At Motorola Solutions, we firmly believe that understanding the “why” of a problem you’re facing is the key to solving it. If you can figure out the “why,” you consistently make better decisions. In keeping with the theme of the second week of Cybersecurity Awareness Month, “Phight the Phish,” let’s consider why phishing attacks are so successful, and how you can leverage that “why” to better protect yourself from falling victim to them.
A Simple Explanation for How We Think
A very basic way to explain how we think is that there are two parts to our mind. Part One controls all of our normal functions that we don’t actively think about. It keeps our heart beating, our lungs breathing, our eyes blinking — and it’s also the part that controls our instincts. For example, when someone suddenly throws a ball at you, your instinct is to either catch, dodge or brace for impact. We don’t have time to think about what to do. It’s whatever reaction Part One chooses in that split second. Part One can also be thought of as our emotional and reactive center.
Part Two of our mind is in charge of our deliberate decisions — things we choose to do. That’s what we use when we are actively “thinking” — like trying to solve a math problem, reading or writing. Part Two is the half of our brain that we actively turn on and off, because it’s hard to passively solve math problems, write a story or read a book. Part Two can be referred to as our logic and focus center.
How Phishing Preys on the Quirks of Your Mind
Cybercriminals use social engineering to engage and prey on Part One of your mind to reduce the amount of thought you put into your response. There are many types of phishing attacks, but let’s focus on three major types of phishing scams designed to activate Part One, and how to avoid falling for them.
Authority: Phishing emails leveraging authority will appear to come from someone who you perceive to have power. This could be a government organization, an executive within your company or even a politician. These emails are trying to activate Part One of your mind by making you think they come from someone important. In every organization there is a hierarchy, and by acting as an authority figure, they’re hoping you’ll follow through on what they’re asking for before fully examining the situation.
For example, say you get an email that looks like it’s from your CEO or the head of your agency, and it asks you for confidential information or has an urgent request to carry out some task. What should you do? The first step is to take a breath and question this message. Does the CEO often ask you for information directly, or is this the first time? Why wouldn’t the CEO call you if they urgently needed something, particularly if it involves sensitive financial information? ?
A message that appears to come to you directly — whether from the director of an agency, another authority figure in the organization, or someone else you know — is called a spear phishing attack. It’s unlikely this message was sent to multiple people within your organization, because it makes it too easy to ask your coworkers if they’ve gotten the email. That, and the personalization of the message, are two characteristics that identify this type of attack. A normal phishing email may be sent to many people within the organization, but spear phishing targets an individual.
How can you recognize a spear phishing attempt? It’s more challenging, but the key component is to remain skeptical and take a minute to carefully examine the message. As we noted in the example above, the first thing to do is to stop and think if this is something the sender would actually be asking you to do in the normal course of business.
If the sender is asking for sensitive information like employee Social Security numbers, or has an urgent request to complete a wire transfer or make configuration changes that could impact the operations of a mission-critical system, for example, be especially cautious, even if the message refers to things that make it appear that the sender knows you. Clever cyber criminals will often craft spear phishing messages that mention the names of colleagues, your work schedule or other information that they can glean from lurking in your organization’s email system and surreptitiously reading your coworker’s correspondence.
If you’re unsure about the message or comes from someone who usually wouldn’t contact you directly, try to get in touch with them by phone or text. Don’t use the contact information provided in the suspicious email, since that may be fake, too. If you can’t get in touch with the sender, go to their second-in-command, or contact someone in your IT team who can look into it. You’re better off safe than sorry when it comes to spear phishing.
Scarcity: These phishing efforts appear to come from any sort of business that offers expensive goods or services. A scarcity phishing email will state that there is a limited time offer, and that you must take action within a short period of time to get the deal. The desire to get a great bargain is human nature, and this sort of phishing message is hoping to get Part One of your mind excited for this once-in-a-lifetime offer. The email sender is hoping you’ll click on a link before you fully consider the likelihood of such an offer being reasonable or not.
For example, imagine you get an email that appears to be from a name brand retailer with an incredible offer for a new flat screen television that’s usually $800, and it’s on sale now for ONLY $100. All you need to do is click on that convenient link in the email and log in to your account to buy it.
The first thing you should do when you see a deal that seems too good to be true is to slow down and take a deep breath. Open a new tab and go to the company’s website (do NOT click the link in the email). You should be able to find the deal on their website, or by logging in if you have an account. If you don’t see the deal advertised, you’ve likely just saved yourself from a phishing scam. If you’re determined to find out, get in touch with their Customer Support team and ask — but only using the contact information you find on their legitimate website.
Fear or Worry: These phishing emails, which appear to come from a bank or a large commercial retailer, will alert you to an issue with one of your accounts. They typically ask you to use the link in the email to log in and verify a transaction. It’s natural for Part One of your mind to panic at the thought of your account and personal information being compromised — and that’s what the phishers are counting on. When we’re afraid, our thought processes get jumbled. Part Two of your mind is only usable when you put conscious effort into it. This phishing attack is trying to put Part One in control right now because you’re worried about your information.
Another similar phishing scam is to send emails that appear as though they come from a bank, claiming that your information needs to be verified. They’ll ask you to email back with either your password, bank account number or Social Security number to verify your account or prevent it from being locked. Immediately you’ll be worried, but take a minute to stop and analyze the email. Did you recently request a password reset? Are they asking you for your confidential information via email response or a special link you wouldn’t normally use to log in? When in doubt, you can always stop by your local bank branch. It’s far more secure, if less convenient, to resolve these types of questions in person.
No legitimate company will ever request your password or any personally identifiable information through an email. If there’s truly a problem, that can be verified. Don’t click on the link in the email. Open a new browser tab, navigate to that company’s website and log in to your account, or call your bank using only their official contact information on the legitimate website. If any information on your account needs to be changed, there should be a warning when you log in.
Summary
Part One of your mind serves a valuable purpose, but instinctive reactions can be exploited by bad actors on phishing expeditions. Whenever you feel yourself being pushed by an email or text message to react without thinking, stop and engage Part Two of your mind. Is this message trying to get you to send sensitive information about yourself or your organization? Is this email trying to get you to click a link or open an attachment? Most phishing efforts can’t hold up under calm consideration — which is why that is your best weapon to prevent phishing attacks.
Sergei Borodinski
October 14, 2021
Thanks, very well put.