Patch me if you can: Cyberattack Series
The Microsoft Incident Response team takes swift action to help contain a ransomware attack and regain positive administrative control of the customer environment.
Forty-eight percent of people will exchange their password for a piece of chocolate,[1] 91 percent of cyberattacks begin with a simple phish,[2] and two out of three people have experienced a tech support scam in the past 12 months.[3] What do all of these have in common? They make use of social engineering: when an attacker preys on our human nature in order to defraud. Also in common, these small, very human actions have led to billions of dollars of loss to global business.
People are by nature social. Our decision making is highly influenced by others. We are also overloaded with information and look to shortcuts to save time. This is why social engineering is so effective. In this blog, I’ll share the psychology behind Cialdini’s Six Principles of Persuasion to show how they help lure employees and customers into social engineering hacks. And I’ll provide some tips for using those principles to create a social engineering resistant culture.
Dr. Robert Cialdini is Regents’ Professor Emeritus of Psychology and Marketing at Arizona State University and founder of Influence at Work. He has spent his entire career studying what makes people say “Yes” to requests. From that research he developed Six Principles of Persuasion: Reciprocity, Scarcity, Authority, Consistency, Liking, and Consensus. So let’s take a look at how each of these principles is used in social engineering campaigns and how you can turn them around for good.
People are inclined to be fair. In fact, receiving a gift triggers a neurological response in the areas of the brain associated with decision-making. If my friend buys me lunch on Friday, I will feel obliged to buy her lunch the next time we go out. Social psychologists have shown that if people receive a holiday card from a stranger, 20 percent will send one back.[4] And providing a mint at the end of a meal can increase tipping by 18-21 percent.
How reciprocity is used in phishing: You can see evidence of the Principle of Reciprocity in phishing campaigns and other scams. For example, an attacker may send an email that includes a free coupon and then ask the user to sign up for an account.
Leveraging reciprocity to reduce phishing: According to Dr. Cialdini, the lesson of “the Principle of Reciprocity is to be the first to give...” Many organizations pay for lunch to get people to come to trainings, but you may also consider giving away gift certificates for coffee or a fun T-shirt. If the gift is personal and unexpected, it’s even more effective. After you give, ask people to commit to your security principles. Many will feel compelled to do so.
Why do so many travel websites tell you when there are only a few remaining flights or rooms? The Principle of Scarcity. It’s human nature to place a higher value on something that is in limited supply. In one experiment, college students judged cookies more appealing if there were fewer in the jar.[5] Even more appealing? When an abundant supply of cookies was later reduced to scarcity.
How scarcity is used in phishing: Attackers take advantage of our desire for things that seem scarce by putting time limits on offers in emails. Or, in another common tactic, they tell people that their account will deactivate in 24 hours if they don’t click on a link to get it resolved.
Leveraging scarcity to reduce phishing: You can leverage scarcity to engage people in security behaviors too. For example, consider giving a prize to the first 100 people who enable multi-factor authentication.
People tend to follow the lead of credible experts. Doctors (think Dr. Fauci), teachers, bosses, and political leaders, among others, have huge sway over people’s actions and behaviors. If you’ve heard of the Milgram study,[6] you may be familiar with this concept. In that study an experimenter convinced volunteers to deliver increasingly more severe shocks to a “learner” who didn’t answer questions correctly. Fortunately, the learner was an actor who pretended to feel pain, when in reality there were no shocks delivered. However, it does show you how powerful the Principle of Authority is.
How authority is used in phishing: Using authority figures to trick users is very common and quite effective. Bad actors spoof the Chief Executive Officer (CEO) to demand that the Chief Financial Officer (CFO) wire money quickly in some spear phishing campaigns. When combined with urgency, people are often afraid to say no to their boss.
Leveraging authority to reduce phishing: You can use people’s natural trust of authority figures in your security program. For example, have senior managers make a statement about how important security is.
Most people value integrity. We admire honesty and reliability in others, and we try to practice it in our own lives. This is what drives the Principle of Consistency. People are motivated to remain consistent with prior statements or actions. If I tell you that I value the outdoors, I won’t want to be caught throwing litter in a park. One study found that if you ask people to commit to environmentally friendly behavior when they check into a hotel, they will be 25 percent more likely to reuse their towel.[7]
How consistency is used in phishing: Scammers take advantage of people’s desire to be consistent by asking for something small in an initial email and then asking for more later.
Leveraging consistency to reduce phishing: One way to employ the Principle of Consistency in your security program is to ask staff to commit to security. Even more powerful? Have them do it in writing.
It probably won’t surprise you to learn that people are more likely to say yes to someone they like. If a friend asks for help, I want to say yes, but it’s easier to say no to stranger. But even a stranger can be persuasive if they are perceived as nice. In the raffle experiment, people were more likely to buy raffle tickets if the person selling the tickets brought them a soda, and less likely if the person only bought themselves a soda.[8]
How liking is used in phishing: When bad actors spoof or hack an individual’s email account and then send a phishing email to that person’s contacts, they are using the Principle of Liking. They are hoping that one of the hacking victim’s friends won’t spend much time scrutinizing the email content and will just act because the like the “sender.”
Leveraging liking to reduce phishing: To be more persuasive with your staff, cultivate an “internal consulting” mindset. Be friendly and build relationships, so that people want to say yes when you ask them to change their behavior.
When people are uncertain, they look to others to help them formulate an opinion. Even when they are confident of their beliefs, consensus opinions can be very persuasive. This can be seen in the light dot experiment. In this study, individuals were asked how much a (stationary) dot of light was moving. It appeared to move due to autokinetic effect. Days later, the subjects were divided into groups. Despite very different earlier estimates, responses “normalized” to the broader group. If brought back to provide an individual estimate, individuals continued to provide the group estimate.[9]
How consensus is used in phishing: Adversaries exploit cultural trends. For example, when there is a natural disaster, there are often several illegitimate organizations posing as a charity to elicit donations.
Leveraging consensus to reduce phishing: Highlight positive security behaviors among other employees or report favorable statistics that indicate most people are complying with a security policy.
The more complex life becomes, the more likely humans will rely on cognitive shortcuts to make decisions. Educate your employees on how the Cialdini’s Six Principles of Persuasion can be used to trick them. Try implementing the principles in your own communication and training programs to improve compliance. Over time, you can build a culture that is less likely to fall for social engineering campaigns.
Watch “The psychology of social engineering: the soft side of cybercrime” presentation at InfoSec World v2020.
Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter.
[1] Trick with treat – Reciprocity increases the willingness to communicate personal data, Happ, Melzer, Steffgen, https://dl.acm.org/citation.cfm?id=2950731
[2] 2016 Enterprise Phishing Susceptibility and Resiliency Report, https://phishme.com/enterprise-phishing-susceptibility-report
[3] Microsoft Global Survey on Tech Support Scams, https://news.microsoft.com/uploads/prod/sites/358/2018/10/Global-Results-Tech-Support-Scam-Research-2018.pdf
[4] Kunz, Phillip R; Woolcott, Michael (1976-09-01). “Season’s greetings: From my status to yours.” Social Science Research. 5 (3): 269–278
[5] Worchel, Stephen; Lee, Jerry; Adewole, Akanbi (1975). “Effects of supply and demand on ratings of object value.” Journal of Personality and Social Psychology. 32 (5): 906–914.
[6] Milgram, Stanley (1963). “Behavioral Study of Obedience.” Journal of Abnormal and Social Psychology. 67(4): 371–8.
[7] Commitment and Behavior Change: Evidence from the Field Katie Baca-Motes, Amber Brown, Ayelet Gneezy, Elizabeth A. Keenan, Leif D. Nelson Journal of Consumer Research, Volume 39, Issue 5, 1 February 2013, Pages 1070–1084
[8] Regan, Dennis T. (1971-11-01). “Effects of a favor and liking on compliance.” Journal of Experimental Social Psychology. 7 (6): 627–639.
[9] Sherif, M (1935). “A study of some social factors in perception.” Archives of Psychology. 27: 187.