I recently spent time speaking with IT leaders at CDW’s Protect SummIT in Philadelphia and heard a common theme: Organizations across the U.S. are incredibly concerned about the threat posed by social engineering attacks. All too often, leaders I speak with tell me that their organizations had recently fallen victim to phishing attacks that requested accounting staff to initiate urgent wire transfers. It’s not uncommon for me to hear about a loss of hundreds of thousands of dollars to attackers.
In fact, email-based attacks are a major threat to organizations throughout the U.S. The FBI’s Internet Crime Complaint Center (IC3) reported that business email compromise alone accounted for more than $1.2 billion in losses reported by U.S. victims in 2018.
Understanding the Email Threat
Social engineering attacks are nothing new. History is full of stories about con men who preyed on gold rush miners, investors and the elite, all without the assistance of digital communications. Even Sir Isaac Newton found himself tracking down counterfeiters and confidence men. Modern communication tools have only amplified the ability of these attackers to reach deeply into organizations.
The tools of the trade remain the same. Phishing attacks often adopt an air of authority by impersonating a senior leader, such as a CEO or CFO, and reaching several levels down in the organization to someone who would naturally fear that person. The fake orders the attacker sends also create a sense of urgency, implying that acting quickly is crucial to the continued viability of the organization and that the victim’s job is on the line if they don’t act quickly.
People fall prey to these tactics because they speak directly to an instinctual drive to interpret and predict the social cues of others. This drive, which psychologists refer to as “theory of mind,” is an essential capability for navigating the world: the ability to reason about another person’s motives and intentions is what let early tribes ensure everyone did their fair share and enjoyed the reward of the hunt. Turned against us, theory of mind becomes a weapon that social engineers wield adeptly. Appeals to authority, implied risk to an individual’s livelihood, and combinations of these and other levers quickly defeat the mental defenses of many targets.
Building Resilient Defenses
Existing defensive mechanisms do help to combat this threat, but experience tells us that they’re not sufficient to fully protect us. We can install content filters and deploy awareness campaigns, but employees still fall victim to these attacks every day. If we want to see different results, we need to act differently. We need to pull the same psychological levers in employees that attackers use and build the resiliency and willpower necessary to withstand even the most persuasive attack.
The key to doing this is to activate two natural human desires: to obtain rewards and to avoid punishments. While employees who click on the most obvious phishing emails require some form of corrective action, we also need to provide incentives to help employees resist attacks.
For example, we know that wire transfers are a favorite target of phishing attacks because they can involve large sums of money and are generally irreversible. Organizations should mandate dual-authorization (two-person) policies that insulate them from these attacks. In other words, an organization should never allow a single electronic communication to both dictate and authorize a transfer of critical assets; every such request needs an independent confirmation through a channel the sender of the message does not control, such as a call to a phone number already on file, never to a number or reply address supplied in the request itself. Whatever procedures are adopted, they must be followed even in the case of an emergency, because manufactured urgency is precisely the attacker’s lever. If an employee receives an improper request, he or she should be required not only to question it, but also to report it to the security team. Such policies remove the psychological stress placed on the user and provide a clear mechanism to mentally sidestep these types of attacks.
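The dual-authorization rule above is easy to state and easy to erode in practice, so it helps to see it as a concrete control. The following is an added illustration written for this page, not code from the original post or from any vendor mentioned in it; the names, e-mail addresses, amount and channels are constructed sample data, and the two-approver threshold is an assumed policy value. It models a wire transfer that cannot be released until it has been verified through a channel other than the one the request arrived on and approved by two people, neither of whom is the requester, and it treats an "emergency" flag as something to record rather than something that relaxes the checks.

```python
"""Two-person rule for wire transfers: no single message may both request and
authorize a payment. Added illustration for this article, not the author's code;
all identities, amounts and channels below are constructed examples."""
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    EMAIL = "email"
    PHONE_CALLBACK = "callback to the number on file"
    IN_PERSON = "in person"


class TransferPolicyError(Exception):
    """Raised when a step would violate the dual-control policy."""


@dataclass
class WireTransfer:
    amount: int                         # whole dollars (constructed sample value)
    beneficiary: str
    requested_by: str                   # identity the instruction claims to come from
    request_channel: Channel            # how the instruction arrived
    approvals: list = field(default_factory=list)   # (approver, channel) pairs
    verified_out_of_band: bool = False
    flagged_emergency: bool = False     # recorded for the audit trail, never relaxes checks
    reported_to_security: bool = False

    def verify(self, verifier: str, channel: Channel, confirmed: bool) -> None:
        """Confirm the request through a channel other than the one it arrived on.
        Replying to the original email does not count: an attacker who forged the
        message controls that thread. A disavowal becomes a security report."""
        if channel == self.request_channel:
            raise TransferPolicyError(
                f"verification must not reuse the request channel ({channel.value})")
        if not confirmed:
            self.reported_to_security = True
            raise TransferPolicyError("requester disavowed the instruction; reported to security")
        self.verified_out_of_band = True

    def approve(self, approver: str, channel: Channel) -> None:
        """Record an approval. The requester may not approve, and nobody counts twice."""
        if approver == self.requested_by:
            raise TransferPolicyError("requester cannot approve their own transfer")
        if any(existing == approver for existing, _ in self.approvals):
            raise TransferPolicyError(f"{approver} has already approved")
        self.approvals.append((approver, channel))

    def execute(self, *, emergency: bool = False, required_approvals: int = 2) -> bool:
        """Release funds only when every control is satisfied. The emergency flag is
        logged but deliberately has no effect on the checks (assumed policy: 2 approvers)."""
        self.flagged_emergency = self.flagged_emergency or emergency
        if not self.verified_out_of_band:
            raise TransferPolicyError("no out-of-band verification on record")
        if len(self.approvals) < required_approvals:
            raise TransferPolicyError(
                f"{len(self.approvals)} of {required_approvals} approvals present")
        return True


def ceo_fraud_walkthrough() -> dict:
    """Replay the classic scenario: an urgent email 'from the CEO' tells a clerk to
    wire money. Returns what the policy did at each step (constructed data)."""
    result = {}
    t = WireTransfer(amount=250_000, beneficiary="ACME Holdings (new vendor)",
                     requested_by="ceo@example.com", request_channel=Channel.EMAIL)
    # Step 1: the clerk tries to act on the email alone "because it's urgent".
    try:
        t.execute(emergency=True)
    except TransferPolicyError as err:
        result["email_alone"] = str(err)
    # Step 2: the clerk replies to the email asking "is this really you?" - not enough.
    try:
        t.verify("clerk@example.com", Channel.EMAIL, confirmed=True)
    except TransferPolicyError as err:
        result["reply_to_email"] = str(err)
    # Step 3: the requester tries to supply one of the approvals - rejected.
    try:
        t.approve("ceo@example.com", Channel.EMAIL)
    except TransferPolicyError as err:
        result["self_approval"] = str(err)
    # Step 4: the actual procedure: callback to the number on file, two separate approvers.
    t.verify("clerk@example.com", Channel.PHONE_CALLBACK, confirmed=True)
    t.approve("controller@example.com", Channel.IN_PERSON)
    t.approve("cfo@example.com", Channel.IN_PERSON)
    result["executed"] = t.execute()
    result["emergency_was_logged"] = t.flagged_emergency
    return result


if __name__ == "__main__":
    for step, outcome in ceo_fraud_walkthrough().items():
        print(f"{step}: {outcome}")
```

The point of the walkthrough is the ordering: the same message that carried the instruction is never allowed to serve as its confirmation, the person named in the message cannot count toward the approvals, and the urgency the attacker manufactures is written down rather than acted on. A real implementation would persist the approvals and verification record in a system the accounting staff cannot edit, so that the audit trail survives a compromised mailbox.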
Organizations that implement a carrot along with a stick will establish stronger buy-in and participation in their security programs. Praise employees who report improper requests and mention their diligence in performance reviews. Provide those who consistently fail to detect and respond to security violations with appropriate corrective guidance. The objective is to create a system of rewards and punishments that is strong enough to override the natural instinct to be helpful and respond to perceived authority.
Social engineering attacks aren’t going away. They’ve been with us for centuries, and while the tools of the trade have indeed evolved, the psychological response remains the same. The only way we can successfully combat these attacks is to understand them deeply and use the same principles to defend our organizations.