security & Profiling is a concierge security company serving Family Offices and high net worth persons and their families. Our company provides customized security assessments and services combining physical security, cyber protection, and behavioral profiling. We work closely with each client offering boutique services including:
Threat analysis, Psychological Profiles and Investigations
Personal Property and Asset Vulnerability Assessments
Crisis Planning & Mitigation
Travel Planning and Protection
Due Diligence Profiles
Customized Security Training for Boardrooms & Family Offices