CEO vs Scammer
“Each request your CEO makes uses fear and curiosity to emotionally manipulate you to complete their task”
“Cyber criminals use fear and curiosity to emotionally manipulate you to complete their task”
Two statements, but only one of them regularly features in infosec.
Some thoughts
Saying scammers target a specific biological reaction gives them too much credit.
Emotions are important, but we shouldn't assume all scammers are able to exploit them.
And I say this from experience, because I’ve engaged with thousands of BEC scammers over the years (verifiable!) and the majority were useless at it.
Email, Sent, Action.
If we look at my first statement and the beginning of this blog — a request from a CEO — it would be sad to think they would target emotions so surgically.
The strength of a request is in the relationship — CEO to employee — and also in the duties the employee is expected to carry out.
Our CEO could write a request on a jet-ski, using only emoji, and there’s still a good chance it would be actioned. (I’ve not tried this — being a CEO, or making requests from a moving jet-ski.)
Going with the flow
The communication channels that tasks travel within are always flowing. This is what scammers place their requests into.
Knowledge of office etiquette, processes, and role dynamics is essential if scammers are to use them in a way that won’t raise suspicion.
Every office has made a payment, and each payment consists of a series of connected processes. It’s these processes that scammers have wide eyes for, and leverage to get you to act.
The clock’s ticking as soon as the first reply hits their inbox. It’s in their interests to keep the pressure on from that point, as the longer it drags out, the more likely it becomes they won’t be successful.
‘Okay, how do we give this person a panic attack?’ is not the only approach available to them. A scammer can write whatever a CEO (or anyone for that matter, within reason) might to reinforce the ASAP nature of the request.
Emotions are extremely powerful when used against us. But not every scammer is aware of the psychological piano whose keys they are striking.
In fact, as scammers often use scripts, which they copy and paste from, a scam could have quite an unusual profile.
A scammer who writes a script with an awareness of those emotional pressures isn't going to be the only person who uses it.
That script will at some point end up in the hands of a far less proficient scammer. So when an exchange goes off-script, as it will, they are then alone at the controls.
It was obvious when scammers were out of their depth. They would send parts of the script again, unable to reroute the attack on the fly.
The bigger picture
It’s in our interests as those trying to prevent social engineering attacks to not become too focused on the emotional aspects of an attack, because it’s tricky to directly counteract that using technology and process.
I’m also personally a little unsure how much success can be had from instilling in users a need to increase security awareness as they experience more emotional extremes.
We know that state reduces the ability to be objective, so it seems a big ask that they modify it. Perhaps it will take initially, but after 100 instances of the stressful situation being a genuine stressful work situation, I am not sure it won’t just be undone.
As ever, feel free to disregard or challenge any of what I’ve said :) I just wanted to shine a light on how social engineering — especially over email — can be quantified and hopefully combatted in a wide variety of ways.
I’ll go into more detail about what I think the taxonomy of cyber-based social engineering looks like at some point in the future, and hopefully you’ll find it as fascinating as I do!