The human element and malicious activity
There was a very popular film, back in the 70s called “Paper Moon”. It was about a father who used his young daughter to carry out ‘cons’ in 1920s America. Con artists have been part of society since well before money came on the scene. The con artist portrayed in Paper Moon was of a sort that included many infamous scams including the “Ponzi Scheme” of the early 20th century. Con artists, scammers, and their modern counterparts, cybercriminals, have something in common – they understand how to manipulate natural human traits to get what they want – usually money.
As we see ever more complicated and widespread cybersecurity incidents happen, we are increasingly witnessing the use of social engineering as an integral part of the cyber-attack – this is simply the old-fashioned “con”, rebadged. In this article, we will look at why this is so, showing examples of how our own behaviour is being used against us.
This article is part one of a mini-series where we look at the way that human behaviour creates insecurities in the workplace. In part one, we will look at how malicious actors use scams. In part two, we will look at the accidental aspects of cybersecurity.
Why human behaviour is so attractive to a cybercriminal
If you think back to those old-fashioned tricks and scams, you often picture a smooth-talking individual who makes the victim feel confident in them before perpetuating their scam. This same idea is behind many of modern-day cybercrimes – only the way that this confidence is created is often (but not always) digital.
Attractive human trait 1: Trust
Trust is a fundamental step in perpetuating a socially engineered scam. If you can get someone to trust you, they will act on that trust and follow instructions more easily and without question. With trust, you can remove thought. Without thinking people click on links they shouldn’t click on.
In research by the Anti Phishing Working Group (APWG) they found that when designing phishing emails, scammers use the most well-known brands to disguise their intent. Brands like PayPal, Facebook, Apple, and even the UK Government, are loved by cybercriminals. Why? Because we trust them. And, we trust them because we have built a relationship with them, often over years of doing business with them.
Cybercriminals also use well-established trust signals, like making their spoof websites, secure (HTTPS – S for secure). The APWG found that phishers secure their spoof websites to fool users into thinking they are secure and therefore they must be dealing with a legitimate company.
Attractive human trait 2: Greed and need
We all know about the scams that promise a 7-figure payment if you send your bank account details over. These scams work because of the natural human instinct to “feather your nest”. It is a normal and natural thing for human beings to want to accumulate money or the equivalent. So, scammers use this basic need against us. An example of this type of phishing in action was discovered by Kaspersky. The scam used the popular game “Clash of Clans” mixed with some festive game freebies (or not so free as it turned out). Phishers created a spoof site which offered free stuff. Once you made your choice of free gift, you then entered various personal data, including Facebook and/or Google credentials. The scammer then used these credentials to log into your account and take it over.
Attractive human trait 3: Urgency and FOMO
A sense of urgency is used to great effect by phishers or by other scammers. Phishing emails may contain a “call to action” which has an urgent element to it. Research has shown that certain key phrases are more successful than others in getting users to click on a malicious link. Included in these are phrases such as: “IT Reminder: Your Password Expires in Less Than 24 Hours” and “Please Read – Important from Human Resources”. Those links will usually take you to an infected website that will auto download malware to infect your machine.
Examples of the modern ‘cybercon’ in action
It is incredibly easy to find examples of socially engineered cybersecurity threats. They are in abundance and the bain of business. Here we look at three common types:
Phishing and SMShing and everything in between
Phishing comes in many forms, including via email, mobile text message, and voice. The ‘phish’ is typically about tricking users into:
- Entering login credentials into a spoof site
- Entering personal data into a spoof site
- Opening an infected attachment, thus infecting the machine or device
- Clicking a link and being taken to an infected website which beings a process of malware infection
Examples of this scam:
Greed and FOMO: Brazilian scammers stole login credentials to buy and resell electronic goods. There was a spike in activity during the FIFA World Cup which is attributed to people wanting to purchase cheap TVs to watch the football.
Urgency and Trust: A recent phishing campaign based on the Microsoft Office 365 brand is believed to have affected 10% of users. The phishing email contains a link to a “SharePoint” document in “OneDrive”. Clicking to access the document, takes the user to a spoof Office 365 login page which is used to harvest the user’s login credentials – result, an account takeover.
Business Email Compromise (BEC)
This is a digital version of the latter-day ‘sting’. It involves a cybercriminal using surveillance techniques to ‘get to know’ their target. Once they have enough information they use various methods to hijack or spoof the email account of a high-ranking person in an organisation. They then use the trust and authority of that individual to trick people into moving company money into the cybercriminal’s bank account.
There are a number of ways that social media sites can be used as a means to exploit an individual or organisation.
Facebook clone accounts: This scam involves using an individual’s’ photos and personal details to create a fake account. The account can then be used to blackmail the user. For example, if that person was the director of a company, the fake Facebook account could post embarrassing things or make false claims.
Whatsapp phishing: Increasingly, social apps like WhatsApp are being used as a conduit for phishing scams. A recent Sainsbury’s scam used WhatsApp to push out a spoof “Win a Sainsbury gift card” message. The scam cleverly using the social aspect to encourage people to pass the message onto their wider friend base.
Some ways we can help to trick the trickster
This article has touched on just a few of the tricks of the scammer trade out there. To keep up with the twists and turns of the cybercriminal business is not easy. Being security aware is a fundamental part of every organisation in a complex online world. Here are a few things to consider in keeping on top of the scammers:
- Security awareness training: Make all of your staff aware of possible cyber threats and how to spot a potential scam.
- Phishing simulation exercises: Run regular simulation exercises to help your staff recognise the latest threats from phishing.
- Chain of reporting: Have a chain of reporting so that if someone feels they have been tricked into a scam they can quickly report it, so any damage can be contained.
- Use the right technology: Although human behaviour is used by cybercriminals as part of the scam, certain technologies can help to reduce the risk. These include using second factor authentication wherever possible and ensuring that systems are regularly patched.