A new trend in phishing has been discovered: cybercriminals are crafting **personalized social engineering attacks that exploit user cognitive bias**, according to new research from SecurityAdvisor. Another of the study's most interesting findings, discussed below, is that people with more training can fall for these attacks more easily.
First, cognitive bias refers to the mental shortcuts that people unconsciously take when processing and interpreting information before making a decision. SecurityAdvisor CEO Sai Venkataraman explained to VentureBeat that with this trend, cybercriminals manipulate a recipient's thoughts and actions to convince them to engage in risky behavior, such as clicking a link or entering sensitive information on a website.
People with training can be deceived more easily
Something to keep in mind when trying to identify these more advanced attacks is that they can be built on the user's previous behavior. The report examined real-world data from malware, phishing, email security and other attacks, and found that more educated people can click on malicious links more often than individuals with little or no training.
In this regard, it was found that 11% of users who had had a single training session clicked on a phishing link, while 14% of users with five training sessions clicked on the link.
How can this be possible? There are many reasons. The cognitive biases used to trick people with more computer security training take five forms.
Five types of attacks that take advantage of cognitive bias
First, there is the halo effect, which uses a brand or company name that the user trusts, or scams such as fake invitations to university lectures sent to senior managers.
Second is the so-called "hyperbolic discount", which exploits people's tendency to choose a reward that gives immediate results. This is the typical phishing attack that promises that by clicking a link you can get a check or a discount on a computer. According to experts, this practice has been around for a long time but continues to attract victims.
Third is the curiosity effect, found in 17% of phishing attacks. In this type of attack, an executive may receive information about exclusive access to an unnamed event, and the desire to know more about the event can lead the executive into the trap.
Fourth, the so-called recency effect takes advantage of the tendency to remember recent events, and it appears in many emails. For example, information about COVID-19 vaccines can be used to get the user to click a malicious link.
Finally, authority bias is based on people's willingness to trust the opinions of an authority figure. An attacker using this bias can pose as a senior manager or even the CEO of a company.
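As an added example of how a defender might turn the five bias categories above into mail triage, the following Python script scores incoming messages against simple keyword heuristics for each bias and flags a trusted brand named by an external sender as a halo-effect lure. This is illustrative code written for this article, not SecurityAdvisor's product; the regex patterns, the internal domain `acme.example`, the brand list and the sample messages are all constructed assumptions, and the scoring goes slightly beyond the text by weighting an external sender who invokes internal authority more heavily.

```python
"""Heuristic triage of email text for the five cognitive-bias lures
(halo effect, hyperbolic discount, curiosity, recency, authority).
Added example: patterns, domain, brands and messages are constructed."""
import re
from dataclasses import dataclass, field

# One list of case-insensitive regexes per bias. Keyword heuristics only;
# a real deployment would tune these against its own mail corpus.
LURE_PATTERNS = {
    "halo_effect": [
        r"\b(on behalf of|official (notice|communication) from)\b",
        r"\b(university|lecture|guest speaker)\b",
    ],
    "hyperbolic_discount": [
        r"\b(claim|get|receive) your (check|discount|reward|gift card)\b",
        r"\b(limited time|expires (today|in \d+ hours?)|act now)\b",
    ],
    "curiosity": [
        r"\b(exclusive|invite[- ]only|confidential) (access|event|invitation)\b",
        r"\byou won'?t believe\b",
    ],
    "recency": [
        r"\b(covid[- ]?19|vaccine|vaccination)\b",
    ],
    "authority": [
        r"\b(ceo|cfo|chief \w+ officer|managing director)\b",
        r"\b(urgent request from|per (the )?(ceo|management))\b",
    ],
}

# Brands the organisation trusts and its own mail domain (constructed).
# A known brand named by an external sender is treated as a halo-effect lure.
KNOWN_BRANDS = {"example bank", "acme corp"}
INTERNAL_DOMAIN = "acme.example"


@dataclass
class Triage:
    sender: str
    biases: list = field(default_factory=list)   # bias tags in detection order
    matched: dict = field(default_factory=dict)  # bias -> patterns/reasons hit
    score: int = 0                               # higher means more suspicious


def sender_domain(sender):
    return sender.rsplit("@", 1)[-1].lower()


def triage_message(sender, subject, body):
    """Tag one message with the bias lures its text exhibits."""
    text = f"{subject}\n{body}".lower()
    result = Triage(sender=sender)
    for bias, patterns in LURE_PATTERNS.items():
        hits = [p for p in patterns if re.search(p, text)]
        if hits:
            result.biases.append(bias)
            result.matched[bias] = hits
    external = sender_domain(sender) != INTERNAL_DOMAIN
    if external and any(b in text for b in KNOWN_BRANDS) \
            and "halo_effect" not in result.biases:
        result.biases.append("halo_effect")
        result.matched["halo_effect"] = ["known brand named by external sender"]
    # An external sender invoking internal authority is the strongest signal.
    if external and "authority" in result.biases:
        result.score += 2
    result.score += len(result.biases)
    return result


# Constructed sample messages: (sender, subject, body).
SAMPLE_MESSAGES = [
    ("rewards@promo-deals.example", "Claim your discount today",
     "Limited time offer for Acme Corp customers: act now, it expires in 24 hours."),
    ("events@invite-only.example", "Exclusive access",
     "You have been selected for exclusive access to an invite-only event."),
    ("health-update@notices.example", "COVID-19 vaccine appointment",
     "Your vaccination slot is ready; confirm via the link."),
    ("ceo.office@acme-corp-mail.example", "Urgent request from the CEO",
     "Per the CEO, wire the attached invoice before close of business."),
    ("it-helpdesk@acme.example", "Password rotation reminder",
     "Reminder: your password expires in 10 days; change it via the internal portal."),
]


def triage_all(messages=SAMPLE_MESSAGES):
    return [triage_message(*m) for m in messages]


if __name__ == "__main__":
    for t in triage_all():
        print(f"{t.score} {t.sender:40} {', '.join(t.biases) or '-'}")
```

Run as a script it prints one line per sample message with its score and bias tags; the internal helpdesk reminder scores zero while the external "CEO" request scores highest, which is the kind of ordering a mail-security analyst would want a triage queue to reflect.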
SecurityAdvisor found that senior executives are targeted 50 times more than non-senior employees, followed by members of IT security teams, who are attacked 43.5 times more than normal employees. The biases used also differ.
To target top executives, cybercriminals tend to employ the halo effect or the curiosity bias, while most scams against IT security staff used the curiosity bias, to name a few.