Don’t be so emotional. (It hurts security awareness.)

Part 1 in a weekly blog series, “How Attackers Target Trust,” running during October, National Cyber Security Awareness Month and European Cyber Security Month. 

While modern technology and pervasive media can make all things appear new, they really aren’t. As we continue the battle against advanced persistent threats, malware and fraud, it’s important to remember that confidence men and women have been at this game for a long time.

And all along, their real target has been user trust.

To take full advantage of the attention we get during Cyber Security Awareness Month, we need to talk to users about abuse of trust—and how they can avoid it. Let’s start with the role of emotions. I’m confident it’s a problem…

Playing on emotion: the con man’s favorite tactic.  

The trust we place in emotions helps drive security lapses. Modern techniques, phishing being the most pervasive, take advantage of us in the simplest way possible and essentially with our consent. As any good confidence man can tell you, the best stings are those that the mark never even notices. Very often, they manipulate emotions.

Figure: Simulation Response Percentages – PhishMe® Resiliency Report

As we can see from our simulation data above (2016 – 2017), phishing simulations that use curiosity, fear or urgency as the emotional motivator all average a response rate above 13%. While those numbers may not seem high, consider what a con artist can do with targets they already know how to get a response from.

How do we fight this?

The first step is recognizing that we can't always trust what we see, and we can't always trust our emotional instincts. We rarely rely on those instincts for survival anymore, but the same reflexive reactions still fire just before rational thought kicks in.

The key is to recognize our emotional states and question them directly. We need to step back, especially when we are about to act on emotions rather than rational thought. Tip: learn to let intense emotions become a trigger to verify rather than respond immediately.

The next time you feel that emotional pull, remember the famous Russian proverb “Доверяй, но проверяй.” That is, “trust but verify.”

In phishing terms, this is accomplished by asking a few simple questions…

  1. Do you know who sent you this email?
  2. Are you sure it’s from them? (Check the actual sending address, not just the display name, and note where a reply would go.)
  3. Do they normally send you attachments?
  4. Where is that link really taking you?

If you still aren’t sure, then go ‘old school’ – call the sender to verify, using a number you already have rather than one printed in the message. Trust me, I’m sure they’d be happy to hear from you.
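To make the four questions concrete, here is an added example (not code from the original post or from PhishMe) that runs them over a raw email message using only Python's standard library: it compares the display name with the real sending address and the Reply-To domain, lists attachments, and flags links whose visible text names one host while the href points at another. Both messages, and every name, address and domain in them, are constructed for the example; `check_message` and its helpers are names chosen here, not part of any product.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name carries a
# plausible address, the real sender and Reply-To live elsewhere, the link
# text and href disagree, and an attachment is bolted on.
SAMPLE_EML = b"""\
From: "Accounts Payable <ap@example.com>" <billing@example-invoices.test>
Reply-To: collections@mailer.test
To: alice@example.com
Subject: URGENT: invoice overdue - account suspended today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Review the overdue invoice here:
<a href="http://login.example-invoices.test/verify">https://portal.example.com/invoices</a></p></body></html>
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed benign sample for contrast: a colleague, plain text, no links.
CLEAN_EML = b"""\
From: Bob <bob@example.com>
To: alice@example.com
Subject: lunch?
Content-Type: text/plain; charset="utf-8"

Noon at the usual place?
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname if `value` looks like a URL, else ''."""
    value = value.strip()
    if not URL_LIKE.match(value):
        return ""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def check_message(raw):
    """Run the four questions over one raw message; return facts plus findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    findings = []

    # Q1/Q2: who really sent this?  Mail clients show the display name; the
    # address that matters is the one after it, and where a reply would go.
    embedded = EMAIL_RE.search(display_name)
    if embedded and _domain(embedded.group()) != _domain(from_addr):
        findings.append(f"display name shows {embedded.group()} but sender is {from_addr}")
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(f"replies go to {reply_to}, not to {_domain(from_addr)}")

    # Q3: does this message carry attachments at all?
    attachments = [a.get_filename() or "(unnamed)" for a in msg.iter_attachments()]
    if attachments:
        findings.append("carries attachment(s): " + ", ".join(attachments))

    # Q4: where does the link really go?  Flag anchors whose visible text is a
    # URL on one host while the href points at another.
    links = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        links = collector.links
        for href, text in links:
            shown, real = _host(text), _host(href)
            if shown and real and shown != real:
                findings.append(f"link text shows {shown} but points to {real}")

    return {"from": from_addr, "reply_to": reply_to, "attachments": attachments,
            "links": links, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, check_message(raw)["findings"])
```

None of these checks proves a message is safe; a well-run phish can pass all four. They are the cheap, mechanical part of "verify", and the constructed phish above trips every one of them while the plain note from a colleague trips none.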

In our next post on trust, we’ll be talking about processes and the faith we put in them to keep us safe when, in fact, they may be the real cause of our problems.

Learn other ways PhishMe can help to raise your security awareness.
