The Psychology Behind Spear Phishing Scams
By Dr. Yvonne Bernard, CTO, Hornetsecurity
Criminals are increasingly using fake emails to exploit their victims for financial gain and are using spear phishing takes the well-known social engineering scam to a new dimension. Employees training needs to encompass both fast and slow thinking systems to combat this cyber-attack.
Social engineering has been practiced for many decades, if not centuries! At its core, it’s always the same thing. Fraudsters try to worm their way into gaining the trust of their victims to get them to hand over money or other assets. A prominent example is the con artist Frank Abagnale, whose story was made into the 2002 crime comedy “Catch Me If You Can.” To obtain cash, he disguises himself as a security guard and sets himself up at the airport next to a locking system where funds from the ticket counter are deposited. When Abagnale pins the note “Out of order – please leave with security guard,” his uniform seems so confidence-inspiring that people press the bills into his hand by the dozen.
First: Indiscriminate shipping to many recipients
With the advent of the Internet, new social engineering methods were established, with fraudsters making contact via fake emails. In classic phishing, large volumes of electronic messages are sent indiscriminately to countless recipients. The aim of the senders is to trick the addressees into disclosing confidential information, opening harmful links and attachments, or making payments to third-party accounts. One example involves the deceptively genuine-looking PayPal emails that contain a link to an imitation website, asking recipients to verify or update their login information there. If they comply with this request, their data ends up directly in the hands of the scammers. Phishing emails can be produced very easily and without much effort. Even if only a few recipients bite, the effort pays off for the attackers.
Now: Threats tailored to specifically to the intended victim
Cybercriminals are more sophisticated when it comes to spear phishing, a form of phishing that specifically targets certain users. Their main target group is company employees, since that is where most of the money is to be made.
First, the fraudsters take a lot of time to scour social media and other Internet sources for information about their potential victims. This data can then be used to create emails that are precisely tailored to the recipient. Disguised as superiors, colleagues, or business partners, the attackers try to trick their victims with seemingly plausible prompts or cleverly designed lures.
In addition to feigning insider knowledge, hackers rely on psychological tricks to trick their victims. They skillfully target the recipients’ emotions to get them to do what is asked of them without thinking about it. Here is a small selection of the most important psychological influencing factors:
- Deference to authority: For example, the scammers forge an email in the name of a board member. In it, the employee is asked to make an urgent payment to a supplier. Large sums of money can end up in foreign accounts in this way. The chances of recovering these sums are usually slim.
- Willingness to help: The alleged acquaintance of a colleague contacts the employee about a problem. The email contains a file attachment, which the employee opens immediately – maybe the employee had the information needed and can help. The file contains malware that infects the computer and the system unnoticed.
- Time pressure: In a deadline-critical project, the scammers pretend to be the department head. They demand that the employee send security-relevant information and urges the employee to hurry. Since there is no time for a more detailed check, the recipient reveals the requested information in good faith.
- Curiosity: In the name of the management, the hackers inform the recipient about important structural and personnel changes in the administration. The mail contains a link that supposedly leads to an updated organizational chart with the new distribution of responsibilities. If the employee clicks on the link, he or she plays into the scammers’ hands.
- Fear: The alleged superior asks about an invoice for a service that was not ordered. The employee is afraid of being suspected of embezzlement and therefore hastily clicks on the link to the invoice – and thereby opens the door to hackers. Not infrequently, the loophole is also used as an opportunity to penetrate the entire corporate network.
Worldwide fraud gangs raking in millions
Spear phishing is one of the most dangerous and most common cyber-attack method today. These attacks are increasingly being carried out by international fraud gangs and can cost companies a fortune. The best-known examples include the German automotive supplier Leoni, which lost around 40 million euros through CEO fraud in 2016, while the Austrian-Chinese aerospace supplier FACC lost 50 million euros in this way.
Alarmed by recurrent stories of this sort in the media, many companies naturally want to make their employees aware of the dangers posed by spear phishing. One common method they resort to is security awareness training, which focuses on classroom training, e-learning and webinars. These provide participants with theoretical knowledge of how spear phishing attacks work, how to recognize forged mails and how to behave in the event of an attack. This is certainly important to know, but it is not enough to effectively arm users against attackers’ psychological tricks.
Two highly different systems of thought
The reason for this lies in the two different human thought systems, as described by psychologist and Nobel Prize winner Daniel Kahnemann in his bestseller “Thinking, Fast and Slow”. According to this, system 1 – fast thinking – is guided by subjective feelings and empirical values and tends to make impulsive decisions “based on gut instinct”. System 2, on the other hand – slow thinking – takes objective data into account and proceeds systematically, rationally and logically when making decisions.
By imparting objective knowledge about spear phishing methods, conventional security trainings target the second – slow – thinking system. In doing so, they neglect the first thinking system, which is responsible for spontaneous clicks on incoming emails. Therefore, training urgently needs to be supplemented with learning content that promotes employees’ fast thinking and intuitive decisions.
Simulated attacks strengthen awareness
This can be achieved with spear phishing simulations. These use real company and employee information to fake attacks. If an employee is taken in by a fraudulent email, he or she is immediately taken to an explanation page. Here, they receive information about the features that would have enabled them to recognize the mail as fake on closer inspection: from misspellings in the sender address to the use of subdomains and suspicious-looking links.
Phishing simulations are a proven method to sustainably increase employees’ security awareness. This is because they take advantage of the “teachable moment,” when a user is most receptive to new lessons. Since the employee’s error is immediately made clear to him or her, they will be more careful with incoming emails in the future. To keep the employee on guard, it is advisable to repeat spear phishing simulations regularly and adapt them to the attackers’ ever-changing methods. The goal here must not be to monitor or trick employees – instead, the focus must be on training. For this to succeed, the use of security awareness training must be communicated correctly.
Humans remain the weakest link
Effective security awareness training should combine e-learning with realistic phishing simulations. It is important that the training is tailored to the personal learning needs of each individual employee. It should also allow for metrics-based measurement of their learning progress.
Although IT departments can already intercept many spear phishing emails using the right email security solutions, humans still remain the biggest vulnerability. Companies should make this clear to their employees not as something demeaning, but to motivate them to participate in security awareness training. As well as relying on the IT security technology used by their employers, users must understand that they too have an essential part to play: They are the most important lever for successful defense, through their own self-efficacy. Only those organizations that can convince their employees of this will remain one step ahead of spear phishing attackers in the future.
About the Author
Dr Yvonne Bernard is CTO at Hornetsecurity, the global Cloud Security, Compliance and Backup Pioneer founded in Hannover, Germany. With a Ph.D. in Computer Science, she has a technical background and is responsible for strategic and technical development in the areas of Product Management, Software Development, Innovation & Research, Security Lab and Cloud Infrastructure. Yvonne can be reached online at https://www.linkedin.com/in/dr-yvonne-bernard-b3388a25/ and at our company website http://www.hornetsecurity.com/