Hacking the Brain: The Psychology of Phishing and Social Engineering
We hear it regularly in workplace trainings and general reporting: watch out for phishing emails and don't click on those links! Some folks may look at examples and wonder, "why would anyone click on that? It's so obvious!" The truth is, while some phishing attempts are not tailored to the target, others are. In today's blog post, we delve into the psychology of phishing and social engineering, and why these are so successful.
Hook, line, and...malware?
"Phishing" is an attempt to collect valuable information or deliver malware to a target by means of a fraudulent email, link, or other mechanism. When the attempt is targeted to a specific person or entity, it becomes "spearphishing." The same way a knowledgeable fisherman would use a specific bait and lure to attract a certain type of fish, adversaries that target specific people or entities use convincing images, narratives, and delivery methods in order to give the impression that the "bait" is a legitimate resource.
The attributes that add a layer of false credibility, elicit a sense of urgency, or otherwise mentally and socially influence the target to "take the bait" would be considered "social engineering." According to Joe Gray in his new and upcoming book, "Practical Social Engineering," social engineering is "any attack that leverages human psychology to influence a target, making them either perform an action or provide some information."
You've already been a target of social engineering. Yes, you!
Believe it or not, you've likely already been a target of social engineering. Don't believe me? Here are some common examples of social engineering:
Phone calls stating that your car warranty is expiring and needs renewed in order for you to remain legally compliance
Letters in the mail regarding your recently closed or opened mortgage account or home warranty/insurance
Emails stating that your account credentials have been compromised or your password has expired and new credentials are required
Whether you realize it or not, these are all attempts at socially engineering you into performing an action that may scam you out of money, steal your credentials or other information, or deliver malware to your device as part of a multi-stage attack on your endpoint or network.
Ok, but who's actually trying to rescue a Nigerian princess?
While some phishing and social engineering attempts seem to be a stretch as far as convincing a person to buy-in or click on a link, like the one below,:
others are convincing and sophisticated enough to make recipients do a double-take and consider taking the requested action. During the height of the COVID-19 pandemic, threat actors capitalized on the already present confusion, panic, and fear and leveraged fraudulent COVID-19 emails in order to conduct their attacks and propagate malware globally. According to the FBI's Internet Crime Complaint Center (IC3), the number of US-based phishing victims more than doubled in 2020 vs. 2019, and nearly 30,000 of the complaints received were related to COVID-19 scam attempts.
You may be asking, what causes people to click on links, enter credentials, or provide sensitive information? The delivery mechanisms and the way the messages are crafted are sometimes convincing enough and elicit the following from the target:
Urgency: Messages like "limited time offer" or credential expiration dates convince the target that the action should occur quickly if not immediately. This clouds judgment and limits the amount of thought put into the legitimacy of the requested action.
Fear/panic: Sometimes threat actors will capitalize on a dangerous event (such as the pandemic) or instill fear in targets by claiming they have explicit photos/messages of the recipient. Extorting the target, making threats, and blackmailing are all mechanisms that instill fear and panic in people and may cause them to act quickly in order to "preserve" their reputation.
Perceived legitimacy: Threat actors will craft emails and other correspondence to seem as legitimate as possible. Using official-seeming logos and titles/roles, domain names that are extremely close to that of a reputable company, and even including information about their target that they were able to gather from social media or other public sources are ways threat actors accomplish this. APTs have been observed sending official-seeming emails to political and military entities, convincing the user to open the attachment and leading to the compromise of the endpoint and any sensitive information stored on it.
The big takeaway from this blog post is that social engineering is all about psychologically influencing and manipulating the target, and has very little to do (if anything) with technology. When carrying out attacks, threat actors ask the question, "how can I convince my target to [insert action here]?' It's the art of persuasion, manipulation, and influence. It is a reminder that, although cyber revolves around technological mediums and endpoints, it is driven and controlled by the human mind and intent.
Case Studies on APT Usage of Phishing
Resurgent Iron Liberty Targeting Energy Sector (Secureworks)
REvil/Sodinokibi Ransomware (Secureworks)
APT 1: Exposing One of China's Cyber Espionage Groups (Fireeye)
Sofacy Attacks Multiple Government Entities (Palo Alto)
'Ghostwriter' Disinformation Campaign Targets NATO Allies (Bank Info Security)
What is phishing? (CrowdStrike)
Avoid social engineering and phishing attacks (CISA)
COVID-19 Exploited by Malicious Cyber Actors (CISA)
Practical Social Engineering (Author: Joe Gray, Publisher: No Starch Press)