Hacking the Brain: The Psychology of Phishing and Social Engineering
We hear it regularly in workplace trainings and general reporting: watch out for phishing emails and don't click on those links! Some folks may look at examples and wonder, "why would anyone click on that? It's so obvious!" The truth is, while some phishing attempts are not tailored to the target, others are. In today's blog post, we delve into the psychology of phishing and social engineering, and why these are so successful.
Hook, line, and...malware?
"Phishing" is an attempt to collect valuable information or deliver malware to a target by means of a fraudulent email, link, or other mechanism. When the attempt is targeted at a specific person or entity, it becomes "spearphishing." Just as a knowledgeable fisherman uses a specific bait and lure to attract a certain type of fish, adversaries that target specific people or entities use convincing images, narratives, and delivery methods to give the impression that the "bait" is a legitimate resource.
The attributes that add a layer of false credibility, elicit a sense of urgency, or otherwise mentally and socially influence the target to "take the bait" are what we call "social engineering." According to Joe Gray in his forthcoming book, "Practical Social Engineering," social engineering is "any attack that leverages human psychology to influence a target, making them either perform an action or provide some information."
You've already been a target of social engineering. Yes, you!
Believe it or not, you've likely already been a target of social engineering. Don't believe me? Here are some common examples of social engineering:
- Phone calls stating that your car warranty is expiring and needs to be renewed in order for you to remain legally compliant
- Letters in the mail regarding your recently closed or opened mortgage account or home warranty/insurance
- Emails stating that your account credentials have been compromised or your password has expired and new credentials are required
Ok, but who's actually trying to rescue a Nigerian princess?
others are convincing and sophisticated enough to make recipients do a double-take and consider taking the requested action. During the height of the COVID-19 pandemic, threat actors capitalized on the already present confusion, panic, and fear and used fraudulent COVID-19 emails to conduct their attacks and propagate malware globally. According to the FBI's Internet Crime Complaint Center (IC3), the number of US-based phishing victims more than doubled in 2020 compared with 2019, and nearly 30,000 of the complaints received were related to COVID-19 scam attempts.
- Urgency: Messages like "limited time offer" or credential expiration dates convince the target that the action should occur quickly if not immediately. This clouds judgment and limits the amount of thought put into the legitimacy of the requested action.
- Fear/panic: Sometimes threat actors will capitalize on a dangerous event (such as the pandemic) or instill fear in targets by claiming they have explicit photos/messages of the recipient. Extorting the target, making threats, and blackmailing are all mechanisms that instill fear and panic in people and may cause them to act quickly in order to "preserve" their reputation.
- Perceived legitimacy: Threat actors craft emails and other correspondence to look as legitimate as possible. Official-seeming logos and titles/roles, domain names that differ from a reputable company's by only a character or a subdomain, and details about the target harvested from social media or other public sources are all ways threat actors accomplish this. APTs have been observed sending official-seeming emails to political and military entities, convincing the user to open the attachment and leading to compromise of the endpoint and any sensitive information stored on it.
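The three levers above are exactly what a mail-triage heuristic looks for. As an added example (not code from the original post), here is a small Python script that checks a constructed message for urgency and fear phrases, for a sender domain that imitates a trusted one (a homoglyph swap such as "1" for "l", a typosquat within two edits, or the brand buried as a subdomain of an unrelated domain), and for links whose visible text names one host while the href points somewhere else. The trusted-domain list, phrase lists and sample messages are all assumptions constructed for the example, and `registrable_domain()` assumes a plain two-label suffix rather than a public-suffix list.

```python
"""Added example (not part of the original post): a phishing-triage heuristic
covering urgency, fear, and false legitimacy. Trusted domains, phrase lists
and the sample messages below are constructed for this example."""
import re
from urllib.parse import urlparse

# Hypothetical domains the organisation treats as legitimate senders.
TRUSTED_DOMAINS = {"example-bank.com", "acme-corp.com"}

# Characters attackers swap for look-alikes; multi-character swaps go first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

URGENCY_PHRASES = ["urgent", "immediately", "within 24 hours", "limited time", "act now", "expire"]
FEAR_PHRASES = ["compromised", "suspended", "legal action", "explicit photos", "we have recorded"]

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SHOWN_HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def normalize_label(s):
    """Undo common homoglyph substitutions so 'examp1e' compares equal to 'example'."""
    s = s.lower()
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s


def levenshtein(a, b):
    """Edit distance; a small distance to a trusted domain indicates typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None if trusted or unrelated."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None
    labels = host.split(".")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if normalize_label(reg) == normalize_label(trusted):
            return trusted  # homoglyph swap: examp1e-bank.com
        if levenshtein(reg, trusted) <= 2:
            return trusted  # typosquat: exampel-bank.com
        if any(brand in label for label in labels):
            return trusted  # brand buried in another domain: example-bank.com.login-verify.net
    return None


def mismatched_links(html):
    """(shown_host, real_host) pairs where the visible link text names one host
    but the href resolves to a different registrable domain."""
    found = []
    for href, text in LINK_RE.findall(html):
        m = SHOWN_HOST_RE.match(text.strip())
        real_host = urlparse(href).hostname
        if not m or not real_host:
            continue  # link text is not a URL, or href has no host; nothing to compare
        shown_host = m.group(1).lower()
        if registrable_domain(shown_host) != registrable_domain(real_host):
            found.append((shown_host, real_host))
    return found


def triage(msg):
    """Return (indicator, detail) pairs for a message with 'from', 'subject', 'body' keys."""
    indicators = []
    text = (msg["subject"] + " " + msg["body"]).lower()
    indicators += [("urgency", p) for p in URGENCY_PHRASES if p in text]
    indicators += [("fear", p) for p in FEAR_PHRASES if p in text]
    sender = re.search(r"@([\w.-]+)", msg["from"])
    target = lookalike_of(sender.group(1)) if sender else None
    if target:
        indicators.append(("lookalike-sender", f"{sender.group(1)} imitates {target}"))
    for shown, real in mismatched_links(msg["body"]):
        indicators.append(("link-mismatch", f"shows {shown}, goes to {real}"))
    for href, _ in LINK_RE.findall(msg["body"]):
        real_host = urlparse(href).hostname
        if real_host and lookalike_of(real_host):
            indicators.append(("lookalike-link", real_host))
    return indicators


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = {
    "from": "Example Bank Security <alerts@examp1e-bank.com>",
    "subject": "URGENT: your account has been compromised",
    "body": 'Your access will be suspended within 24 hours. Verify now: '
            '<a href="http://example-bank.com.login-verify.net/auth">https://example-bank.com/login</a>',
}
LEGIT_SAMPLE = {
    "from": "statements@example-bank.com",
    "subject": "Your March statement is available",
    "body": 'View it at <a href="https://example-bank.com/statements">https://example-bank.com/statements</a>.',
}

if __name__ == "__main__":
    for name, msg in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(name, triage(msg))
```

Run as-is, the phishing sample trips every category (two urgency phrases, two fear phrases, a homoglyph sender, a mismatched link and a lookalike link host) while the legitimate statement notice produces no indicators. Keyword lists like these are deliberately crude: they rank messages for a human or a richer classifier, they do not decide on their own.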
Case Studies on APT Usage of Phishing
- Resurgent Iron Liberty Targeting Energy Sector (Secureworks)
- REvil/Sodinokibi Ransomware (Secureworks)
- APT 1: Exposing One of China's Cyber Espionage Groups (Fireeye)
- Sofacy Attacks Multiple Government Entities (Palo Alto)
- 'Ghostwriter' Disinformation Campaign Targets NATO Allies (Bank Info Security)