In today’s demanding remote work environment, our mental energy is the most important currency we have. To preserve our mental resources and help us make decisions more quickly, the human brain subconsciously takes mental shortcuts called cognitive biases. While biases do not necessarily reflect reality or rationality, they undoubtedly influence the way we think and behave, meaning they also affect our decision-making process. Unfortunately, cybercriminals have caught onto these reasoning errors we’ve come to rely on, and leverage these biases to launch increasingly sophisticated and personalized phishing attacks.
Security leaders must be proactive and get ahead of attacks by arming their employees with the knowledge and tools necessary to combat today’s ever-evolving social engineering techniques. Instead of trying to proactively guess the next new phishing attack technique, we can simply learn from what has worked for hackers time and time again. By understanding what has worked and why, we can use that information to inform a stronger and more comprehensive security awareness culture that positively changes risky behaviors. In doing so, security leaders can create a strategic, layered security approach that prioritizes the human element as the strongest asset towards fortifying organizations against even the most sophisticated cyberattacks.
Phishing emails are highly effective today because workers have been groomed to have an immediate response to them, particularly remote workers. According to SecurityAdvisor research on cognitive bias techniques, the halo effect is the most commonly used cognitive bias, appearing in 29% of phishing attacks. Rounding out the top five most commonly used cognitive biases is hyperbolic discounting (28% of phishing attacks), followed by the curiosity effect (17%), recency effect (5%) and authority bias (3%).
Once we understand what each of these techniques encompasses, why we respond the way we do, and how cybercriminals frame attacks to elicit the desired responses from targeted employees, our organizations will become better positioned to combat future threats. Below is a breakdown of each of these widely-used cognitive responses:
- Halo effect: This is the tendency for an individual to have a positive impression of a person, company, brand, product, or service. In this type of attack, a cybercriminal pretends to be a trusted entity known to the target individual. A prime example of this is, “Hey Billy, can you quickly send me your cell number, I’m at a conference and need it for an urgent matter.” Today, employees are moving so quickly, and oftentimes checking email and messages on mobile. It’s easy to fall victim and respond in a hurry before checking the sender’s address closely—our brain sees the name of our boss and immediately, we shoot back a response.
- Hyperbolic discounting: This bias refers to the inclination to choose immediate rewards over rewards that come later in the future, even when these immediate rewards are smaller. The most common example of this bias is fake offers to receive free or discounted services for the first few months or signing up for a free trial.
- Curiosity effect: Also referred to as the Pandora effect, taken from the Greek mythology of Pandora’s box, research suggests that humans possess an inherent desire to resolve uncertainty. When facing something uncertain, they will act to resolve the uncertainty even if they expect negative consequences. An example of this is a text message from your bank saying your account has been blocked and you need to verify your identity using the link.
- Recency effect: This is the tendency to remember the most recently presented information best, or recent events that have taken place. Most recently, some phishing attacks have used the bait of COVID-19 vaccinations to lure targets to act.
- Authority bias: This bias states that people tend to attribute a greater accuracy to the opinion of an authoritative figure. In the context of the workplace, this can include a manager, boss, or CEO. Any time we receive an email request from an authority figure, we’re inclined to comply quickly and without question, as we place a high amount of trust and credibility in these figures.
Without knowledge, we are powerless. Employees will not stand a chance against today’s motivated, ruthless and highly sophisticated cybercriminals unless they have the wisdom and tools in their back pocket, ready to defend with. While nearly impossible to unlearn these biases, we can improve our employees’ understanding of these biases to make it easier to identify and mitigate the impact of psychologically-powered cyberattacks, and ultimately facilitate changes in individual cybersecurity behavior.