GSA Insights: How Cybercriminals Use Human Nature Against You
Picture this scenario: A low-level employee gets an email from the CEO, requesting an urgent wire transfer. The lower-level employee, not wanting to disappoint their superiors or their clients, complies and wires the money quickly and without question.
Except it’s not the CEO. It’s a cybercriminal, this was a phishing attack, and now the company is out thousands of dollars. This scenario plays out all the time in businesses all over the world.
Here’s the thing: Cybercriminals aren’t always the super tech savvy hackers that they’re sometimes portrayed to be. They’re just skilled at using human nature against you. In many cases, these are also the cybercriminals who have done the research and know who to target.
Most employees want to do good work and fix problems quickly. These are great qualities to have — but they can easily be exploited. If you are in a hurry, you are more likely to make a mistake or miss a red flag — this is what cybercriminals are hoping for. Cybercriminals will often try to use these qualities, especially a sense of urgency, against you.
The attacks don’t need to look exactly like the one described above to prey on your sense of urgency (they don’t even need to be by email — you should take precaution with urgent requests over the phone and in person, too).
Another common attack that plays on your sense of urgency is a fake notification from an app or service you use saying your account will be shut down in 24 hours if you don’t take action. These usually have links to sites with fake login screens to steal your credentials. Some versions will download ransomware.
What You Can Do to Stay Safe
You may be asking what steps can be taken to help prevent these attacks. First and foremost, slow down, even when the request you get is urgent. Beyond that, there are a few precautions you should take:
- When someone requests something from you (whether it’s to send something to you or to click a link), take a sense of urgency on their part as a red flag. Of course, there are times when people are really in a hurry, but give any urgent request a second look.
- Double check the language and formatting of emails. Poor grammar and spelling should be a red flag. If the request is coming from someone you interact with regularly, pay attention to things like their wording and email signature — does it match what they usually use?
- Double check the sender email and any links in the email before clicking on anything or responding to any requests. Attackers create domains that look like other domains to try to trick you. For example, using emai1domain.com instead of email domain. At a glance, those can appear
- Don’t ever hesitate to contact the parties involved in the email (or your IT team). A 2-minute phone call to make sure the request is legitimate could save you thousands of dollars.
- Require voice-to-voice or in-person confirmation of wire transfers of large amounts of money. Do NOT allow any exceptions to this rule under any circumstances.
- Implement multifactor authentication for every possible application and login. This will prevent cybercriminals from accessing your account and using it in a more significant cyberattack even if they have your password.
- Make cybersecurity training part of your employee training. Social engineering-based attacks, like phishing, don’t always get caught by spam filters (especially when hackers have access to your coworker’s real account). The only way to stop them is by knowing what to look for.
- Foster an open environment around data security throughout your entire organization. Employees need to feel comfortable asking questions and raising a hand when they see something suspicious.
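The sender-domain check from the list above can also be done by a script in a mail filter or reporting tool, so it does not depend on someone spotting a "1" in place of an "l". This is an added example, not part of the original article; the trusted-domain list (including emaildomain.com as the assumed legitimate spelling), the function names and the sample addresses are constructed for illustration.

```python
"""Flag sender domains that imitate a trusted one (added illustration)."""

# Assumption: domains this organization really exchanges mail with.
TRUSTED = ("emaildomain.com", "example.org")

# Digits commonly swapped in for the letters they resemble.
DIGIT_SWAPS = str.maketrans({"1": "l", "0": "o"})


def skeleton(domain):
    """Reduce a domain to the form a hurried reader would perceive."""
    d = domain.lower().rstrip(".").translate(DIGIT_SWAPS)
    # Letter pairs that read as one letter at a glance.
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance: single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(address, trusted=TRUSTED):
    """Return (verdict, imitated_domain) for a sender address."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    for good in trusted:
        # Same look after normalization, or one typo away from the real name.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample addresses, not taken from real mail.
    for sender in ("ceo@emaildomain.com", "ceo@emai1domain.com",
                   "billing@emaildornain.com", "news@unrelated.net"):
        print(sender, check_sender(sender))
```

A "lookalike" verdict is a reason to verify the request by phone before acting; "unknown" only means the domain is not on the trusted list.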
Some of these steps may seem like they will slow your productivity down, but it won’t be anything compared to the loss of productivity (and money) due to a data breach. Taking a few extra seconds before you act can be the difference between noticing something suspicious and falling victim to an attack.
Reed Wilson is the CEO of Palmetto Technology Group (PTG), an outsourced IT company based in Greenville, SC. PTG helps companies align technology to meet business goals.
Contact Reed at 864-552-1291 or by email firstname.lastname@example.org.