How Criminals Exploit Your Cognitive Biases to Target You
Chani Simms
NCSC Cyber Advisor for Cyber Essentials | Managing Director Meta Defence Labs | SHe CISO Exec. Founder | TEDx Speaker | Virtual CISO
Do you feel happy when the sun is shining? I definitely do, and here is a picture from my back yard in Devon... well, I wish :)
Today’s article delves into the crucial topic of addressing people within the realm of cybersecurity. While implementing basic IT security measures like Cyber Essentials is vital, we must also confront a significant underlying issue—the human factor. Astonishingly, 91% of successful cyberattacks began with a spear phishing email. How confident are you in identifying such an email? Would you know how to handle it, and can you be certain you’ll never fall for one?
Consider your staff as well. Are they equipped to respond correctly? With advancements in Artificial Intelligence, phishing emails have become increasingly sophisticated and convincing, so much so that even seasoned security professionals like myself could be deceived without a sharp awareness and understanding of our initial reactions to these emails.
Would you be interested in a free phishing simulation campaign? I can arrange it for you. This exercise often reveals how our perception of reality can be flawed, leading to irrational decisions. It's these cognitive biases that cybercriminals exploit to their advantage. Contact me to set up your campaign and see first-hand how your team responds.
Cognitive biases are like mental shortcuts that cause us to think and make decisions in ways that aren't completely logical. They happen because our brains try to simplify information processing. Basically, we see things based on our own perspectives and experiences, which can sometimes lead us to misunderstand reality, make wrong judgments, or act irrationally. These biases influence how we see and interact with the world and other people, often without us even realising it.
Here are some examples of cognitive biases explained simply:
· Confirmation Bias: This is when people look for, remember, or favour information that matches what they already believe, and they ignore information that doesn't fit.
· Anchoring Bias: This happens when people give too much importance to the first piece of information they hear (the "anchor") and then base all their decisions on that, even if they get more information later.
· Availability Heuristic: This is a shortcut our brains take by using examples that come to mind quickly to make a decision or judgment, instead of considering all possible examples or choices.
· Hindsight Bias: This is when people look back at an event that has already happened and feel like they knew it was going to happen all along, even though they couldn't have predicted it before.
· Dunning-Kruger Effect: This bias is where people who aren't very good at something actually think they are much better at it than they really are.
· Status Quo Bias: This is when people prefer things to stay the same and are resistant to change, even if the change might be beneficial.
In the realm of cybersecurity, the threat from criminals often extends beyond technical vulnerabilities to include sophisticated psychological tactics. Criminals frequently exploit common cognitive biases through social engineering techniques, manipulating individuals' instincts and thought patterns to access confidential information. Understanding these biases can significantly enhance your defences against cyber threats.
How criminals exploit Cognitive Biases
1. Authority Bias: People often comply with requests made by someone in a position of authority. Criminals impersonate CEOs, IT admins, or government officials to request urgent action, like transferring funds or disclosing passwords.
2. Urgency Bias: Creating a false sense of urgency makes individuals act quickly, often bypassing rational judgment. An attacker might send an email warning that your account will be disabled unless you immediately verify your password, pushing you to act without thinking.
3. Familiarity Bias: We tend to trust what or who seems familiar. Phishing emails that mimic the style and branding of trusted companies can trick recipients into believing they are legitimate, leading to the disclosure of sensitive information.
4. Social Proof: This bias occurs when individuals follow the behaviour of the group. Criminals may craft emails that claim many colleagues have already complied with a request, such as clicking on a link to update personal details, making the action seem more secure.
5. Scarcity Bias: The perception that something is in limited supply can create a compelling urge to act. Cyber attackers might offer a limited-time discount or access to exclusive information, prompting hurried actions that bypass normal security checks.
6. Anchoring Bias: This bias reflects the human tendency to rely too heavily on the first piece of information offered (the "anchor") when making decisions. For example, if the first communication from a hacker is convincingly crafted, subsequent fraudulent requests may appear more legitimate.
7. Optimism Bias: Many individuals believe they are less likely to be the victim of a cyber-attack than others, leading to under-preparation and inadequate security practices that criminals can easily exploit.
8. Confirmation Bias: This leads people to favour information that confirms their pre-existing beliefs. If someone believes their network is extremely secure, they might ignore clear warning signs of a breach, assuming that their initial assessment remains unchanged.
9. The Bandwagon Effect: Similar to social proof, this bias involves doing something because many others are doing it. If an email from a hacker claims that "most of the team has updated their passwords here," individuals are more likely to follow without questioning its authenticity.
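The lures listed above (authority, urgency, social proof / bandwagon, scarcity) leave recognisable wording in a message. As an added illustration that is not part of the original article, the following Python scores a message against those lures so a security team can triage reported emails or pick realistic samples for awareness training. The phrase lists and the two sample messages are constructed for this example, and the thresholds are an assumed convention, not a published standard.

```python
import re

# Constructed phrase patterns, one group per cognitive-bias lure from the article.
# Assumption: keyword heuristics are good enough for triage and training material;
# this is not a substitute for a real mail filter or URL/attachment analysis.
LURE_PATTERNS = {
    "authority": r"\b(?:ceo|it admin|it department|hmrc|government official)\b",
    "urgency": r"\b(?:immediately|within 24 hours|urgent|account will be (?:disabled|suspended))\b",
    "social_proof": r"\b(?:colleagues have already|most of the team)\b",
    "scarcity": r"\b(?:limited[- ]time|exclusive|only \d+ left)\b",
}

def detect_lures(text: str) -> dict:
    """Return {lure_name: number of matching phrases} for a message body."""
    lowered = text.lower()
    return {name: len(re.findall(pat, lowered)) for name, pat in LURE_PATTERNS.items()}

def risk_level(text: str) -> str:
    """Rate a message by how many *distinct* lures it stacks.

    Stacking several psychological levers in one message is the pattern the
    article describes, so distinct lures matter more than repeated phrases.
    """
    distinct = sum(1 for count in detect_lures(text).values() if count)
    if distinct >= 3:
        return "high"
    if distinct >= 1:
        return "medium"
    return "low"

# Constructed sample messages (not real emails).
SAMPLE_PHISH = (
    "URGENT: Your account will be disabled unless you immediately verify your "
    "password. Most of the team has updated their passwords here. Limited-time "
    "access to the exclusive benefits portal ends today. - CEO"
)
SAMPLE_BENIGN = "Hi all, the quarterly report is attached. Let me know if you have questions."

if __name__ == "__main__":
    for label, msg in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, risk_level(msg), detect_lures(msg))
```

Run it against messages reported by staff; a "high" result with several distinct lures is a good candidate to walk through in the next awareness session.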
Strategies to Mitigate Risks: Create your Human Firewall
Phishing Simulations for your business:
Run fake phishing attacks like I mentioned earlier to spot who might fall for real ones. This helps train everyone to be more alert and reduces the risk of getting caught out by actual phishing attempts.
Regular Awareness and Training:
Annual cybersecurity training isn't cutting it anymore. Hold frequent training sessions to teach staff about the tricks hackers use and how to spot them. This will help everyone stay sharp and resistant to social engineering attacks.
Verification Processes:
Set up a system to double-check any odd requests—especially those asking for sensitive information, financial details, or urgent actions. Use different ways to verify these requests to make sure they're legit.
Robust Security Measures:
To ensure robust security, it’s essential to employ strong measures such as two-factor authentication, complex passwords, and regular software updates. These steps provide a safety net even in the event of human errors. Additionally, adopting the Cyber Essentials control set is an excellent strategy for preventing malware from infecting your systems. When implemented correctly, these measures significantly strengthen your defences and protect your digital environment.
Encourage a Security-Minded Culture:
Create a workplace where it's okay to question things that seem off and to report potential security issues without worry. Making everyone feel safe to speak up is key to catching threats early.
By understanding the psychological tricks cyber attackers use, individuals and organisations can better defend themselves against complex cyber threats. It's crucial to know about these common biases to keep both personal and professional digital environments safe from attacks.
Still curious about how well your staff can spot a phishing email? Let's get you started with a phishing simulation exercise. With our esteemed partner KnowBe4, our phishing simulation campaigns are designed to pinpoint which of your team members are most susceptible to phishing attacks. By engaging in these targeted exercises, you can effectively train your staff to recognise and avoid these security threats, significantly reducing their likelihood of falling victim to real attacks. Book a session with us! It's complimentary, by the way.
Contact us on: [email protected] | +44 (0)2032224060
Cyber Security & Resilience Researcher, Product Advocate and Advisor to keep businesses and individuals safe in business and as a volunteer at Parkrun.
10 months
I can remember 10 years ago talking to audiences about how skilled hackers use Ethnomethodology to convince us to click on their bait. Since then the attackers have got better in their phishing: cleaned up their forms, well-scripted engagements and local dialects, etc. Take a look at Peter Levy who works for the BBC. He is a constant voice of thwarting cyber criminals, but still got stung for £60,000. https://www.bbc.co.uk/news/articles/cj5lngnz54ro#:~:text=A%20BBC%20Look%20North%20presenter,suspicious%20activity%20on%20his%20account.
CEO at Allure Security
10 months
Excellent article. You do a great job of explaining why people continue to be victimized by these attacks. It's in our DNA. In the future the ability to differentiate between legit and scam will become even harder for us humans as generative AI gets better at mimicking us. As a society, we're going to have to figure out a different approach—one that doesn't involve our human weaknesses, biases, and emotional connections—if we ever truly want to end phishing for good.