I haven’t often mentioned this in the newsletter but I’m fascinated with cybersecurity.
For over 5 years, I’ve been working in marketing for companies who build information security and privacy products and I plunged into it.
One of the reasons I’m so hungry to learn more about cybersecurity is that psychology lies right at the heart of it. This has to do with how I came up with the idea for today’s newsletter.
In the past few weeks, I’ve been listening to Hacking Humans, one of the best podcasts in the industry.
In each episode, the hosts examine attacks aimed at manipulating people into giving cybercriminals data, money or access to information.
These attacks fall into the social engineering category. If you’re curious what it’s all about, this is a highly instructional read.
Social Engineering is the term for using human deception as means for information theft.
Social Engineering Framework: Understanding the Deception Approach to Human Element of Security
So as I listened to their conversations, I started thinking about triggers and how they influence our decision-making process.
Before I jump into the list I’ve made, let’s make sure we agree on what a trigger is:
A trigger is a stimulus in our environment that activates a mechanism or sets in motion a course of events.
I believe it’s important to pay attention to what stimulates us to make decisions because these triggers influence what’s top of mind. Attentional bias can play be a strong influence on our choices if we can’t identify and curb it.
What’s more, my experience in cybersecurity shows me that triggers can also impact more consequential choices.
Here are a few practical examples.
Have you ever thought about how falling in love and curiosity are connected?
When we’re in a new relationship, curiosity becomes a strong trigger. Love (or its pretense) makes us eager to experience new things with our partner, to build shared experiences.
When we’re curious, some of us take on more risks and make choices quicker than usual.
This leads me to an important reminder: decisions are not good or bad per se. They’re defined by the outcome.
For example, if curiosity triggers us to make a decision, it may turn out well, getting us out of our comfort zone and trying new experiences.
Contrarily, it can get us in trouble, as our eagerness to satisfy our curiosity pushes us into dangerous situations. This is how baiting works in online scams.
“Baiting is like the real-world Trojan horse that uses physical media and relies on the curiosity or greed of the victim. In this attack, attackers leave malware-infected floppy disks, CD-ROMs, or USB flash drives in locations people will find them (bathrooms, elevators, sidewalks, parking lots, etc.), give them legitimate and curiosity-piquing labels, and waits for victims to act.
For example, an attacker may create a disk featuring a corporate logo, available from the target’s website, and label it “Executive Salary Summary Q2 2012”. The attacker then leaves the disk on the floor of an elevator or somewhere in the lobby of the target company. An unknowing employee may find it and insert the disk into a computer to satisfy their curiosity, or a good Samaritan may find it and return it to the company. In any case, just inserting the disk into a computer installs malware, giving attackers access to the victim’s PC and, perhaps, the target company’s internal computer network.” Source.
A new job, a new country, a new family member – the novelty factor exerts a big influence on our choices as well.
As we’re making an effort to adapt to a new situation, be it good or bad, our brain may forgo a step or two in our usual decision-making process so we can get to a state of comfort quicker.
I’m no behavioral scientist, but I believe that’s why sometimes people act illogically when they face unfamiliar conditions.
This one hits close to home for almost everyone.
When we get sick or someone close to us falls ill, we’re confronted with our own mortality. The abrupt realization that our lives are finite triggers some people to fundamentally change their perspective and habits.
That’s why we see people decide to completely change the way they eat or how much they exercise after finding out they’re sick.
Now if you these triggers sound familiar it’s because they’re frequently used in sales.
When exploited for malicious intent, the stimuli I just mentioned and the ones I’m about to list turn into harmful deception tactics.
In cybersecurity, psychological manipulation plays a huge role in cyber attacks. Social engineering tactics often fixate on shortcircuiting your usual decision-making process so the victim can act in the attacker’s interest.
One of the most used triggers in information security, for both good and mischievous objectives, is Fear, Uncertainty, and Doubt.
Even though negative reinforcement has been proven to be less effective than positive reinforcement, educational articles in information security still frequently use FUD to determine people to act and improve their security habits.
Because the human mind doesn’t cope well with either of these states, it’s natural for us to try to move away from fear, reduce uncertainty, and eliminate doubt. That involves making a decision to get us out of this mental state.
Online or offline, malicious actors employ FUD to make their victims feel hopeless so that they make the decision they’re pushed towards.
If it seems like it can’t possibly happen to people who use logic, here’s an example that shows it can and how it works.
The kidnapping scam is a powerful example of FUD at work.
“Here’s how the scam, for that is what it is, works. You get a phone call from an unknown number informing you that a family member or loved one is being held hostage, and demanding a ransom be paid within a tight time limit or they will be physically harmed. More often than not you can hear someone in the background screaming for help.
Now you might think that this wouldn’t fool you, even for a moment. But what if that caller knew the name of the person they claim to have taken, inform you where they kidnapped them from (and that is outside their place of work, school or part of their usual routine) and maybe even throw in a description of what they are wearing? The last one might be gambling on you not remembering exactly what clothes they wore today, but if they have a recent photo or know the school uniform of a child then it’s this kind of details that can make all the difference.
As Michael Levin says “the criminals in this scam usually have done their homework including researching the victims’ social media sites and even hacking into the victim’s phone or computer.” Source.
Case in point:
“A few Sunday’s ago, I received the most frightening phone call I have ever gotten as a parent. I answered to a young person’s voice screaming for mom to help. Then an angry man claiming to be from a Mexican mafia told me my child was in the wrong place at the wrong time, saw something he shouldn’t have and if I didn’t bring all the money from my bank account to a designated meeting place they would slash his neck. This man knew my name, my phone number, the city I lived in and my child’s name.
I was not aware of virtual kidnapping scams and as the man continued to raise his voice with escalating threats, I paced my house trying to get a handle on exactly what was happening. I continued to press him to get answers or talk to the child. After about 20 minutes, the caller abruptly hung up. I immediately called both of my children. One answered the phone, the other did not. I panicked again and called the police department. The operator calmly informed me that I had been scammed. I was. My other child called me back a few minutes later.” Source.
Triggers work in unexpected ways and their influence is often so subtle we don’t even notice it.
Using distraction and false pretenses are two tactics often used by scammers and thieves to trick their victims both online and offline.
Here are two examples ethical hackers use when doing penetration testing which means simulating attacks against companies to uncover their weaknesses and help them strengthen their defenses.
Tailgating: “hitching” along with an employee through a secured entry gate to get physical access to a secured location (such as a server room).
Pretexting: obtaining information under false pretenses (the pretext). For example, calling an employee and pretending you are a colleague. Source.
“So sometimes I kind of just sort of would see what the situation looked like. If people were busy doing something else, then I’ll kind of ask them questions to see – you know, if they don’t want to be bothered, then they’ll just let you in. Sometimes, I’ll pick up keys and say, I’m here returning something. They’ll let you in the building.” Source.
These work very often because many people are not trained to recognize the potential malicious intent in these behaviors.
Appeal to ego
Another strong trigger that can yield both positive and negative results is appealing to someone’s ego.
When we feel special (smart, needed, etc.), we’re more inclined to act against our better judgement which is what we usually do.
This can work in two ways:
“[…] the “victim” is manipulated so that they ask the social engineer for help. The social engineer creates a problem for the “victim” and then makes himself known as an “expert” who can solve the problem. The social engineer then waits for the “victim” to make a request. Trust is more likely because the “victim” takes the initiative.” Source.
“And sometimes, I’ll – some other tactics I would use – grief. You sort of play on people’s – their kindness. You know, there is a lot of that still out there. But, yeah, I’ll come in and like, hey, you know, I just lost someone in the family; I’m just trying to get some work done – or what have you. And then, you know, they really don’t want to bother you. They want to let you mourn – so a lot of different tactics I would go with back-and-forth, just depending on the situation.” Hacking Humans – Playing on kindness
I’ve written about ego a couple of times since I started this newsletter (here’s the most recent one), as this is one of the most important topics related to decision-making. Acknowledging how powerful this trigger can be prompt a big boost in self-awareness. I’ve seen it both in myself and the people around me.
This leads me to my next point.
Lack of self-awareness means others can trigger your emotional thinking more easily and determine you to bypass the logical steps you apply to make decisions.
Malicious actors often research their victims thoroughly, making personal connections (you both like the same Netflix show) and appealing to a relationship (help a colleague in need) to reach their objective.
Here’s how it works:
“[…] for example, ask someone to print a file from a USB memory stick that is infected with malware that infects the PC of the victim as soon as the file on the stick is accessed, or borrow an access badge because “you left yours on your desk”. A request made by a man (the tester) to a woman (the victim) and vice versa is usually fulfilled easier than when the gender is the same.” Source.
Scams like these go well beyond penetration testing and cyber attacks:
“A 17-year-old male from Oklahoma was fired from his job at Walmart for stealing money. Rather than considering himself lucky that he got away without being charged, he put his uniform back on and stole $30,000 from three other Walmarts by pretending to be a general manager from another store.
As he was in uniform and was wearing the company’s name tag, no one doubted him. He claimed he was carrying out an inventory of the stores before an inspection after the holidays, but surveillance cameras caught footage of his real purpose: according to a police report, when the boy was alone in the cash room, he took several bundles of banknotes and stuffed them into his pockets.” Source.
I’m not telling you this to become paranoid (although it doesn’t hurt to be a tad suspicious). I just wanted to emphasize how strongly these triggers can affect our decision-making.
If we teach ourselves to question our behaviors and reactions, we benefit in more ways than one.
First, we get to know ourselves better which leads to getting more comfortable with our own identity and traits.
Second, we become more impervious to triggers used with malicious intent and more inclined to make rational calculated decisions.