Half of UK SMEs have suffered a cyberattack in the past year, with 54% of those hit suffering financial losses as a result. In the majority of these cases, they were targeted with either ransomware or phishing, a frequently used vehicle for delivering malware.
We’ve all heard about these online scams; badly written emails letting us know our long-lost aunt has left us £1 million in her will and all we have to do is click on the link to accept the money. Many of us think it’s laughable – how could someone fall for something so simple?
How do cybercriminals really get away with phishing, BEC fraud, or other seemingly simple online scams? Unfortunately, the reality is that so many people fall for scams because they aren’t always as easy to identify as we may believe. Many cybercriminals use a variety of tactics to play into our psychology and habits to easily deceive even the most security aware employee into making a mistake. The success of a scam is also often dependent on hitting the right target at the right time, and the fact that phishing emails and fake websites are becoming increasingly convincing doesn’t help.
How does the internet enable cybercrime?
What many people do not realize is the extent to which the internet actually encourages cybercrime. While the World Wide Web has created significant opportunities and has allowed people to connect all around the world, it also facilitates illicit, anonymous online activity.
The internet allows people to conduct themselves with more confidence, because they can hide behind a curtain of anonymity. Equally, cybercriminals use this to their advantage to create various personas and fool their victims. They might present themselves as an authority figure or a trustworthy person, using the internet as a safety blanket to hide under. The lack of physical presence and contact also helps attackers feel detached from their crimes and victims, which often means they are less afraid of being caught and in return, bolder with their actions. Add to this the lack of general regulations and the fact that the internet broadens a criminal’s pool of victims, and we have ourselves a perfect storm.
How does a cybercriminal exploit us?
What’s more, threat actors are highly aware of our all too human foibles which they are quick to exploit in their deceptive schemes. One way is by creating a sense of urgency. This is seen in phishing attacks, when threat actors create a fake ‘emergency’ that requires fast action, like a friend or family member in need of money for a medical bill or other financial support. It could also look like a chance to win or already having won prizes, usually in the form of large sums of money. The time pressure pushes victims into a sense of panic where they lose their sense of logic, and ultimately, click on a malicious link or enter their details into a bogus website.
Additionally, the online personas that cybercriminals create can often appear hyper personal, leading victims to idealize the stranger behind an avatar. This is exacerbated by the plethora of information found online (for example, on social media platforms), that cybercriminals can use to create more targeted attacks. Instant messaging, for example, allows cyber criminals to exploit the affect heuristic cognitive bias, which is the human tendency to be overly influenced by emotion. They know exactly how to manipulate their victims into developing a close relationship with them quite quickly and falsely gain their trust, leading victims to disclose personal or sensitive information without too much prompting. Similarly, they can play on a victim’s tendency to respect authority, or authority bias, by using familiar names and logos to make their emails appear more legitimate. Consequently, victims tend to be less critical and act on impulse. An example of this was seen in the impersonation of the World Health Organization (WHO) over the pandemic. This scam became so widespread, the NCSC had to issue a warning, alerting the public to be cautious.
Other cognitive biases that can affect an individual’s reaction to a scam include decision fatigue and choice overload (whereby an individual is overwhelmed with decisions, information or communications), as well as anchoring and herd mentality. Anchoring can lead employees to focus solely on new information being shared, such as the newest threats to look out for, leading them to overlook other signs or dangers. Consequently, they may not think about falling victim to what may appear as a simple scam. With herd mentality the danger is that employees will follow the crowd with regards to lackluster security practices. Sharing passwords or valuable information, for instance, may not seem as dangerous if another employee has done it and not had a bad experience.
How can psychology help improve cybersecurity?
All hope is not lost, however. While cybercriminals may play into our psychology to carry out their schemes, we too can take the time to understand our own psychological tendencies to better protect ourselves.
By understanding how deception influences human decision-making, SMEs can create better protective measures and response plans. Regular security awareness training on spotting the tell-tale signs of a phishing or BEC attack is a good place to start. In addition, leaders should be using self and response efficacy to encourage their employees to be more security conscious. Self efficacy refers to an individual's ability to respond to threats. Using positive reinforcement and encouragement, leaders can boost their employees’ confidence in how they respond to potential scams. One way they can do this is by offering public recognition for successful work. Response efficacy relates to the training and controls used to respond to threats within the organization. These must be easy-to-use, high quality and timely, in order to improve user experience.
Additionally, it’s vital for SMEs to have an understanding of the fundamentals of good cybersecurity. One way to do so is by getting certified in Cyber Essentials, which is a UK government scheme that covers the basics of cyber hygiene, and can help protect businesses against 98.5% of the most common cyber threats – particularly those that aim to deceive or manipulate their targets.
In a physical world, interactions include cues, expressions and movements that can help others understand potentially deceptive intentions. In the cyber world, this isn’t the case, which is why it is so important for individuals and organizations to understand what digital cues to look out for that could point to illicit behavior, a potential attack or a scam.