The Emotional Line of Defense
It is not breaking news that phishing is the leading cause of data breaches in the modern world. It is fair to ask why that is still the case, given how much of this email gets caught by our spam filters and perimeter defenses. One trick sophisticated attackers use is triggering an emotional response from the target with simple and seemingly innocuous messaging, aiming to generate any response at all. Some of this messaging does not initially employ attachments or links, but instead tries to elicit an actual reply from the target. Once the attackers have established a communication channel and a certain level of trust, they can either send a payload of their choosing or craft a message that entices the target to act on its own.
It’s not a technology problem, it’s human nature
Human emotions are the critical security element technology cannot solve. Emotion often overrides critical thought, which is what the attackers are banking on. Whether it be fear, curiosity or a sense of urgency, your users are tasked with balancing emotional response with security policy daily. It’s not just when reading email either, but also when taking phone calls or dealing with other humans face-to-face. It can be a daunting task which puts many companies and organizations at risk. As security awareness professionals, you must take this into consideration in the messaging you are providing to end users.
Feeling that rush, there’s your sign
When a user starts to feel an overwhelming emotional response to a situation, this should be a clue that critical thinking must engage to properly verify the validity of the situation. Use the emotion as a warning sign rather than following the instinctual emote-then-respond pattern that humans naturally fall into. This is not an easy fix, but incorporating this recognition technique could be the difference between a compromised account and a simple five-second pause to request a review from the security or IT department.
According to some researchers, a sense of urgency and curiosity top their list of the most-clicked phishing lures, whether the pretext is a delivery notice, a compensation change, or an imminent loss of account access. If a user is caught at just the right time of day, or in a particular mood, even the most security-aware individuals can succumb to these attacks. This is why it is so important to build recognition of a user's own emotions into security training. You can communicate that it is ok to feel a particular way about a situation, but that the feeling does not necessarily warrant an immediate response or action. In fact, the moment that overwhelming feeling is experienced, encourage them to take a second and start to evaluate why. Are the attackers asking the user to perform some action or else something dire will happen? Are they trying to pique interest in a topic the target is known to talk about openly on social media?
Attackers use what they know about you to get you
In a world where people share their thoughts and interests publicly across a multitude of social media outlets, gaining insight into how someone "feels" about a specific subject is easier than ever before. Social media companies even work together to let users share this information across platforms, with such ease that it is almost inevitable you will find a topic of interest for almost anyone if you look hard enough. Those bits of personal information can be, and have been, used with such success that there is no sign of the technique going away any time soon.
To emote is human, and no training program is going to completely remove that tendency, nor should it try to. Instead, embrace the humanity of the situation and teach emotional recognition techniques: help users understand why they feel a specific emotion and whether that emotional reaction warrants the action being requested. If your users are doubtful about a situation, encourage them to ask a colleague's opinion. It is well worth the time, and your users should be regularly encouraged and rewarded for thinking critically.
Written By: Ryan MacDougall