Tuesday 15 December 2015

What do you know about spear phishing? by Dr Emma Williams

The world of hacking, cyber attacks and cyber crime has increasingly come under the spotlight in recent years, with various documentaries, films and mass media coverage raising awareness of cyber security issues across the general public. In line with this, organisations have had to become more cyber-aware, channelling significant resources into the development of adequate security systems, processes and procedures in order to keep electronic data safe.

Technical advances in the security of computer systems have meant that the individual user of a system has become increasingly targeted as the potential ‘weak spot.’ By persuading a user to click on a link within an e-mail and enter personal details, such as user accounts and passwords, or to inadvertently download a file containing malicious software, attackers are able to access a system more easily than through technical means alone. This manipulation of human behaviour by persuading an individual to engage in a particular action has become known as social engineering.

One common method of social engineering in online environments is spear phishing. This involves the targeting of particular individuals or groups with tailored phishing e-mails that mimic organisations or individuals known to the person, or refer to topics that are of particular interest to them. Whereas generic phishing e-mails use a mass-market approach targeting as many people as possible, such as 419 scams whereby an individual claims to have millions of pounds in a foreign bank account that they require help to move in exchange for a proportion of the money, spear phishing attempts are likely to have been preceded by online data gathering of the target individual, group or organisation. This may utilise information found on social media websites such as Facebook and LinkedIn, corporate websites, and any other information that can be easily accessed. By using this information to tailor communications, attackers are able to maximise the likelihood that their communications will be trusted and that the target will undertake the desired behaviour with minimal consideration (e.g., click a link, open an attachment, respond to the sender, provide sensitive information or forward the communication on to colleagues).

Unlike longer-term persuasion attempts, which focus on the development of a relationship with the individual (commonly seen in online romance scams and the grooming of young people), the one-off nature of spear phishing communications means that attackers have a single opportunity in which they must persuade the individual to respond. This results in the use of a number of influence techniques that are primarily focused on:

- Instilling a sense of urgency, such as requiring a response within 24 hours to prevent account closure or providing time-limited or time-relevant information.
- Providing information of interest or use to the individual, whether by professing information that will be perceived as important or required to complete a work or personal task, or referring to information that is likely to ‘grab’ attention and induce curiosity or credulity.
- Encouraging emotional responses, usually through fear or panic relating to a potential threat or loss (freezing an account, removing or restricting access or availability, identity theft) or by inducing positive emotions, such as excitement, desire, pride or hope relating to excessively large prizes, ‘too good to be true’ offers, limited opportunities or miracle cures.
- Exploiting compliance with authority, whereby individuals are instructed to complete a task (such as processing an invoice or reading a policy document) by someone impersonating a relatively high status individual within an organisation.
- Focusing on contextual or work-related communication norms, including cultural holidays or events (e.g., Christmas, Easter, World Cup), activities (e.g., parcel delivery updates), and common or targeted work or personal topics (e.g., policy updates, delivery notifications, invoices to finance personnel, update personal details forms to HR personnel).

The combination of these techniques is likely to maximise the likelihood that an individual will respond, particularly if they are distracted, overloaded, in a rush (seen in the ‘Friday afternoon scam[1]’), or have a particular need for something that cannot be met through conventional means. In more complex influence attempts, e-mails may be preceded or followed up by phone calls or other communications from the attacker.

But what persuades people to click on a link, open an attachment or view a video in these online settings? Unfortunately, research in this area is still relatively sparse. In addition, the complexity of trying to understand what motivates an individual to engage in a particular action in any given situation means that it is very difficult to pinpoint where best to address this problem. For example, is more training and awareness required? Or do systems and processes need to be designed differently to limit potential vulnerabilities in human decision-making? Are some people more vulnerable than others? Or are people more vulnerable when they are doing a particular task, working in a particular role or in a particular mood? These are the questions that are starting to be explored by an increasing number of researchers, including ourselves, and we await with anticipation the further development of this research field.






[1] Bloomberg (2015) A London Hedge Fund lost $1.2 million in a Friday Afternoon Phone Scam, http://www.bloomberg.com/news/articles/2015-07-07/friday-afternoon-scam-cost-hedge-fund-1-2-million-and-cfo-s-job

Wednesday 9 December 2015

Behaviour Change and Linguistic Relativity: The Power of Words by Dr Kate Muir

I’m pretty sure everyone would agree that words have power: we’ve all read a book, heard song lyrics or a speech that has stayed with us or influenced us in some way. I’d go even further and propose that of all the myriad influences on our thoughts and behaviour, none is more important than language. Let me explain what I mean.

This idea is the basis of linguistic relativity, the theory that language influences our thoughts, and how we perceive the world. The strong version of this theory claims that language actually dictates thought - that the language we speak constrains our perception and cognition. A limited vocabulary means an equally limited worldview. If you don’t know a word, you quite literally are unable to perceive, or think about the concept that word represents. The crux of the argument is that humans rely on internal categories and concepts, in order to understand the flux of information we are bombarded with. The language we speak is part of this system of organisation; verbal labels assist us in making sense of and navigating our way through the world. Languages segment our experiences and perceptions in different ways – speakers of another language will literally see and describe the world differently.

Take colour perception, for example. We perceive a particular wavelength of light, and label it with a colour name; this system is going to vary depending upon the language we speak. The colour one language defines as ‘green’, for example, may not even exist in another. There is indeed some evidence that language has a significant influence upon colour perception. Roberson, Davies and Davidoff studied a Papua New Guinean tribe called the Berinmo, who had only five basic colour terms, compared to ten in English. The figure below shows how the five Berinmo colour terms (box b) roughly map onto the English (box a; after Davidoff).

Berinmo participants consistently showed poorer performance in tasks involving colour terms. For instance, Berinmo participants showed inconsistency in picking the best example of a colour category, whilst English participants exhibited high consensus. Berinmo participants also had poorer memory for colours than the English participants. This suggests that both sets of speakers relied on naming strategies during the memory tests, and as the Berinmo’s colour terms cover various shades of colour, their verbal labels were not helpful to them. The strong Whorfian view of this evidence indicates that these two cultures, because of their varying colour terms, literally see different colours.

These days, the weak version of linguistic relativity, that language merely influences thought but does not determine it, is more accepted. Languages spoken around the world differ in their representations of time, space, shapes and objects; thus, the language spoken biases the way speakers of different languages think about these concepts. For instance, in English, we use front/back terms to talk about time (the past is behind us, the future is ahead) whereas Mandarin uses up/down terms (the past is up, the future is down). Speakers tend to show a bias towards thinking about time in the same way as the terms used in their language: Mandarin speakers are quicker to confirm that March is earlier in the year than April if they have just seen a vertical array of objects, than if they had seen a horizontal array. The opposite is observed for English speakers. Other research demonstrates that bilinguals categorise objects differently according to the language they use at the time. Language can thus be seen to influence many aspects of cognition and behaviour. In my view, language isn’t just a means of communication; it is a weapon of sorts. Change a person’s language, and you change the person.
My point is this: in studying and implementing behaviour change, we should not underestimate just how influential language can be. If we are to encourage positive behaviour change and influence society for the better, we should choose our words carefully.


[1] Whorf, B. (1956). Language, thought and reality: selected writings of Benjamin Lee Whorf. New York: Wiley.
[2] Roberson, D., Davies, I. & Davidoff, J. (2000). Colour categories are not universal: replications and new evidence from a stone-age culture. Journal of Experimental Psychology: General, 129 (3), 369 – 398.
[3] Davidoff, J. (2001). Language and perceptual categorisation. Trends in Cognitive Sciences, 5 (9), 382 – 387.
[4] Boroditsky, L. (2001). Does language shape thought? Mandarin and English speakers’ conceptions of time. Cognitive Psychology, 43 (1), 1 – 22.
[5] Athanasopoulos, A., Bylund, E., Montero-Melis, G., Damjanovic, L., Schartner, A., Kibbe, A., Riches, N. & Thierry, G. (2015). Two Languages, Two Minds: Flexible Cognitive Processing Driven by Language of Operation. Psychological Science, 26 (4), 518 – 526.