Mind Hack: taking advantage of human psychology, emotions and errors
By Craig McDonald
Imagine a company with the most experienced cybersecurity team, and the best software and hardware defences. You’d probably think that this organisation won’t ever find itself on the end of a devastating cyber-attack, right?
Think again.
Today’s sobering reality is any business, no matter how resilient, can become the victim of a cyber-attack if their employees aren’t part of its cybersecurity strategy.
Long gone are the days when a cybersecurity strategy could rely solely on an arms race against scammers, where the winner was whoever had the latest, cutting-edge security systems that could detect threats the fastest.
We know today that cybercriminals also love playing mind games and exploiting human psychology, emotions and errors. Cybercrime isn’t only about hacking into technology, but getting inside the minds of users too – a ‘mind hacking’ if you will. And that’s why socially engineered attacks, CEO Fraud, business email compromise (BEC) and other similar scams have been making headlines for a while.
As these attacks get more complex and frequent, there’s never been a better time to remind ourselves about the nature and motivation of attackers, so we can strategize about our cyber defence policies accordingly. Why do cybercriminals love playing mind games? And what can companies do to beat them?
We all make mistakes – and cybercriminals know this
Every day my team at MailGuard intercepts phishing emails designed to evoke emotions such as fear, curiosity and urgency in order to trick recipients. Because it’s human nature to be curious, we click on unfamiliar links in seemingly urgent and intriguing email messages. We have FOMO when too-good-to-be-true business opportunities land in our inbox, so we end up willingly submitting confidential data on dodgy sites. And what about extortion threats? Fear is a very powerful emotion.
Cybercriminals know all this, and that’s why they target time-poor, busy professionals in the hope they won’t think twice before responding. Are we really surprised when an ambitious employee replies a little too quickly to an email supposedly from their boss, or when someone processes a funds transfer because an urgent request arrived out of hours? That’s also probably why phishing emails increase around the end of the financial year (EOFY) and festive periods such as Easter and Christmas. Cybercriminals know these are busy, distracted periods for employees, and that’s when they strike.
Why do cybercriminals love to play mind games?
It’s simple. These cyber-attacks require minimal investment, but offer phenomenal gains for scammers.
A cybercriminal knows it could take hours, weeks or even months to break into a network by technical means alone: brute-forcing credentials, or finding and exploiting a vulnerability. Instead, they could simply pick up a phone, send an email and/or physically impersonate an official, a delivery driver, a construction worker or even tech support, and end up causing significant damage.
I’ve witnessed attacks where one cleverly crafted email, delivered to an unsuspecting recipient (regardless of seniority), has brought an entire business to its knees. A famous case is that of Walter Stephan. He had been CEO of aircraft parts manufacturer FACC for 17 years when the company fell for a whaling scam. Cybercriminals sent an email to FACC’s finance staff purporting to come from Stephan himself, talking of the need for a secret transaction. Staff acted on it and transferred the money, and Stephan, held responsible for the failure, was fired with immediate effect.
The scam ended up costing the company $56.79 million. Just let that sink in.
Exploring a little closer to home, 5,800 reports of business email compromise scams (a broader category than whaling) cost Australian businesses more than A$7.2 million last year, according to the Australian Competition and Consumer Commission. The actual figure is likely much higher, as underreporting is a prevalent issue.
How to defend your company
There are several means to defend your company from psychological cyber-warfare. You’re probably doing these already, but it doesn’t hurt to go through them to ensure they’re in your current cybersecurity strategy.
Train your team
If you want your team to participate in making the business safer from hacking and cybercrime, you have to give them the knowledge to make good security choices. First and foremost, that means being able to recognise a scam when it lands in their inbox, and knowing where to report it. This doesn’t just happen; it’s a matter of generating awareness throughout the entire team and empowering them to think of themselves as the first line of defence.
Ongoing education is the key to enlightening your staff on the ground. This may be in the form of workshops, meetings, guest speakers, cross-functional teams, tests, and plenty of resources available on your intranet, including weekly cybersecurity updates. You can refer to external resources as well. MailGuard’s blog, for example, is regularly updated with the latest email threats that we see popping up, along with thought leadership articles on the current cyber landscape and how to navigate it.
Conduct ethical hacking attacks
You perform fire drills at work to keep your employees physically safe, so why not fake hacking attacks to secure your company’s data and systems?
One of the best ways to find out how cyber resilient your team is involves running various tests to see whether they pass or fail in their detection skills. Consider employing the services of an ethical hacker, or team, to create simulated attacks (phishing emails, phone calls, even a visitor at reception) that test your staff’s ability to spot incoming attacks and respond correctly to them. Measure not just who clicked, but who reported the attempt and how quickly, and treat a failed test as a coaching opportunity rather than a disciplinary matter; staff who fear punishment stop reporting, which is the opposite of what you want. This will give you a good idea of how they will perform in the face of a real threat.
Fortify your defences
We know that spending on cybersecurity should be a combination of software protection and education. Just keeping your antivirus software up-to-date is not going to cut it, and likewise, giving your employees comprehensive knowledge on being cyber-savvy without having strong technological defences in place won’t work either.
I highly recommend companies take a strategic, multi-layered approach when it comes to implementing a cybersecurity tech stack. It’s sometimes referred to as a ‘defence in depth’ approach: the system is defended by several different methods and solutions, so that if one fails, the others still stop the threat.
Putting this in the context of email security, you may already have native security from your email hosting provider, like Google or Microsoft, but it’s key to remember that no one vendor can stop all attacks. Since industry reports consistently find that around 9 out of 10 attacks start with an email, it’s also prudent to employ an additional layer of cloud email security from email security specialists such as MailGuard.
Other methods you can implement include multi-factor authentication (preferably a phishing-resistant form such as hardware security keys, since one-time codes can be relayed by a phishing page in real time), least-privilege access to systems with regular review of accounts and permissions, a properly configured firewall, web filtering, and encryption of critical data. For CEO fraud specifically, the single most effective control is procedural: any request to transfer funds or change payment details must be verified out of band, by calling the requester on a number you already hold, never by replying to the email.
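The header and wording clues that distinguish a CEO-fraud email from a genuine one (the kind of message that caught FACC’s finance staff) can be checked mechanically as one inexpensive layer in a defence-in-depth stack. The following script is an added example written for this article; it is not MailGuard’s code or product logic. It assumes a hypothetical organisation at `example.com` with an executive called Jane Doe, and runs over three constructed sample messages.

```python
"""Heuristic triage of inbound mail for CEO-fraud / BEC indicators.

Added example, not MailGuard's code. Organisation, executive and sample
messages below are all constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                       # assumed: the organisation's real mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed: display name -> genuine mailbox
PRESSURE_TERMS = (                               # urgency / secrecy language typical of BEC
    "urgent", "confidential", "secret", "wire", "transfer", "asap",
    "before close of business", "do not discuss", "gift card",
)
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}  # common lookalike substitutions


def norm_name(name):
    """Lower-case a display name and strip punctuation so 'J. Doe' style variants compare."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo-squats of ORG_DOMAIN."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True for domains that imitate ORG_DOMAIN (examp1e.com, exmple.com), False for ORG_DOMAIN itself."""
    if not domain or domain == ORG_DOMAIN:
        return False
    folded = domain
    for glyph, real in HOMOGLYPHS.items():
        folded = folded.replace(glyph, real)
    return folded == ORG_DOMAIN or edit_distance(domain, ORG_DOMAIN) <= 1


def body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(chunks)


def triage(raw):
    """Return the list of BEC indicators found in a raw RFC 822 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []

    # 1. Display name belongs to an executive, but the address is not their real mailbox.
    genuine = EXECUTIVES.get(norm_name(name))
    if genuine and addr.lower() != genuine:
        findings.append("display-name-impersonation")

    # 2. Sending domain is a lookalike of ours.
    if is_lookalike(from_domain):
        findings.append("lookalike-domain")

    # 3. Replies are silently redirected to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply-to-mismatch")

    # 4. Two or more pressure phrases in subject + body (one alone is too common to flag).
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    if sum(term in text for term in PRESSURE_TERMS) >= 2:
        findings.append("pressure-language")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_CEO_FRAUD = """\
From: Jane Doe <jane.doe@freemail.example>
Reply-To: jane.doe@examp1e.com
To: accounts@example.com
Subject: Urgent and confidential - wire transfer needed today

I am in a meeting and cannot talk. Please arrange the transfer of the
acquisition deposit before close of business and do not discuss this
with anyone until it is done.
"""

SAMPLE_LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e.com>
To: accounts@example.com
Subject: Quick favour

Are you at your desk? I need you to handle something urgent.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Board papers for Thursday

Attached are the papers for Thursday's meeting.
"""

if __name__ == "__main__":
    for label, raw in (("ceo-fraud", SAMPLE_CEO_FRAUD), ("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)):
        print(label, triage(raw))
```

The output is a prioritisation aid, not a verdict: genuine executives do send urgent emails, and a real BEC that comes from a compromised genuine mailbox will show none of the header anomalies above. That is exactly why the procedural control of out-of-band verification for payment requests has to sit behind any technical filter.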
Let this article be a reminder of the need to ensure your business’ cyber defence strategy encompasses all of the elements required to beat cybercriminals at the mind games they’re playing. Have a conversation with your CISO about the above suggestions to see which are best for your company.
What are you doing in your business to defend your systems against clever attacks? Write to me below.
Get the facts
Companies are spending more on cybersecurity now than ever before, but those funds aren't always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many CEOs about the sources of cyber-threat.
Industry studies consistently attribute more than 90% of cyber-attacks to email, yet email security is rarely the biggest item in cybersecurity budgets. If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.
I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.
You can download my e-book for free, here.
“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal.
Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity; I'm active on LinkedIn and Twitter.