“My work involves online dating, but I believe almost every behaviour exhibited online has an offline corollary. Really, the medium doesn't change human nature.”
- Sam Yagan
American Internet entrepreneur, Co-founder of OkCupid
With an exponential increase in the number of cybercrimes against the unsuspecting (and sometimes suspecting too!!) internet users, it has become necessary to understand the root cause of this. This blog post attempts to dive deeper into the psychological factors that play a crucial role in not only making the various cybercrime avenues a grand success, but also encouraging the cybercriminals to think of new ones.
There has been a lot of research on criminal psychology and I am sure the same will hold good for a cybercriminal as it does for a serial killer preying upon hitchhikers on a lonely stretch of road. It is the other end of the spectrum that has to be studied in greater detail. Only when we know the various factors that make a good potential victim, will we be able to help protect them.
Long story short, we need to know what goes on in someone's mind that converts them from a general internet user to a victim of a cybercrime. To draw a technical analogy here, it’s only the servers and systems in our perimeter that we can patch and strengthen rather than attempting to eliminate the threat of hackers.
So yes, we are endeavoring to patch the human brain against cybercrime!!! And I realize that it is a tall order.
ALL of us are potential cybercrime victims. Some of us are potential cybercriminals too, but that is beyond the scope of this blog post.
The first and foremost thing to do when trying to social engineer a victim is to attract attention. The cybercriminals are constantly finding new ways and means to grab eyeballs.
When I started conducting end user awareness training for cybersecurity at Risk Quotient, it was these tactics that I kept in mind. The training program was then developed to ensure that the audience sees and hears about enough social examples. This helps them be a little more conscious when responding to phishing emails.
As human beings we have three fundamental emotions towards things and events in our lives. It is these three emotions that make us human. We react with need, greed or fear. In the worst case a fourth emotion may peek through - complete and utter “apathy”. However, apathy is the worst-case scenario and it is not our natural go-to reaction.
When we read a phishing email or text or when we receive a vishing call, we react to one or more of these emotions. One or more of these emotions are dominant in an individual determining the way he/she will react to the phishing attempt.
Cybercriminals design their attack strategy to appeal to these emotions. Map the phishing attacks to these basic emotions and you can reach a conclusion about how these attacks are strategized.
Need is a very broad term and refers to the things that we as human beings need, and this should not be confused with our wants. Need could be of various types:
To be a good person –a person tends to be empathetic towards others troubles and struggles.
Need of material things- house, car etc.- want of basic non-luxury life essentials
Need to be healthy – wish to get rid of physical ailments
Need to be normal – wish to get rid of physical abnormalities/disfigurements
Phishing emails with following subject lines prey on people with genuine need:
Help a child eat a meal a day
Donate for the environment
Buy a house for just….
Drop 20 kg in a month
Get rid of that hunchback
Book a Vaccine slot.
Grow your hair back
This is a negative emotion. It refers to wanting more than what one has, knowing that what one has is sufficient. Some common examples of greed are:
And here are the phishing emails that target people with these wants:
Free latest iPhone
Free movie tickets for the next 6 months
Coupon to win some freebies
Earn USD 2000 a day from home
All the Nigerian royalty emails
Fear is a very difficult emotion to overcome or ignore. And that is precisely what attackers make use of. Fear maybe triggered as a result of any of the following events:
Warnings from authorities or law enforcement
Scareware – messages that say that something is wrong with the computer
By far, the easiest emotion to prey upon. Scaring is the easiest way to attract attention. Some common phishing emails that do this are:
Warning!! Last notice about your income tax filing
Notification about your bank account
We know your internet browsing history
Your computer is infected
While I talk about phishing emails you need to know that phishing may be carried out over emails, phone calls or even text messages.
Which emotion makes you most vulnerable, consequently makes you a great potential cybercrime victim?
Knowing is winning half the battle. Knowing your dominant emotional type will tell you the kind of phishing attacks you will most probably fall prey to. However, if you figure out this piece of the puzzle it will most likely help you to consciously not pay heed to these kinds of email/texts/ calls.
Unfortunately, human behaviour is not an exact science. It is entirely possible that you may think that you belong to a certain emotional type, but your reaction to phishing email (obviously when you do not know that they are phishing emails!)may surprise you. However, it doesn’t harm to know oneself a bit better if it can save you from some unpleasantness in return.