Hackers gain access to computers and networks by exploiting the weaknesses in our cyber behaviors. Many attacks use simple phishing schemes – the hacker sends an email that appears to come from a trusted source, encouraging the recipient to click a seemingly innocuous hyperlink or attachment. Clicking will launch malware and open backdoors that can be used for nefarious actions: accessing a company’s network or serving as a virtual zombie for launching attacks on other computers and servers.
No one is safe from such attacks. Not companies at the forefront of technology such as Apple and Yahoo whose security flaws were recently exploited. Not even sophisticated national networks are home free; for instance, Israel’s was compromised using a phishing attack where an email purportedly from Shin Bet, Israel’s internal security service, with a phony PDF attachment, gave hackers remote access to its defense network.
To figure out why we fall for hackers’ tricks, I use them myself to see which kinds of attacks are successful and with whom. In my research, I simulate real attacks by sending different types of suspicious emails, friend-requests on social media, and links to spoofed websites to research subjects. Then I use a variety of direct, cognitive and psychological measures as well as unobtrusive behavioral measures to understand why individuals fall victim to such attacks.
What is apparent over the many simulations is how seemingly simple attacks, crafted with minimal sophistication, achieve a staggering victimization rate. As a case in point, merely incorporating the university’s logo and some brand markers to a phishing email resulted in close to 70% of the research subjects falling prey to the attack. Ultimately, the goal of my research is to figure out how best to teach the public to ward off these kinds of cyberattacks when they come up in their everyday lives.
Clicking Without Thinking
Many of us fall for such deception because we misunderstand the risks of online actions. I call these our cyber-risk beliefs; and more often than not, I’ve found people’s risk beliefs are inaccurate. For instance, individuals mistakenly equate their inability to manipulate a PDF document with its inherent security, and quickly open such attachments. Similar flawed beliefs lead individuals to cavalierly open webpages and attachments on their mobile devices or on certain operating systems.
Compounding such beliefs are people’s email and social media habits. Habits are the brain’s way of automating repeatedly enacted, predictable behaviors. Over time, frequently checking email, social media feeds and messages becomes a routine. People grow unaware of when – and at times why – they perform these actions. Consequently, when in the groove, people click links or open attachments without much forethought. In fact, I’ve found certain Facebook habits – such as repeatedly checking newsfeeds, frequently posting status updates, along with maintaining a large Facebook friend network – to be the biggest predictor of whether they would accept a friend-request from a stranger and whether they would reveal personal information to that stranger.