
Raising employee awareness around phishing – it’s all about spotting typos and off-kilter formatting, right?

Yes, an eagle eye is a great skill to have when it comes to warding off cyber-attacks. But it’s nowhere near enough when it comes to today’s threat actors, who are now using a subtle, sophisticated repertoire of psychological and emotional tools in pursuit of that fateful click.  

Some of these tools are so insidious they’ll get the most cyber-aware employee to let their guard down. They get inside your head and push your buttons – that’s why they work. To beat hackers at this treacherous game, we stay ahead of the psychological and behavioral insights they exploit by studying, analyzing and mapping them.  

Building on the latest academic research, we have created a concise model of the major emotional triggers hackers use to manipulate employees – potentially, your employees. Take a look at the wheel below – you’ll see three major hotspots: Scare, Gain and Believability. 

Six Factors of Social Engineering

Leveraging the fear factor 

In the ‘Scare’ zone, you’ll find authority and urgency. From our research and live project work, we have seen countless phishing campaigns which appear to come from a senior colleague. They are hugely effective. It makes sense – we learn from childhood to trust authority figures and respond to their requests. It’s no surprise this trigger is being used so effectively in data-theft attacks: our data will be in safe hands, right?  

Creating a sense of urgency is another insidious way to create anxiety and dampen down people’s rational, critical reflexes. 

The tricks we trust in 

Believability is an area in which today’s threat actors excel. An email which closely resembles one you would expect to receive will be an easy win for a hacker. And it’s hard to imagine the level of sophistication that goes into creating these deceptions. Few employees have the advanced awareness needed to think twice before clicking.  

Distraction is another trick hackers have up their sleeves. If you are given an action to complete, such as ‘please print the attached PDF’, many people will zoom in on that directive and switch off from other factors that might otherwise set alarm bells ringing. Directives and requests are powerful triggers in another way, too: they lure us into a feeling of reciprocity with the sender of the email, which again bypasses our rational brains.

The power of reward

Moving around the wheel to the ‘Gain’ zone, here we can see primal behavioral triggers in play: ones common to every human being on the planet. Offer a reward – whether it be a freebie, discount or piece of information – and many of us have our finger on the mouse, ready to click, before we’ve drawn breath.  
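One defensive use of the wheel is to tag messages reported by staff (or your own simulation templates) with the triggers they lean on, so awareness training can target the factors that actually land. The following is an added illustration, not Phishd/MWR's tooling: the keyword patterns, the zone assignment for reciprocity, the triage rule and the sample messages are all constructed assumptions.

```python
import re

# Constructed pattern lists for the six factors on the wheel (assumptions for
# illustration only; a real deployment would tune these against reported mail).
TRIGGER_RULES = {
    "authority":     [r"\bceo\b", r"\bdirector\b", r"\bhead of\b", r"\bon behalf of\b"],
    "urgency":       [r"\burgent\b", r"\bimmediately\b", r"\bwithin \d+ (hours?|minutes?)\b",
                      r"\btoday\b", r"\bexpires?\b"],
    "believability": [r"\binvoice\b", r"\bticket\b", r"\bpayroll\b", r"\bit helpdesk\b",
                      r"\bshared (a )?(file|document)\b"],
    "distraction":   [r"\bplease (print|open|review|download)\b", r"\bsee attached\b",
                      r"\battached (pdf|file|document)\b"],
    "reciprocity":   [r"\bthanks in advance\b", r"\bi('d| would) appreciate\b",
                      r"\bcould you do me a favou?r\b"],
    "reward":        [r"\bfree\b", r"\bdiscount\b", r"\bbonus\b", r"\bgift card\b",
                      r"\bvoucher\b", r"\bprize\b"],
}

# Zones from the article: Scare, Believability, Gain. Placing reciprocity under
# Believability (the article discusses it alongside directives) is an assumption.
ZONES = {"authority": "Scare", "urgency": "Scare", "believability": "Believability",
         "distraction": "Believability", "reciprocity": "Believability", "reward": "Gain"}


def tag_triggers(subject, body):
    """Return {factor: [matched phrases]} for every factor found in the message."""
    text = "{}\n{}".format(subject, body).lower()
    hits = {}
    for factor, patterns in TRIGGER_RULES.items():
        matched = [m.group(0) for p in patterns for m in re.finditer(p, text)]
        if matched:
            hits[factor] = matched
    return hits


def zones_hit(hits):
    """Sorted list of wheel zones touched by the tagged factors."""
    return sorted({ZONES[f] for f in hits})


def triage_priority(hits):
    """Constructed rule: mixing zones (e.g. Scare + Gain) is the strongest signal."""
    zones = zones_hit(hits)
    return "high" if len(zones) >= 2 else ("medium" if zones else "low")


# Constructed sample messages (subject, body) for a reported-mail queue.
SAMPLE_MESSAGES = [
    ("Urgent: action needed today",
     "This is the CEO. Please print the attached PDF and send the client list to me immediately. Thanks in advance."),
    ("Your staff discount voucher", "Claim your free gift card now."),
    ("Lunch on Friday?", "Shall we try the new place near the office?"),
]

if __name__ == "__main__":
    for subject, body in SAMPLE_MESSAGES:
        hits = tag_triggers(subject, body)
        print(subject, "->", triage_priority(hits), zones_hit(hits), hits)
```

The tags are only a first-pass signal for the person triaging reports; a message with no keyword hits is not thereby safe, which is exactly why the believability factor still needs human judgement.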

It’s vitally important to factor in these powerful human motivations to any cyber-resilience drive that you’re carrying out in your business. Phishing campaigns push our buttons in the most primal, unconscious ways. Cyber-safe businesses need to stay ahead of the game by upping their own knowledge of behavioral and psychological triggers.  

The Phishd team at MWR put this emotional, unconscious context at the heart of our understanding of phishing. We apply the latest research to live projects to make sure no hacker trick goes under the radar. Hackers thrive on understanding human psychology. To thwart their efforts, we need to match and surpass their understanding of what makes people tick.  

We build these factors into all our security assessments and training programs – it’s the only way to give your business the most robust protection possible from today’s sophisticated threat actors. Contact us to find out more and read our in-house specialist Adam Sheehan’s whitepaper on this crucial topic.