What’s The Role of Gaslighting in The Cyber Security Context of Social Engineering?
By Anna Drescher, Freelance Writer and Mental Health Specialist
A few years ago, I received an email from Apple stating that someone had made a purchase from my account. They urged me to update my details immediately as they were concerned it could be a security breach. Panicked, I clicked on the link and typed in all my personal and banking details. Not long after, my bank contacted me about an unusual transaction – someone had purchased a handbag worth £3000 using my account. I got my money back, but my reality had been stirred up and I felt violated, ashamed, and stupid.
What does this have to do with gaslighting? Let’s explore.
Gaslighting is a term normally used in the context of relationships, but social engineering relies on some of the same psychological tricks. They are both forms of psychological manipulation and exploit human suggestibility, empathy, and vulnerability and involve the elements of reality distortion and power imbalance. The outcomes for the victims are also similar: self-doubt, shame, and losing their grip on reality.
What is Gaslighting?
As 2022’s most popular word, you’ve probably heard of gaslighting. The term originates from the 1938 play Gas Light (which was turned into a movie of the same name in 1944), in which a husband manipulates his wife into believing she is losing her mind.
One of his tactics was to make the lights in the house flicker by using the gas lights in the attic. Whenever she asked him “Why are the lights flickering?”, he said (something along the lines of) “It’s all in your head, darling. We should speak to the doctor about increasing your meds, you sound a bit cuckoo”. As this goes on, she eventually starts to question her sanity. The play doesn’t use the term gaslighting, but it demonstrates the type of manipulative behavior that now describes gaslighting.
While social engineering has elements of gaslighting, they’re not entirely the same thing.
Gaslighting in the context of relationships happens repeatedly and over time, slowly dismantling the victim’s sense of reality and self. Social engineering in cyber security is generally a one-off and doesn’t usually involve the key element of attacking the victim’s credibility (“you’re so paranoid/ jealous/ crazy”) that makes gaslighting so effective.
How Gaslighting Increases the Effectiveness of Cybercrime
Social engineering in the context of cyber security manipulates people into performing certain actions, like giving up access, credentials, bank details, or other sensitive information.
It’s effective because attackers build rapport, distort reality, exploit the simulated power imbalance, and create a strong emotional reaction in their victims – some of the same tactics used in gaslighting.
Rapport Building
Gaslighting only works when there is some sort of relationship and trust. Likewise, scammers know that a person is more likely to engage with them if they’ve built rapport.
A scammer might call you on the phone, telling you “Someone has access to your bank accounts through PayPal, and they can take all your money. I’m calling to help you.” They seem calm and professional and engage in a friendly chat with you and, believing they are calling to help, you let your guard down and do what they ask.
Doing this is not gaslighting, it’s lying. But creating a false reality in which the attacker or scammer is a trustworthy person is similar to what a gaslighter would do when they’re establishing a relationship and rapport with their victim – because it makes them easier to manipulate.
Reality Distortion
In relationship gaslighting, the perpetrator paints an alternate reality and tries to persuade their victim to buy into it. For example, a cheating husband tells his wife, “I never cheated on you, you’re just paranoid!” even if she has evidence of his transgression. If he’s convincing enough, she will question herself and her perception.
The attacker in cybercrime does something similar: they try to persuade their victim of the false reality that they are Apple, Amazon, the IRS, or similar. That means, the attacker distorts their victim’s reality and instills doubt in their mind by claiming they are someone they are not.
Let’s say you get a call from the IRS, and they tell you that if you don’t pay a certain amount immediately, you will be fined or even arrested. You may know that you’ve paid all your taxes, but the call or email creates doubt in your mind like “Maybe I did forget”.
By skillfully distorting reality, they make you doubt your perception and memory, thereby putting themselves in a position of power.
Power Imbalance and Vulnerability
Social engineering, gaslighting, and any other form of psychological manipulation work best when there is a perceived power imbalance.
Gaslighting is most effective in relationships where there is a power imbalance, such as between a health professional and their patient, or an abusive husband and his wife (or vice versa). Therefore, gaslighters tend to seek victims who are in some way vulnerable (e.g., a trauma survivor, someone with low self-esteem, or a patient) because the power dynamic is skewed.
In a similar vein, you’re more likely to fall for a scam when you believe you are being contacted by an authority. Most of us have been raised to respect and obey authority, so when the “bank” calls saying your account will be closed unless you update your bank details immediately, you’ll probably hand them over.
That’s also why scammers often target vulnerable people, such as the elderly or recently bereaved. Likewise, those in a financially vulnerable position may be more willing to believe they will win a million dollars if they provide their bank details. Romance scammers tend to prey on the lonely, and scammers targeting banks or corporations often find the “weakest link” (e.g., a person who fears they’ll lose their job if they don’t act immediately).
Fear and Stress
When there is a power imbalance, it can cause fear and stress. Fear causes the critical thinking part of our brain to shut down and the fear center to take over. That means, when we’re scared, we’re not thinking rationally and are driven by the very powerful emotion of fear.
Gaslighting works best when your critical thinking capacity is switched off, like when you’re scared of your abusive partner leaving or harming you.
Alone just dealing with an authority, like a government agency or bank, can make you feel anxious. But when it comes to the safety of your money, privacy, or relatives (e.g., the grandparent scam) that anxiety triples.
If someone contacts you saying you will go to prison if you don’t pay immediately or claims to be your grandchild in dire need of help, you will experience fear and panic. Consequently, you can’t think rationally and may do whatever you’re told.
The Effects of Gaslighting and Being Scammed
Victims of cybercrime often think, “How could I have been so stupid” or “There must be something wrong with me”. They feel violated, dehumanized, and lose trust in their perception and sense of reality, and the shame and guilt they experience often mean they don’t tell anyone or seek help.
Gaslighting victims have a similar experience once the fog has been lifted. That’s because relationship gaslighting is like a scam and has devastating consequences for the victim.
People and businesses have lost millions of dollars (if not more) to cybercrime, and most of the time, the criminals get away with it. So how do you protect yourself?
How to Protect Yourself from Gaslighting and Social Engineering
The best way to protect yourself from gaslighting is to know that it exists and how it works, and you must stand firm in what you know and believe. The same goes for protecting yourself from cybercrime and scammers.
Chris Hednagy, an expert on social engineering and cyber security, gave several tips on how to protect yourself from scammers:
- Educate yourself on cybercrime and its tactics.
- If someone you don’t know elicits a strong emotional response within you (like fear or a “gut feeling”), pause and ask yourself: am I being manipulated?
- Think critically: has this organization/ business/ agency ever contacted you to ask for personal information? (Most of them don’t)
- Create a password with your relatives so when someone calls saying they’re your relative in an emergency, make them give you the password first.
- If you did fall for it, don’t let the shame and embarrassment stop you from seeking help. It can happen to anyone!
About the Author
Anna Drescher is a freelance writer and editor specializing in mental health and psychology. Her work includes collaborating with organizations and apps to advise on and create content related to psychology, mental health, meditation, and hypnosis. She is an author at Simply Psychology and has published articles with several mental health-related publications. For 10 years, Anna has worked in the mental health sector and supported people who struggle with their mental health. Her roles have included private practice, working in the UK’s National Health Service, therapeutic work in in-patient and community care, in a prison service for men with personality disorder, and managing a co-production project at the UK’s leading mental health charity. Anna has a bachelor’s degree in Psychology and a master’s degree in mental health/ psychotherapy, and is also a qualified solution-focused hypnotherapist and yoga teacher. Anna can be reached via LinkedIn (www.linkedin.com/in/freelancewriterannadrescher) or her website www.mentalhealth-writing.com.