Despite humans processing decisions consciously only five percent of the time, most cybersecurity awareness, education and training programmes assume that staff are in a rational, deliberate mode when making cybersecurity decisions.
Awareness programmes must account for the other ninety-five percent by helping your employees build alternative decision-making strategies that, over time, can form into habits.
Several methods of persuasion are used by cybercriminals to lure unsuspecting staff.
Authority is one of the most used and most successful methods of persuasion found in phishing emails. Emails that invoke authority prey on the fact that humans trust the opinions of experts and use that trust as a shortcut in decision making.
These emails purport to come from senders in powerful positions, such as company CEOs, or display awarded accolades and accreditations.
Scarcity is another powerful persuasion technique, regularly used to create urgency by stating that there are only 24 hours to update system details before the account is suspended.
Humans want the things they cannot have, so social engineers limit the time available within their emails to motivate recipients into quick action.
Commitment and consistency
Cybercriminals also often use commitment and consistency by addressing recipients as customers or readers. This leaves them feeling the need to remain consistent with their previous decisions, even if the claims are untrue.
Liking and similarity
Liking and similarity sits in the middle of the range for both usage and success rate; it uses rapport and compliments to get recipients to carry out the suggested threat action.
This can be seen in phishing emails from potential LinkedIn connections who compliment your work and suggest they have similar areas of interest.
Reciprocity is ‘middle of the road’ in relation to usage and success rate. ‘Free gifts’ or ‘discounts’ are offered in return for recipients interacting with links or attachments. Humans feel the need to repay a debt, so if a gift is offered the recipient feels compelled to carry out the threatening action.
While reciprocity may work well in a home context, the offer of free gifts may appear out of place in the workplace.
Social proof is used less frequently but still occurs. It relies on us, as humans, following the lead of others with whom we are associated. Phishing emails now ask recipients to forward an email to peers who may be interested; the recipient, in turn, becomes social proof to those they email.
Cybercriminals use this additional method to move recipients outside the email to learn more. While it is used regularly, its current success rate is low, potentially because it relies on a simple method that is easy to deploy, e.g. just sending a link, in the hope that at least some percentage of recipients will take the bait.
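The persuasion principles above can be turned into a simple triage aid for awareness trainers and mailbox reviewers. The following is an added example, not code from the original article or from FUEL or OutThink: it scans an email body for cue phrases associated with each principle (the cue lists and the three sample emails are constructed for this illustration) and reports which principles are present and an overall risk level, so that a suspicious message can be discussed with staff in terms of the specific lever it pulls.

```python
import re

# Constructed cue phrases per persuasion principle (assumed, not an exhaustive list).
# Each entry is a regular expression matched case-insensitively against the email body.
CUES = {
    "authority": [r"\bceo\b", r"\bchief\b", r"\bdirector\b", r"\bcertified\b",
                  r"\baccredit", r"\bofficial\b", r"\bcompliance\b"],
    "scarcity_urgency": [r"\bwithin \d+ (hours?|days?)\b", r"\bimmediately\b", r"\burgent",
                         r"\bsuspend", r"\bexpir", r"\blast chance\b"],
    "commitment_consistency": [r"\bas a valued (customer|reader|member)\b",
                               r"\byou (previously|already) (agreed|signed up|subscribed)\b"],
    "liking_similarity": [r"\bgreat work\b", r"\bimpressed by\b", r"\bsimilar interests?\b",
                          r"\badmire\b"],
    "reciprocity": [r"\bfree gift\b", r"\bdiscount\b", r"\bvoucher\b", r"\bcomplimentary\b"],
    "social_proof": [r"\bforward (this|to)\b", r"\bcolleagues? (are|have)\b",
                     r"\bothers? (have|are) already\b", r"\bshare with\b"],
}

# Constructed sample emails used for the demonstration below.
SAMPLE_EMAILS = {
    "ceo_urgent": ("From the CEO: your account will be suspended unless you update "
                   "your details within 24 hours. Act immediately."),
    "benign_meeting": ("Hi team, the Q3 roadmap review is on Thursday at 10am. "
                       "Agenda attached, see you there."),
    "linkedin_gift": ("I was really impressed by your recent talk and we seem to have "
                      "similar interests. As a valued reader of my newsletter, claim "
                      "your free gift here."),
}


def score_email(text):
    """Return {principle: number of distinct cue patterns that matched} for an email body."""
    scores = {}
    for principle, patterns in CUES.items():
        # Count each pattern at most once so a repeated phrase does not dominate the score.
        scores[principle] = sum(1 for p in patterns if re.search(p, text, re.IGNORECASE))
    return scores


def flagged_principles(text, threshold=1):
    """List (principle, cue_count) pairs at or above threshold, strongest first."""
    scores = score_email(text)
    hits = [(name, n) for name, n in scores.items() if n >= threshold]
    # Sort by count descending, then by name so the output is deterministic.
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def risk_level(text):
    """Coarse banding on the total number of persuasion cues found in the email."""
    total = sum(score_email(text).values())
    if total >= 3:
        return "high"
    if total >= 1:
        return "medium"
    return "low"


if __name__ == "__main__":
    for label, body in SAMPLE_EMAILS.items():
        print(f"{label}: risk={risk_level(body)} cues={flagged_principles(body)}")
```

The cue counts are a teaching aid rather than a spam filter: a genuine message from a real executive can legitimately mention deadlines, so the output is best read as "which levers does this email pull?" when walking staff through a reported phish.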
FUEL has partnered with OutThink to include its award-winning human risk management platform as one of the software solutions we offer our clients.
To find out how the OutThink Cybersecurity Human Risk Management platform raises awareness, drives more secure behaviours, and increases motivation across an organisation, please get in touch with us at FUEL Online. firstname.lastname@example.org