The world of hacking, cyber attacks and cyber crime has increasingly come under the spotlight in recent years, with various documentaries, films and mass media coverage raising awareness of cyber security issues across the general public. In line with this, organisations have had to become more cyber-aware, channelling significant resources into the development of adequate security systems, processes and procedures in order to keep electronic data safe.
Technical advances in the security of computer systems have meant that the individual user of a system has increasingly become the target, as the potential ‘weak spot’. By persuading a user to click on a link within an e-mail and enter personal details such as account names and passwords, or to unwittingly download a file containing malicious software, attackers are able to gain access to a system more easily than through technical means alone. This manipulation of human behaviour, persuading an individual to engage in a particular action, has become known as social engineering.
One common method of social engineering in online environments is spear phishing. This involves targeting particular individuals or groups with tailored phishing e-mails that mimic organisations or individuals known to the recipient, or that refer to topics of particular interest to them. Generic phishing e-mails use a mass-market approach aimed at as many people as possible; the classic example is the 419 scam, in which the sender claims to have millions of pounds in a foreign bank account that they need help moving, in exchange for a share of the money. Spear phishing attempts, by contrast, are likely to have been preceded by online data gathering about the target individual, group or organisation, drawing on social media websites such as Facebook and LinkedIn, corporate websites and any other information that can be easily accessed. By using this information to tailor their communications, attackers maximise the likelihood that the message will be trusted and that the target will carry out the desired behaviour with minimal consideration (e.g., click a link, open an attachment, respond to the sender, provide sensitive information or forward the communication on to colleagues).
Unlike longer-term persuasion attempts, which focus on developing a relationship with the individual (commonly seen in online romance scams and the grooming of young people), the one-off nature of spear phishing communications means that they have a single opportunity in which to persuade the individual to respond. This results in the use of a number of influence techniques that are primarily focused on:
• Instilling a sense of urgency, such as requiring a response within 24 hours to prevent account closure, or providing time-limited or time-relevant information.
• Providing information of interest or use to the individual, whether by professing information that will be perceived as important or required to complete a work or personal task, or by referring to information that is likely to ‘grab’ attention and induce curiosity or credulity.
• Encouraging emotional responses, usually through fear or panic relating to a potential threat or loss (freezing an account, removing or restricting access or availability, identity theft), or by inducing positive emotions such as excitement, desire, pride or hope relating to excessively large prizes, ‘too good to be true’ offers, limited opportunities or miracle cures.
• Exploiting compliance with authority, whereby individuals are instructed to complete a task (such as processing an invoice or reading a policy document) by someone impersonating a relatively high-status individual within the organisation.
• Following contextual or work-related communication norms, including cultural holidays or events (e.g., Christmas, Easter, World Cup), everyday activities (e.g., parcel delivery updates), and common or targeted work or personal topics (e.g., policy updates, delivery notifications, invoices sent to finance personnel, ‘update your personal details’ forms sent to HR personnel).
Attackers often combine these techniques to maximise the likelihood that an individual will respond, particularly if they are distracted, overloaded, in a rush (as in the ‘Friday afternoon scam’ [1]), or have a particular need for something that cannot be met through conventional means. In more complex influence attempts, e-mails may be preceded or followed up by phone calls or other communications from the attacker.
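Several of the cues above can be checked mechanically against a message's headers and body before it ever reaches the distracted recipient. The Python below is an added example and is not code from the original post: it scores three constructed messages for urgency language, an explicit action request, a senior colleague's display name on an external address, a look-alike of the organisation's domain, and a Reply-To that does not match the From address. The domain example-corp.com, the executive names, the cue weights and the sample messages are all assumptions made for this illustration.

```python
"""Heuristic scorer for spear-phishing influence cues in a raw e-mail.

Added example, not code from the original post. The organisation domain,
executive names, weights and sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's own domain and the display names of senior
# staff an attacker might impersonate (a real deployment would read these
# from the directory).
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVES = {"Jane Smith", "Alan Jones"}

# Urgency cues: deadlines, "urgent", threatened loss of access.
URGENCY_RE = re.compile(
    r"\b(within\s+\d+\s*(?:hours?|hrs|minutes?|days?)|urgent(?:ly)?|immediately|"
    r"today|before\s+(?:close\s+of\s+business|cob|end\s+of\s+day|eod)|"
    r"account\s+will\s+be\s+(?:closed|suspended|locked))\b",
    re.IGNORECASE,
)
# Action requests: pay an invoice, or click/verify something.
ACTION_RE = re.compile(
    r"\b(process|pay|transfer|wire|approve)\b.{0,40}\b(invoice|payment|funds)\b"
    r"|\b(click|open|log\s*in|verify|confirm)\b.{0,40}\b(link|attachment|account|details)\b",
    re.IGNORECASE | re.DOTALL,
)

# Assumed weights: identity cues outweigh wording cues, because the former
# are what separate a tailored impersonation from a mass mailing.
WEIGHTS = {
    "executive_display_name": 3,
    "lookalike_domain": 3,
    "reply_to_mismatch": 2,
    "urgency": 1,
    "action_request": 1,
}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _lookalike(domain: str) -> bool:
    """True for an external domain that reuses the organisation's label,
    e.g. example-corp-payments.com standing in for example-corp.com."""
    label = INTERNAL_DOMAIN.split(".")[0]
    return domain != INTERNAL_DOMAIN and label in domain


def score_message(raw: str) -> dict:
    """Parse one RFC 5322 message and return its cues, score and verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    from_domain = _domain(addr)

    cues = []
    # A known executive's name on an address outside the organisation.
    if display.strip() in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        cues.append("executive_display_name")
    if _lookalike(from_domain):
        cues.append("lookalike_domain")
    # Replies silently routed to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != from_domain:
        cues.append("reply_to_mismatch")
    if URGENCY_RE.search(text):
        cues.append("urgency")
    if ACTION_RE.search(text):
        cues.append("action_request")

    score = sum(WEIGHTS[c] for c in cues)
    verdict = ("likely spear phish" if score >= 4
               else "suspicious" if score >= 2 else "no cues")
    return {"cues": cues, "score": score, "verdict": verdict}


# Constructed sample messages (not real traffic).
SPEAR_PHISH = "\n".join([
    'From: "Jane Smith" <jane.smith@example-corp-payments.com>',
    "Reply-To: <jane.smith.exec@webmail-example.net>",
    "To: <finance@example-corp.com>",
    "Subject: Urgent: invoice payment before COB",
    "",
    "I am in meetings all afternoon. Please process the attached invoice",
    "within 2 hours and reply to this address once it is done.",
])
LEGITIMATE = "\n".join([
    'From: "Jane Smith" <jane.smith@example-corp.com>',
    "To: <finance@example-corp.com>",
    "Subject: Q3 planning notes",
    "",
    "Attached are the notes from Tuesday's planning meeting. Nothing to",
    "action; file them with the rest of the quarter's records.",
])
MASS_PHISH = "\n".join([
    'From: "Account Security" <no-reply@mail-secure-update.info>',
    "To: <user@example-corp.com>",
    "Subject: Your account will be suspended",
    "",
    "Unusual sign-in detected. Verify your details at the link below within",
    "24 hours or access will be removed.",
])

if __name__ == "__main__":
    for name, raw in [("spear", SPEAR_PHISH), ("legit", LEGITIMATE), ("mass", MASS_PHISH)]:
        print(name, score_message(raw))
```

The identity cues carry most of the weight because a mass mailing rarely bothers to spoof a named colleague or register a look-alike domain, whereas the urgency and action wording on its own also fires on legitimate finance and HR traffic. In practice a score like this should raise a message's priority for review, or strip and quarantine attachments, rather than block outright.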
But what persuades people to click on a link, open an attachment or view a video in these online settings? Unfortunately, research in this area is still relatively sparse. In addition, the complexity of trying to understand what motivates an individual to engage in a particular action in any given situation means that it is very difficult to pinpoint where best to address this problem. For example, is more training and awareness required? Or do systems and processes need to be designed differently to limit potential vulnerabilities in human decision-making? Are some people more vulnerable than others? Or are people more vulnerable when they are doing a particular task, working in a particular role or in a particular mood? These are the questions that are starting to be explored by an increasing number of researchers, including ourselves, and we await with anticipation the further development of this research field.
[1] Bloomberg (2015), ‘A London Hedge Fund Lost $1.2 Million in a Friday Afternoon Phone Scam’, http://www.bloomberg.com/news/articles/2015-07-07/friday-afternoon-scam-cost-hedge-fund-1-2-million-and-cfo-s-job