The double threat: how are social engineering cyberattacks psychological attacks?

For several years, experts in cybersecurity and cyber crisis management have understood that the impacts of a cyberattack are no longer only economic, technical or reputational, but also psychological.

Today, most cyberattacks originate in human failings rather than purely technical ones. According to a 2018 study of its clients by Deloitte, “63% of security incidents come from active employees in the workforce”, whether intentionally or not.

With the increasing development of innovative technological solutions to detect and repel any kind of intrusion, cyberattackers have understood that it is much easier to exploit human vulnerabilities than technological vulnerabilities, making the victims their unwitting accomplices.

While attacks of a technological nature can be countered by protection solutions, social engineering attacks are much more difficult to prevent.

The human brain is an organ whose functions are not fully known and which has a very singular structure. It is composed of two distinct parts:

  • An instinctive part, which allows us to make quick decisions;
  • A more thoughtful part, which allows us to make rational and logical decisions.

Despite their different roles, these two parts complement each other and make it possible to make decisions and take action in everyday life.

However, it’s important to note that our instinctive thinking can sometimes work against us, especially when it comes to cybersecurity. When the brain itself becomes the target, the vulnerabilities that attackers exploit are called “cognitive biases.” These cognitive biases are systematic deviations of thought that depart from logic and rationality.

Savvy attackers know that social engineering techniques have more impact when they appeal to human emotions. Cybercriminals frequently use these social engineering tactics in order to obtain various personal information, such as login credentials, credit card numbers, bank account numbers, or social security numbers.

This initial theft of information is often the first step towards a larger cyberattack. For example, a cybercriminal may manipulate a victim into disclosing their username and password, and then use those credentials to introduce ransomware into the network of the victim’s employer.

In the case of a phishing campaign, the victim receives fake but legitimate-looking emails asking them to enter passwords, logins, credit card numbers, etc. The trapped person may feel shame and guilt, perceiving themselves as responsible for the situation in which the company finds itself.

This entry point relies on manipulation of the victim, who is tricked into clicking on a link to a malicious site. On a psychological and emotional level, self-image and self-esteem are strongly affected. Depending on the personality, the reactions can be completely different: fear, shame, embarrassment, anger, etc.

The Way to Prevent Social Engineering: Cognitive Cybersecurity

The origin of social engineering cyberattacks is neurocognitive in nature. The solution to effectively combat this phenomenon lies in understanding and analyzing the cognitive biases used by attackers to psychologically trap their victims. We are talking about cognitive cybersecurity or neuro-cybersecurity.

In order to build a suitable and resilient defense against social engineering cyberattacks, it is necessary to have a deeper understanding of the cognitive vulnerabilities exploited by attackers.

What are the cognitive biases commonly used by cyberattackers?

  • The temptation of greed: In a phishing email, users can be tricked into clicking on any link that supposedly allows them to make money. Those who click are trapped by their own desires and by the emotions tied to the temptation of easy money. Many studies have shown that gain-seeking primarily activates two key brain regions: the amygdala, the brain’s emotional center, and the reward circuit, including the nucleus accumbens, which is responsible for the sensation of pleasure.
  • Curiosity and indiscretion: An employee receives an email claiming to be an important notification about an internal investigation underway within the company. The message states that they must click on a link to access the details of the investigation and learn the steps to take in order to cooperate. Intrigued and concerned about their involvement in such an investigation, the employee gives in to curiosity and clicks on the link. Curiosity is a complex, information-oriented attitude: curious individuals seek to discover what they do not yet know (which is logical). According to George Loewenstein, curiosity emerges when we become aware of an “absence” or a “void” in our knowledge. This gap creates a sense of deficiency that motivates people to fill it.
  • Stress: An employee receives an urgent email purportedly from the CEO, urging them to make an immediate financial transaction because of an impending crisis. Under the effect of stress, the employee bypasses the usual verification procedures and transfers funds to an account specified by the attacker. This is known as the attentional tunnel effect: attention is hyper-focused on the text of the email, at the expense of noticing a suspicious sender address or other peripheral warning signs.

The cognitive causality of attacks is no longer as ignored as it used to be; however, there is still a lot of analytical work to be done on what makes an individual psychologically vulnerable to social engineering cyberattacks.

The “naivety” of some employees or possibly their “corruption” or deliberate intention to harm their company are not sufficient explanations to dissect the mechanisms used by the attackers.

It is essential to understand the “psychological” dimension of the cognitive traps that these hackers set up, in order to accurately diagnose and improve prevention. This understanding of the psychological elements is crucial, as it helps to understand why an employee chooses or does not choose to click on a malicious email.

What you need to remember

As human beings, we are confronted with our own psychological weaknesses and are above all victims of our psychological and mental state before and during the attack: a high level of stress, a lowered threshold of vigilance, etc.

Some cyber crises can have a lasting impact on employees and organizations and require professional support to understand, decipher and accept what has happened. Beyond the people deceived by the attackers, this type of crisis can put teams under strain and make it difficult to resume activity.

Even if a cyberattack is no longer just the concern of the CISO and the CIO, technical teams are on the front lines of this type of incident and are confronted with operational issues that impact the business teams. In cyber crisis management, there are many stages where human intervention is essential. Therefore, it is crucial to prepare managers and employees optimally for this kind of situation.

This preparation includes training and cyber crisis management exercises, which allow employees to enter into total immersion and to deal with the direct and indirect impacts of a cyber crisis. Beyond the existence of dedicated methodologies and tools, the success of crisis management depends above all on the ability of teams to organize themselves and act in a destructured environment.

Alcyconie works hand in hand with experts in social and behavioral sciences to offer dedicated training and interventions: decision-making in uncertainty, stress management, deciphering the individual and collective cognitive biases at work in a crisis situation.

In order to be ready for the big day, Alcyconie offers cyber crisis management training and exercises that take into account the human dimension, which is essential both from the point of view of the interaction between decision-makers and in the internal and external communication of the crisis.
