Old Hacks, New Tricks Blog

dan-burns-joins-securityadvisor

In the world of information security, hackers are designated based on their motives and objectives. Originating as an homage to old-school Westerns – where the “good guys” wore white hats and the “bad guys” donned black hats – today’s hackers are designated similarly, where the basic good-bad spectrum is divided between black hats and white hats. While today’s hacker hat rainbow has broadened to include grey, blue, green, and red hats to encapsulate the various goals they have and actions they partake in, the biggest difference exists between these two hats.

White hats are security specialists who are hired to help companies find vulnerabilities in software, hardware, and networks that cybercriminals might find and exploit. On the other end is black hats, who maliciously use their technical skills to search for vulnerabilities to illegally gain access into targeted networks to steal valuable data, destroy files, disrupt business, or conduct political and corporate espionage.

Black hat hackers often develop specialties, such as phishing, to more effectively hack into networks on behalf of sophisticated criminal organizations. While phishing is a technique that has been around for quite some time, hackers and their attack methods have become increasingly more advanced as they exploit human psychology to craft personalized attacks targeting employees.

hacks-new-tricks-img

Phishing continues, however in examining real malicious emails, we’ve discovered that hackers are leveraging social engineering and exploiting specific cognitive biases – or mental shortcuts humans take to more quickly make decisions – as a way to make their request to share sensitive data sound more legitimate or entice individuals to click on malicious links that will download harmful software. Leveraging specific cognitive biases influences employee behavior so that hackers have a better chance of accessing or acquiring what they set out to do. This has proven to be a very successful way for cyber criminals to gain entry into an organization.

Based on our analysis, here are some of the top cognitive biases that hackers tend to exploit.

hacks-new-tricks-img

Halo Effect: This is the tendency for an individual to have a positive impression of a person, company, brand, product, or service. If an individual receives a purchase order for acknowledgement from trusted vendor, this is an example of the halo effect.

hacks-new-tricks-img

Authority Bias: This bias states that people tend to attribute a greater accuracy to the opinion of an authoritative figure. If an employee receives a request from their CEO to share a password or pay an invoice, for example, they would be more likely to not question that request before fulfilling it.

hacks-new-tricks-img

Loss Aversion: This refers to an individual’s tendency to prefer avoiding losses to acquiring equivalent gains. An example of this bias in action can include acting on an outstanding payment to avoid late fees.

Much like the fictional American West, good and evil is not so clear-cut. Hackers’ newfound reliance on new psychological manipulation techniques make it hard for employees to know what is legitimate and what isn’t. While they might not intend to cause harm, they can unknowingly cause damage in responding to or acting on malicious emails. Unfortunately, one misstep can wreak havoc on an organization. By understanding how cybercriminals exploit human psychology, organizations can more effectively teach their employees how to recognize illegitimate requests or offers that are actually malicious attacks in disguise. Read our 2021 Report: Human Risk in Cybersecurity to learn more about the role cognitive biases play in cyberattacks.


Learn how SecurityAdvisor can help your team

Schedule some time to talk with one of our experts and they will show you how we can help your organization.

Get a demo Today