Have you told your suppliers lately that their security is important to your business?
November 14, 2018

Hackers act on emotions, too, you know…

Hackers act a lot on emotions. But that doesn’t mean you should sympathize with them. The best hackers and scammers (lets call them attackers) understand YOUR emotions, and act on them to get you to do things you wouldn’t otherwise do.

You might think there are just a few ways that attackers (acting in a “social engineering” capacity) might try to trick you by making urgent requests, or threatening you with penalties if you don’t do what they ask. But you should be aware that they can use almost any emotion against you, especially if they know a little information about you…

 

Have you ever — or could you ever — experience one of these emotions?  

 

When I teach cybersecurity awareness courses, I often put up a slide with this list of emotions that attackers might use to prompt you to respond without thinking:

  1. Greed or desire to obtain more of something
  2. Laziness
  3. Ambition
  4. Impatience
  5. Curiosity
  6. Fear of financial loss
  7. Fear of lost productivity
  8. Fear of disciplinary action
  9. Curiosity and desire for knowledge
  10. Fear of technology
  11. Fear of embarrassing information exposure
  12. Desperation from addictions, financial problems
  13. Sympathy for others in difficult situations
  14. Vanity and pride
  15. Eagerness to help
  16. Generosity
  17. Courtesy and manners
  18. Desire to resolve uncomfortable situations
These are just a few that I have been able to identify that attackers can readily use against you.
In particular, if attackers know any of your likes, dislikes, habits, ambitions, etc., they can craft email messages, phone inquiries or other types of fictitious situations (called pretexts) that you are unlikely to stop and question.
This gives attackers a much higher likelihood of succeeding in getting the information or access they are looking for to progress toward their ultimate objective, because you are likely to act on your emotions without thinking about the situation as anything other than what it appears to be.

A simple question to ask yourself…
The next time you’re responding to a request of any kind that causes you to take an important or unusual action, take a moment to just think about what emotions it is causing you to feel, and then ask yourself, “Could this be somebody trying to influence me using my emotional responses?”

This could help you avoid or prevent an unintended incident.

 

Security Tips

1 – Individuals and employees: Think about what the person approaching you is asking, and how it makes you feel. Is it something you would normally do, or are your emotions being hijacked?

2 – Managers: Make sure employees are aware of how attackers might try to approach them for certain types of information or access. Most people feel they are not targets because they don’t have information that they consider to be valuable. However, attackers often use people on the periphery, or in a “supply chain”, who are likely to be less protective of information.

It can be hard to teach people about emotional responses targeted by attackers. So, scenario-based training, gamified exercises and simulations are good ways to help people recognize the kinds of situations that may be high risks for your organization.

Please contact me if you think your organization would benefit from receiving training and exercises to help them learn about social engineering threats and defenses – either live or via Click Armor, our new “gamified eLearning” solution for improving engagement and knowledge retention of important cybersecurity concepts.