It’s often said that humans are the weakest link in cybersecurity. I find it hard to disagree with this statement given how many people fall for various scams each year.
According to the FBI, losses to online frauds reached $2.7 billion in 2018, nearly doubling the previous year’s figure.
This past year, the most prevalent crime types reported by victims were non-payment/non-delivery, extortion, and personal data breach. The top three crime types with the highest reported loss were BEC, confidence/romance fraud, and non-payment/non-delivery.
What is the reason for such a drastic overall increase in the amounts of losses to online scams? Why, despite cybersecurity spending growing, do more people become victims?
The explanation of this paradox, I think, lies in human psychology. As Jonathan Rusch argues in his paper on Internet frauds, there are two paths that lead to persuasion. To put it simply, one is based on logic and the other on emotions.
It is highly unlikely for a scammer to rely on the first path, because logic suggests not participating in what is clearly a Ponzi scheme, not giving away one’s banking information to a stranger online, not sending money to anyone promising huge returns on it, and so on. That’s why malefactors have one primary rule: make sure the victim doesn’t resort to logic.
The stronger the emotional response, positive or negative, that the criminal elicits from the victim, the higher the chance that the victim won’t be able to think straight.
One of the strongest feelings is fear. When one’s job is at stake, it becomes hard to be reasonable and easy to just follow the instructions of a supposed authority figure. This is what makes business email compromise (BEC) so effective (in the graph above, it’s the bar that goes through the roof and straight past the ISS).
So, when a fake boss asks an employee to buy some gift cards, for many people the thought process won’t go much further than “this email looks kind of legit, I’d better do as I’m told”. This says nothing about the victim’s intelligence. It only means that the fraudsters achieved their goal: emotions overcame reason.
Some scams are as simple as sending an email with a malicious link to hundreds of users in the hope that at least some will click it—and worst of all, it works often enough. Others, though, require the criminals to put more thought into them and to target specific individuals.
That second type of online scam is the more dangerous one. It relies on precision instead of bulk and is harder for an average user to recognize.
But how is this precision achievable in social engineering?
“In our age, social media is an almost inexhaustible gold mine for hackers due to the fact that billions of people use social networks. Colossal data breaches on Facebook notwithstanding, too often users seem to do everything to help any potential perpetrator and to make themselves better victims,” says Dean Chester, co-founder of Cooltechzone.com, a website dedicated to online privacy and cybersecurity.
Some users put too much personal info in their profiles. The reason why nobody should do this is pretty simple, but I will spell it out anyway because of how important it is.
The abundance of information freely accessible online about a person gives any attacker an easier time ingratiating themselves with that person. A scammer who knows what school you graduated from has a wider range of people they might impersonate to gain your trust. So does a scammer who knows that you are a member of a fishing club.
That isn’t to say that a more reasonable approach to posting personal information online is a cure-all against imposter scams. Scammers are always on the lookout for vulnerabilities, and if they set their minds on cheating you, they will try to do just that. However, without much information to start with, they might be discouraged and prefer to look for another victim.
Social media also gives scammers a way to boost the legitimacy of their scam in the eyes of the public. An unsolicited email written with lots of grammatical mistakes and containing suspicious links is going to set off the alarm for many people—though, unfortunately, not for all. A Facebook page with the same link promising unheard-of benefits, on the other hand, has the advantage of being hosted on a legitimate website.
All the worse if the cybercriminals running it actually put serious effort into their scam. To that end, they might employ bots and fake accounts to create the appearance of normal activity. Most users tend to trust active pages more—which is completely understandable—and a large number of shares and comments is going to make them let their guard down.
As I see it, there are several ways to strengthen the weakest link in data security.
The first one involves constructing corporate cybersecurity systems in a truly foolproof fashion. That is, an employee shouldn’t be able to do anything that could potentially lead to data safety being compromised. That would include clicking any link in any email, browsing any website, and probably touching anything at all.
Yes, this one is not super feasible.
The other way is slower and less reliable. It involves raising awareness about the various kinds of cyber scams and changing the very mindset about online privacy. As the number of defrauded people grows, it is time for every netizen to take this problem more seriously than ever.
Unfortunately, it is impossible to exclude the human factor from IT security unless we somehow exclude, you know, humans from IT as well. So we need to remember that the chain is as strong as its weakest link—and reinforce that link, however time-consuming it might be.