One of the aspects of cyber security that drew me to the field was the ever-growing relationship between human psychology and the technology we use. We can technologise our way out of a lot of things, but our biology and brains are still hardwired to respond emotionally to certain triggers or events, in the face of all sense of rationality and objectivity.
These emotional ‘hot states’ are fascinating from a security point of view – certain words in a certain order, spoken to a person in a certain state of mind, can cause untold damage – financially, emotionally and otherwise.
Scammers, hackers and malicious actors are well aware of this, and make it their job to engineer and manipulate their targets into ‘hot states’ where they will act on compulsion and emotion. This is not a recent development, of course; social engineering has been around forever, as demonstrated by the myth of the Trojan Horse, or in more recent history, the man who sold the Eiffel Tower twice, or the classic ‘Nigerian Prince’ email scam.
However, there is a new scam on the block doing the rounds: the ‘Royal Mail’ scam.
- Individuals are targeted with a spoofed text asking them to rearrange a delivery.
- The text encourages targets to pay a small fee to schedule their redelivery, entering their bank details to do so.
- The attacker then uses these details to pose as the target’s bank, under the guise of ‘helping’ to secure their account from ‘unauthorised transactions’.
- The attacker then informs the target that they have to close their current account, but that a new one has been opened in their name – all the target needs to do is deposit their balance into the ‘new’ account (which is actually the bank account of the attacker, or a proxy account).
Of course, there is no new account. There are no unauthorised transactions. It’s a carefully constructed chain of psychological and confidence techniques to establish rapport and authority in the guise of helping the target against the mystery assailants.
The entire scam is presented as legitimate – the attackers have gone as far as to set up a spoofed clone of the Royal Mail tracking service in order to add further legitimacy to the scam. Notice the lock in the URL field: with an SSL certificate enabling the HTTPS link, it further cements the facade of legitimacy. The padlock only means the connection to whoever controls that domain is encrypted; it says nothing about whether that domain belongs to Royal Mail.
This is the perfect storm to put someone into a hot state and get them to react emotionally and irrationally, and comply.
You might be sitting there thinking ‘what an idiot, how could anyone fall for something so obvious?’ But that way of thinking, or ‘scam shaming’ as I have taken to calling it, is part of the problem with our attitudes towards information security. Hindsight is 20/20, as they say.
This is a recent Twitter post that went viral, posted by someone who fell victim to the Royal Mail scam.
Thankfully, they documented their experiences in order to help raise awareness and inform others. Great!
However, this was one of the ‘scam shaming’ responses.
This attitude is supremely unhelpful in responding to incidents like this. Not only because flexing your sense of superiority online is almost always a bad look, but also because of the attitude it represents.
First of all, the ‘shame’ surrounding these incidents is part of the reason why cyber crimes are underreported – only 28% of cyberattacks against UK businesses were reported to the police in 2016, as reported by Barclays. It is much harder to assess, prevent and respond to threats if they are unknown. There is a reason there are numerous open-source databases of common vulnerabilities, exploits and hacks, such as OWASP.
Professionals and the cybersecurity community need this knowledge to make accurate assessments of the state of the security landscape and fill gaps in that knowledge. If those who have fallen foul of these scams are immediately shamed for ‘falling for it’, victims will not want to come forward and share their experiences and information.
Second of all, nobody is immune to social engineering and hot states. If CEOs, industry leaders and utility companies can fall victim to these attacks, so can you. Despite the rate of our technological advancement, human brains still have some evolutionary mechanisms that are here to stay, for better or worse. With scammers getting savvier with their tricks of tech and of the mind, it’s no wonder that people get flustered and panicked when presented with false evidence that their life has somehow been compromised. Caution is thrown to the wind when a larger threat is detected.
Seeing as we’re bringing mums into this, my own mother fell victim to the BT scam a few years ago. The phone call she received from ‘BT’ was prior to a melanoma scan in hospital. She mentioned the fact she was understandably nervous about her scan, yet this did not dissuade the scammers one bit. If anything, they viewed her as the perfect target.
She was already in a hot state before any social engineering or psychological tricks had taken place. Luckily any and all damage was mitigated with cooperation from the bank security team and the police, but this just goes to show you the moral depths these scammers will lower themselves to in order to succeed.
It’s often touted that ‘humans are the weakest link in the chain’ when it comes to security, and to some extent this is true, as I’m sure we’ve all used weak passwords, or turned off 2FA for convenience in the past. However, this attitude does not consider the entire picture – rather than blaming the victim for falling foul of these scams, we should be blaming the attackers for playing with our minds and psychology in increasingly complex and technical ways.
With the exponential rate of internet and smartphone adoption globally, our lives exist online now more than ever. It’s simply unreasonable to expect everyone to be 100% alert and vigilant 24/7. Yes, we should absolutely focus on shifting our security culture and awareness in that direction in the long term (I will discuss this more in future posts), but we have to accept that this will not be an overnight fix.
Until then, we need to understand how people fall victim to these incidents in order to learn from them, respond better to them, and prevent them from happening to others going forward. There is no place for ‘scam shaming’ in a security-minded culture.