Emotions as human detection & defence

Like most people working in IT, in information security or just generally with computers, you'll often receive questions on how to protect against phishing attacks, scams or similar attempts to deceive a person. The questions don't come from clients with whom you work professionally, but most often from friends, family and other people who have overheard that you know something about computers. I've been struggling for a long time to formulate an answer that would increase these people's resilience in a way that doesn't depend on explaining the details of 'the attack that currently dominates the news cycle'.

With this blog post my goal is not to raise awareness, but to provide people with a tool they can use to defend themselves against digital attacks when technological measures fail or are not properly configured, as well as against analog scams and other fraudulent attempts. I've also come to the conclusion that maybe it's not so much what you know about attacks, but how you FEEL when being attacked, that makes the difference between becoming a victim or not.

Keep in mind that this is not a silver bullet, and even with all the knowledge in the world you can still fall victim to attacks. Not because attackers are necessarily always smarter than you, but because everyone has a bad day. Sometimes attackers get lucky and everything aligns perfectly, and you still fall victim to an attack that manipulated you into doing something you didn't even want to do to begin with. If and when this happens, don't feel ashamed; it happens to all of us.

Please note that I'm not a psychologist, but just a random person who has executed these attacks in the past and who, as a hobby, is curious about human nature, emotions and how people react. It may very well be that my approach is very wrong; if that is the case, please do tell me. So far the results have been promising, and the people with whom I've tried this approach seem to be more resilient against attacks, even when they are not intimately familiar with the details of how an attack technically works.
This is by no means a grand claim about how well this works, since the pool of people I explained this to, and who tried to apply it in their daily life, is fewer than five.

Keep on reading if you are curious about using your emotions as a defence mechanism. If you prefer the attack side of this subject, you can also read past blogs of mine on social engineering as part of different types of attacks here, here and here.

One of the things that got me thinking about this subject was the fact that a friend of a very dear friend of mine fell victim to a password phishing attack resulting in financial losses; let's call him Chandler. When talking to Chandler it became very clear that after the attack they had very strong feelings, amongst others feeling 'powerless', 'ashamed' and 'scared'. When I questioned them further about the incident, they explained that the reason they felt this way was that they had actually been very careful and had still fallen victim. They were very aware of the fact that they are (paraphrasing their own words) 'clueless people using a computer', and so they tried to follow advice given by different people and institutions:

  • Check the URL for typos
  • Check the safety properties of the URL
  • Ensure you only click links from email senders that you know
  • Log out from websites that you deem sensitive (banks, etc)
  • Check reviews of the website before buying
  • etc

Don't focus on whether the advice itself is good or bad, but on the fact that even after really wanting to do the right thing, they were still unable to protect themselves. After helping them with the practical side of things (resetting their passwords, setting up MFA, checking their devices, dealing with the police and their bank, etc.), the inevitable question was asked:

You are a computer expert, right? What else should I do to avoid falling victim to these attacks?

Now that was a bit of a challenge: how do I respond to that? I needed some time to think it over. Old me would have reacted by providing a lot of technical details on the attacks, how they work, and by extending the list of things they would need to check for, but after several years of doing this professionally the conclusion is that it just doesn't work. Providing heaps of information doesn't make people more resilient; it makes them more informed (or so we hope), which does not necessarily result in a better response when they are attacked. Luckily, more and more psychologists are entering the cybersecurity field.

A couple of days later, a colleague at work asked me 'You seem distracted, do you feel alright?' That sparked a connection in my head and I realised that most of the time we are not paying attention to our emotions or how we feel, while these same emotions are often at the centre of what attackers abuse. You can read a lot about influencing people, social engineering people and manipulating people, but all of that boils down to changing or reinforcing emotions.
Many tricks, approaches and techniques are employed to ensure that the right set of emotions triggers the right set of reactions, leading to the desired actions, so that an attacker can reach their goal.

An interesting case study in this regard is an assignment the team I was with did many years ago. We were hired to test the result of a fairly intensive awareness campaign that educated users to never give out their password. The test consisted of gaining access to the environment, and we were only allowed to use attacks that would obtain the password via social engineering techniques. The first attempts all failed miserably: the users were drilled to never give out their password, not even when pressured with the usual social engineering techniques that focused on a wide variety of emotions like fear, greed, etc.
While brainstorming at the lunch table we realised that they might have been drilled too much on this one subject and mainly recognised attempts to get them to give out their password. So, what if we didn't ask for their password, but instead asked them to change their password to a 'secure' password provided by us? We redid the attacks focusing on the same emotions, but this time providing them with a password, and this worked like a charm. We were able to get many users to change their password and reach our objective.

This case study resembles what happened to Chandler: the users in this case study did all the things they were told to do, and yet they fell victim to our attack. Now you could argue that we didn't strictly test what they were trained on, but when was the last time you asked your attackers to only perform attacks in the exact manner you prepared for? Oh, and of course, that's beside the whole discussion of how useful these tests are, especially when the proper technical measures have not been implemented, but that's beyond the scope of this blog post.

The key thing in these two situations, which can be generalised to other social engineering based attacks, can be summarised as:

  • Changed emotion + Action = Attacker objective

Social engineering tries to put you in a state of mind that is beneficial for the attacker, which at its core means manipulating one of the many emotions you have. When this is accomplished, there is (almost) always an action you take for which it is not always clear WHY you take it. Was it truly and fully of your own free will, or was it because your emotional state changed and you were thus compelled to act in the way the attacker was aiming for?

After pondering all this I got back to Chandler and provided the following advice, which is also the point of this blog post: a set of questions that will hopefully increase their resilience:

  • What triggered me to act?
  • How do I feel?
  • Why do I feel like this?
  • Why am I taking this action?
  • What does this action accomplish?

I went through these questions with Chandler using the incident, and he answered as follows:

  • An email triggered me to act
  • I felt rushed
  • There was a mention of a deadline
  • I was typing the URL in manually, since I know not to click links
  • Doing this would result in me giving out information

Doing this consciously made him very much aware of the fact that this was probably an attack. Yet in his daily routine, the only thing he clearly remembered was that he felt rushed, and he didn't think much of it. So together we reduced this process to the following:

  • Practise recognising when your emotion has changed in response to something that happened (an email, a call, a request)
  • When you recognise this change of emotion, try to focus on it and understand it
  • Stop any action you are performing at that moment as a result of the change of emotion

As with all well-intentioned advice on this subject, this is notoriously more difficult to execute on a daily basis than you would expect. However, after a couple of months of him and some other people being more focused on their emotions, they were able to recognise different kinds of social engineering attacks. Not because they methodically answered these questions, but by focusing on their emotions and realising that their action was the result of a changed emotion. For example, from calm to scared, or from their daily rush to suddenly feeling sympathy, combined with a request to do something that plays on that changed emotion.

Hopefully this blog article will help you, or people you know, to become a bit more resilient not only against digital attacks, but also against more regular scams and other fraudulent attacks that occur in your daily analog life. That said, I'm still very much of the opinion that for a wide range of digital attacks the proper response is the correct implementation of technical measures, rather than burdening the user.

Yet it seems that for the foreseeable future the users are on their own, because a large part of the technological world has yet to figure out how to balance user experience and ease of use with security measures that protect the user, as well as how to solve the financial aspect of implementing all of this.
