By Bruce Sussman
Mon | Jul 15, 2019 | 6:45 AM PDT

Famed hacker Kevin Mitnick learned early on to use emotion to manipulate and socially engineer his targets.

At the time, his targets were typically sysadmins, and the social engineering started with a phone call.

Hacker targets victims with fear

Mitnick says his favorite emotional tool was fear.

He writes about this in his book, "Ghost in the Wires":

"I would call the company I'd targeted, ask for their computer room, make sure I was talking to a system administrator, and tell him, 'This is [whatever fictitious name popped into my head at that moment], from DEC support. We've discovered a catastrophic bug in your version of RSTS/E. You could lose your data.' 

This is a very powerful social-engineering technique, because the fear of losing data is so great that most people won't hesitate to cooperate. 

With the person sufficiently scared, I'd say, 'We can patch your system without interfering with your operations.' By that point the guy (or sometimes, lady) could hardly wait to give me the dial-up phone number and access to the system-manager account."

Fear repeatedly got Kevin Mitnick access to a network so he could create a new account and install a back door to give him a secret way into the system.

And fear is what recently convinced employees to transfer $18.6 million to hackers in a single week after they were sure their CEO needed them to transfer money for a "highly confidential project."

Without the money transfers the project would fall through. That was the fear.

Security awareness advocate: 'check your emotions'

This is the type of situation KnowBe4 Security Awareness Advocate Erich Kron is constantly talking about.

He says a challenge for organizations now is that many underestimate the sophistication and urgency of Business Email Compromise (BEC) attacks, which arrive primarily in the inbox as a phish:

"Sophisticated hackers have moved way beyond misspelled, poorly-formatted emails. Now, they turn the tables on employees, often by using fear as a trigger as if that person needs to act right now to avoid consequences for the organization or the employee."

5 emotions hackers and cybercriminals use against us

Here are five emotions hackers and cybercriminals often use against your employees, your C-suite and board of directors, and you.

1. Greed

Here's an example of a phishing email your employees might receive that uses greed to try to get them to click a link. You've got the inside track on a hot IPO if you click. 

[Image: phishing email screenshot, social-engineering-stock-shares]

This is your "last chance" to get in on this deal. If your investment does well, maybe you can finally quit your day job!

2. Curiosity

Here's an example of a smishing message that came to an Instagram user on a mobile device.

[Image: smishing message screenshot, social-engineering-instagram-fear]

"OMG, you're really on the worst Instagram wall, someone put all your photos on there," says the message. And if that doesn't get you to click, then maybe the closing line will: "You can even see who added you on it!"

Can this really be true? Your end-users may become curious.

And the quality on this next "curiosity" example was low, but the significance was high. After the second Boeing MAX 8 crash, these emails came with a file you could open that claimed to be a leak of data about the risk of flying on these aircraft:

[Image: phishing email screenshot, boeing-737-crash-phishing-example]

And check out the malicious payload the file delivered, according to the 360 Threat Intelligence Center:

[Image: payload analysis screenshot, boeing-737-crash-phishing-payload]

And for our last examples of how hackers use curiosity to kill the cat—er, network—check out these unexpected emails and attachments that appear and make you wonder if someone at the organization actually needs this forwarded to them.

[Image: phishing email screenshot, social-engineering-invoice-curiosity]

And here's one that could make your employees wonder: did the State Department accidentally share some confidential information with me? Yes, but only for a "short time," according to this phishing example:

[Image: phishing email screenshot, phishing-attack-microsoft-one-drive-1]

And watch for sophisticated fake invoices which look really good and contain legitimate logos.

3. Urgency

Hackers use fake security alerts like this one—exclamation mark and all. Clearly, it's urgent: "Virus Infection Blocked... Virus will steal and delete your iCloud, Photos and contacts if you don't Act Now."

[Image: fake security alert screenshot, social-engineering-apple-smishing-VPN]

And how convenient, there are two buttons you can click to get phished. Choose Install or choose Cancel and you've been hooked by hackers.

Here's another urgent example that came in via text message or SMS:

[Image: smishing message screenshot, social-engineer-smishing-AMEX]

With Card Alert mentioned three times, AMEX must really need to get a hold of you. Most employees may not notice that the link uses http:// rather than https://, and honestly, credit card companies do send a lot of alerts these days.

4. Helpfulness

Studies have shown that most of us are willing to help, which is why campaigns asking for help are often very successful. Unfortunately, hackers and cybercriminals use major tragedies to appeal for help. But they are only helping themselves.

Here's an example from the New Zealand mosque shootings that killed more than 50 people in March 2019:

"Cyber bad actors are spoofing Westpac, which is one of Australia’s four major banking organizations and one of the largest banks in New Zealand.

These emails are NOT from Westpac and we advise anyone who receives one to forward it to phishing@westpac.co.nz. If you hover over the link you'll see it goes to a scam site called mothersawakening. The account number they supply is NOT the correct account for donations."

5. Fear

And now, here we are, back with hacker Kevin Mitnick's old friend, fear. Hackers love to use fear against us. A security report against my American Express account? I'm afraid I'll get cut off from my account if I don't respond:

[Image: phishing email screenshot, social-engineering-amex-form]

To proceed, all I have to do is open and fill out the attached web form. That makes it so easy for hackers.

And how about the old "someone has accessed your account" phishing routine and you'd better enter your username and password to figure out who it was:

[Image: phishing email screenshot, chinese-hackers-phishing-example]

And there are many "account closing" and similar type of phishing emails, often featuring the actual logo of your own bank. 

The bottom line on hackers using our emotions against us is that they want us to make an emotional decision about acting "now" before we stop to think things through.

And KnowBe4's Erich Kron says this should be your litmus test when you are going through your inbox:

"If an email comes in and it triggers an emotional reaction—you should step back. That should be a red flag."

A red flag that cybercriminals are targeting you in an attack.
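The "emotional trigger as red flag" test above can also be applied mechanically, for example in a mail-triage tool that scores inbound messages before a human reads them. The script below is an added illustration, not part of the original article or any KnowBe4 tooling. It groups trigger phrases under the five emotions discussed (the phrase list is an assumption built from the examples quoted above, not an exhaustive one), and adds extra weight for links that use plain http:// instead of https://, the detail called out in the AMEX smishing example. The sample messages are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Phrases grouped by the five emotions discussed in the article.
# Assumption: these are drawn from the article's examples plus a few common
# variants; a production list would be tuned against real mail.
TRIGGER_PHRASES: Dict[str, List[str]] = {
    "urgency": ["act now", "right now", "immediately", "last chance", "within 24 hours"],
    "fear": ["virus", "will be closed", "suspended", "someone has accessed",
             "lose your data", "security report"],
    "greed": ["ipo", "inside track", "quit your day job", "investment"],
    "curiosity": ["see who", "all your photos", "leak", "confidential"],
    "helpfulness": ["donate", "donation", "victims", "help the"],
}

# Matches http:// and https:// links up to the next whitespace or angle bracket.
URL_RE = re.compile(r"\bhttps?://[^\s<>]+", re.IGNORECASE)


def find_triggers(text: str) -> Dict[str, List[str]]:
    """Return, per emotion, the trigger phrases present in the message."""
    lowered = text.lower()
    hits: Dict[str, List[str]] = {}
    for emotion, phrases in TRIGGER_PHRASES.items():
        found = [p for p in phrases
                 if re.search(r"\b" + re.escape(p) + r"\b", lowered)]
        if found:
            hits[emotion] = found
    return hits


def find_plain_http_links(text: str) -> List[str]:
    """Return links that use plain http:// rather than https://."""
    return [u for u in URL_RE.findall(text) if u.lower().startswith("http://")]


def score_message(text: str) -> dict:
    """Score a message: 1 point per emotion triggered, 2 per plain-http link.

    A score of 2 or more is flagged for a second look, which matches the
    article's advice: an emotional pull alone is reason to step back.
    """
    triggers = find_triggers(text)
    plain_http = find_plain_http_links(text)
    score = len(triggers) + 2 * len(plain_http)
    return {
        "triggers": triggers,
        "plain_http": plain_http,
        "score": score,
        "flagged": score >= 2,
    }


# Constructed sample messages modelled on the article's examples.
SAMPLE_SMISHING = ("Card Alert: Your AMEX card has been suspended. Act Now to "
                   "restore access at http://example.invalid/cardalert")
SAMPLE_GREED = "Last chance! Get the inside track on this hot IPO before it opens."
SAMPLE_BENIGN = "Hi team, Monday's meeting notes are at https://example.invalid/notes - thanks!"

if __name__ == "__main__":
    for name, msg in [("smishing", SAMPLE_SMISHING),
                      ("greed", SAMPLE_GREED),
                      ("benign", SAMPLE_BENIGN)]:
        print(name, score_message(msg))
```

The scoring is deliberately simple: it is a triage aid that surfaces messages for human review, not a verdict. The greed sample is flagged with no link at all, which is the point of Kron's litmus test; the benign sample scores zero even though it contains a link, because the link is https:// and the wording carries no emotional hook.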

Learn much more on this topic by watching the SecureWorld web conference, Human Firewalls: Fact or Fiction? on demand. Or join your cybersecurity peers at regional cybersecurity conferences in North America to build your network and share best practices.
