What races through your mind when you see “Coronavirus” or “COVID-19”? Fear, anxiety, curiosity… these internal reactions can prompt actions that we may not normally take. Recent attacks have been sending out mandatory meeting invites that ask you to log in to accounts. Others have been receiving emails to put themselves on a waiting list for a vaccine or treatment. The heightened emotions we experience when we see emails, or messages like this, may prompt us to give personal information out more willingly than we usually would. Security awareness takes a back seat as emotion takes over. It’s known as amygdala hijacking. Why does this happen to us?
Amygdala Hijacking in Cyber Security Scams
The amygdala is a small part of the brain that is largely responsible for generating emotional responses. An amygdala hijack is when something generates an overwhelming and immediate emotional response.
Many common cyber security scams use amygdala hijacking to their benefit. We see this used often in phishing, vishing, SMShing, and impersonation attacks. Chris Hadnagy of Social-Engineer, LLC did a case study on amygdala hijacking in social engineering.
Chris sent out 1,000 phishing emails that offered client employees the chance to enter a raffle to win 1 of 10 free iPhones. All they had to do was click on a link and enter the username and password to their computer. Seventy-five percent (750) of the employees clicked the link and entered their domain credentials.
This might seem shocking to those of us reading it. The phishing email itself seemed somewhat obvious. Entering domain credentials in this situation doesn’t seem logical. Why did so many people click? The answer can be traced back to the amygdala. When the employees saw this email with the offer of something free, they became excited. Their emotional response overrode their logic centers, and they clicked.
Out of these 750 names, Chris took 25 and called them. He claimed to be tech support for their company and informed them their computer was now laden with malware due to a phishing email that had just been clicked. To fix this he said he would need to direct them to a website where they can download a .exe and install it. He said this was a cleaning tool that would clean up the malware. It was actually a program that allowed Chris to access their desktop remotely. Amazingly, 24 of 25 of the employees downloaded and ran this program!
The emotion used to prompt the desired response this time was anxiety. The employee was nervous that their system had been compromised and was willing to implement the solution when one was offered. These two tests were extremely successful. Imagine if Chris had been a malicious hacker, rather than a hired security professional. He would now have access to 24 computers within this company. The risk and effort put in on his side was low, especially when compared to the payoff.
Amygdala Hijacking During a Pandemic
Keep this study in mind and think about our current world situation. Many feel anxious about loved ones, their health, and economic stability. This setting lends itself to scams that leverage amygdala hijacking. I am sure you can think of a time in the past when scammers used tragedy to their advantage.
News outlets all around are issuing warnings of COVID-19 scams that are circulating. Knowing the tactics is the start of preparing yourself to avoid these scams. We can protect ourselves if we just stop and think. If you feel yourself reacting emotionally to an email or a phone call, just give your brain a moment. By pausing, you will allow your logic functions to start working again and be able to make a more informed decision.
If you are not sure if the email is a phishing email or a legitimate one, there are a few things you can ask yourself to help your assessment: Who, what, when, where, and why?
- Who – Who sent this email? Is it from someone you know and trust? Is it from a service you use? If so, is the email address theirs?
- What – What is the topic of the email? If it is from someone you know, does it sound like them? If it’s from a service provider, is the grammar correct and the explanation clear?
- When – When was the email sent? Is it amid a global crisis? Or, early in the morning when you’re still sleepy? Make sure you aren’t clicking because of your current emotional or physical state.
- Where – Where is this link sending me? Roll over the link to see if it looks legit. If you are unsure, the best action is to go directly to the company’s site. For example, if this is a request for your password reset, simply reset it through their website rather than through the email.
- Why – Why do I want to click this link? Is there something in the wording that is making me feel a strong emotion? If so, look closely at the link before clicking.
Answering these questions may not give you a definitive answer as to if the suspected email is legitimate or not, but it will give you a better idea. When in doubt, trust your gut if something feels off.
Applying Your Knowledge
Now that you are familiar with amygdala hijacking and how it can be used against you; you are prepared to defend against it. Whether it’s COVID-19 or in any situation, when you receive an email, phone call, or text… just remember to pause and ask yourself, “who, what, when, where, and why?”. These simple questions can help you remain aware of not only your own emotional responses, but what the sender is requesting as well. Being aware keeps the control in your hands.