Emotions as human detection & defence

A lot has been said about the importance of security “awareness,” but does this actually make us safer? With high-profile cyberattacks dominating the news cycle and most companies now enforcing security awareness and training programs, we (as a society) are arguably better informed about cyber threats than ever before. So, why do we continue to fall for the same old social engineering scams? 

In this blog, our Research & Innovation Lead, Francisco Dominguez, offers a new hypothesis: maybe it’s not just what you know about attacks, but how you feel when being attacked, that determines whether you become a victim or not. Emotional intelligence may be an overlooked, yet powerful tool for increasing your individual resilience. This, of course, does not alleviate the need for robust technical measures to keep users safe. This blog merely offers some additional tools you can use to protect yourself, if and when these measures fail.

Like most people working in IT or information security (or just in general with computers), you’ll often receive questions about how to protect against phishing attacks, scams or similar attempts at deception. The questions originate not from clients with whom you work professionally, but most often from friends, family and other people who overheard that you know something about computers. I’ve been struggling for a long time with formulating an answer that would increase the resilience of these people in a manner that doesn’t depend on providing details of ‘the attack that currently dominates the news cycle’.

With this blog post my goal is not to raise awareness, but to provide people with a tool that they can use to defend themselves from attacks when technological measures fail or are not properly configured, as well as in the case of analogue scams or other fraudulent attempts. I’ve also come to the conclusion that maybe it’s not so much what you know about attacks, but how you feel when being attacked, that can make the difference between becoming a victim or not.

Keep in mind that this is not a silver bullet and, even with all the knowledge in the world, you can still fall victim to attacks. Not because attackers are necessarily always smarter than you, but because everyone has a bad day. Sometimes attackers get lucky and everything aligns perfectly, resulting in you falling victim to an attack that manipulates you into doing something you never intended to do. If and when this happens, don’t feel ashamed. It happens to all of us.

Please note that I’m not a psychologist, but just a random person who has executed these attacks in the past and, as a hobby, is curious about human nature, people’s emotions and how they react. It may very well be that my approach is wrong, in which case, please do tell me. So far, the results have been promising and the people with whom I’ve attempted this approach seem to be more resilient against attacks, even when they are not intimately familiar with the details of how the attack technically works. This is by no means a grand claim on how well this works, since the pool of people that I explained this to and who tried to apply it themselves in their daily lives is less than five.

Keep on reading if you are curious about using your emotions as a defence mechanism. If you prefer the attack side of this subject, you can also read past blogs of mine on the subject of social engineering as part of different types of attacks here, here and here.

Case 1: Chandler's story

One of the things that got me thinking about this subject was the fact that a friend of a friend fell victim to a password phishing attack resulting in financial losses - let’s call him Chandler. When talking to Chandler, it became very clear that after the attack he was having very strong feelings, amongst others: ‘powerless’, ‘ashamed’ and ‘scared’. When further questioning him about the incident, he explained that the reason he felt this way was because he was actually very careful and had still fallen victim. He was very aware of the fact that he was (paraphrasing his own words) a ‘clueless person using a computer’ and thus he tried to follow advice given by different people and institutions:

  • Check the URL for typos
  • Check the safety properties of the URL
  • Ensure you only click links from email senders that you know
  • Log out from websites that you deem sensitive (banks, etc)
  • Check reviews of the website before buying
  • etc.

Don’t focus on whether the advice itself is good or bad, but on the fact that even after really wanting to do the right thing, he was still unable to protect himself. After helping him out with the practical side of things like resetting his passwords, setting up MFA, checking his devices, helping him with the police and his bank, etc., the inevitable question was asked: You are a computer expert, right? What else should I do to avoid falling victim to these attacks?

Now that was a bit of a challenge - how could I respond to that? I needed some time to think this over. Old me would have reacted by providing a lot of technical details on the attack, how they work, and increasing the list of things he would need to check for, but after several years of doing this professionally the result is that it just doesn’t work. Providing heaps of information doesn’t make people more resilient, it makes them more informed (or so we hope), which does not necessarily result in a better response when they are attacked. Luckily, more and more psychologists are entering the cybersecurity field.

A couple of days later, a colleague at work asked me ‘You seem distracted, do you feel alright?’ That sparked a connection of events in my head and I realised that most of the time we are not dealing with our emotions or how we feel, while these same emotions are often at the centre of what attackers abuse. You can read a lot on influencing people, social engineering people, manipulating people, but all of that boils down to changing or reinforcing emotions.

A lot of tricks, approaches and techniques are employed to basically ensure that the right set of emotions trigger the right set of reactions to achieve the desired actions, so that an attacker can obtain their goal.

Case 2: Awareness campaign

An interesting case study in this regard is an assignment my team and I did many years ago. We were hired to test the result of a fairly intensive awareness campaign to educate users on never giving out their password. The test consisted of gaining access to the environment and only allowed us to use attacks that would obtain the password via social engineering techniques. The first attempts all failed miserably: the users were drilled to never give out their password, not even when being pressured with the usual social engineering techniques that focused on a wide variety of emotions like fear, greed, etc.

While brainstorming at the lunch table, we realised that they might have been drilled too much on this subject and mainly recognised attempts to make them give out their password. So, what if we didn’t ask for their password, but instead asked them to change their password to a secure one provided by us? We redid the attacks focusing on the same emotions, but this time provided them with a password - this worked like a charm. We convinced many users to change their password, obtaining our objective.

This case study resembles what happened to Chandler. The users in this case study did all the things they were told to do and yet they fell victim to our attack. Now, you could argue that we didn’t strictly test what they were trained on; however, when was the last time you asked your attackers to only perform attacks in the exact same manner that you prepared for? Oh, and of course, that’s besides the whole discussion of how useful these tests are, especially when the proper technical measures have not been implemented, but that’s beyond the scope of this blog post.

Recommendations

The key aspects of these two situations, which can be generalised to other social engineering-based attacks, can be summarised as:

  • Changed Emotion + Action = Attacker Objective

Social engineering tries to put you in a state of mind that is beneficial for the attacker, which at the core concerns manipulating one of the many emotions that you have. When this is accomplished there is (almost) always an action that you take, for which it is not always clear WHY you take that action. Was it truly and fully out of your own free will or was it because your emotional state changed and thus you were compelled to act in the way that the attacker is aiming for?

After pondering all this, I got back to Chandler and provided the following advice, which is the goal of this blog post: a tool to hopefully increase your resilience:

  • What triggered me to act?
  • How do I feel?
  • Why do I feel like this?
  • Why am I taking this action?
  • What does this action accomplish?

I went through these questions with Chandler and he answered as follows:

  • An email triggered me to act
  • I felt rushed
  • There was a mention of a deadline
  • I was typing over the URL, since I know not to click links
  • Doing this would result in me giving out information

Doing this consciously made him very much aware of the fact that this was probably an attack. Yet, in his daily routine the only thing that he clearly remembered was that he felt rushed, but didn’t think much of it. So, together we brought this process back to the following:

  • Practice recognising that your emotion has changed based on an action
  • When you recognise this change of emotion, try to focus on it and understand it
  • Stop any action that you are performing at that moment due to the change of emotion

As with all well-intentioned advice on this subject, this is notoriously more difficult to execute on a daily basis than you would expect. However, after a couple of months of him and some other people being more focused on their emotions, they were able to recognise different kinds of social engineering attacks. Not because they methodically answered these questions, but by focusing on their emotions and realising that their action was the result of a changed emotion: for example, from calm to scared, or from their daily rush to suddenly feeling sympathy, combined with a request to do something because of that changed emotion.

Hopefully this blog article will help you or people you know to become a bit more resilient - not only against digital attacks, but also against more regular scams and other fraudulent attacks that occur in your daily analogue life. I’m still very much of the opinion that for a wide range of digital attacks, the proper response is the correct implementation of technical measures, instead of burdening the user.

Yet, it seems that for the foreseeable future the users are on their own, because a lot of the technological world has yet to figure out how to balance user experience and ease of use with security measures that protect the user, as well as solving the financial aspect of implementing all of this.
