Has Someone
Hacked Your Heart?

Cartoon Social Engineering

Cartoon Social Engineering: Phishing shark - click opens bigger version

Download Cartoon (JPG, 325 kB)

Has Someone Hacked Your Heart?

A cyberpsychology study commissioned by Kaspersky Lab shows that cybercriminals are exploiting human weaknesses to get to confidential information

Social engineering revolves around people and their trusting abilities. Cybercriminals use traditional espionage and psychological methods to hack (or influence) people, rather than computers. Phishing emails leverage criminals’ knowledge of the human psyche’s weak points to wreak havoc across the Internet. These emails exploit our interest in sensation—particularly surrounding celebrities—or promise lucrative profits. Their goal is either to infect a computer with malware or to persuade users to reveal sensitive data, such as personal bank details or confidential information. Using findings from cyber psychology, in addition to implementing antivirus solutions, can protect against cyber fraud[1].

“In social engineering, cybercriminals exploit fundamental patterns in the human psyche and use them in activities like phishing,” explains Dr Astrid Carolus, media psychologist at the University of Würzburg. “After all, cybercriminals understand what makes people tick—and exploit it. The way we think and feel makes us targets. Our need for belonging and trust, as well as our willingness to help others, human curiosity, and our respect for authority, make us vulnerable to social engineering.“

Psychology as a Basis for Social Engineering

Trust harks back to the fundamental trust that every human being learns during the first two years of life. People trust their friends, for example. A familiar person is trusted—even if we don’t know them well—more than an unfamiliar one[2]. This can, however, be a disadvantage in the digital world. “If an online offer or piece of information sounds too good to be true, users should exercise particular caution. Even accepting Facebook friend requests from people you don’t really know can be a mistake. As “friends”, these people can access all kinds of valuable information. People should only friend people on Facebook that they really know—and know well,” says Holger Suhl, General Manager DACH at Kaspersky Lab.

Kaspersky Lab: 30 Percent of Attacks Are Financial

Another weak point in the human psyche is authority, the efficacy of which is borne out in phishing. Some phishing attacks have now become so professional that it is often difficult for even experienced Internet users to recognise them as such. People tend to place more trust in emails that appear to come from their company’s IT departments, even though they don't personally know the senders[2].

People also view banks and financial institutes as authorities. Phishing mails disguised as official emails from banks are now part and parcel of cybercriminals’ standard repertoire. These emails ask users to enter sensitive login data. A current study carried out by Kaspersky Lab[3] indicates that 41 percent of European users have recently received emails from banks requesting them to reveal confidential information, such as passwords. In 2013, more than 30 percent of financial phishing attacks targeted customers using online banking and payment services, as an additional survey carried out by Kaspersky Lab[4] showed.

Only users of social networks were targeted more by phishing attacks during the period studied[5]. Online fraud targeting users of social media seems plausible from a cyberpsychological perspective when we take account the aforementioned human desire for a feeling of belonging.

From Traditional Nigerian Spam to Modern Spear Phishing

Curiosity is another fundamental characteristic[2] exploited by cybercriminals who use emails, texts or messages containing harmful links or infected attachments (such as PDF documents, for example). Curiosity increases the chances that users will open harmful attachments, thus infecting computers. People’s natural curiosity is exploited particularly during spear phishing, a method in which criminals research users’ interests before an attack and then send phishing mails specifically tailored to their victims.

The final fundamental behavioural characteristic exploited by cybercriminals[2] is helpfulness. Probably the most famous example of exploiting humans’ desire to help others involves the well-known Nigerian spam emails. One example from the past year illustrates the social engineering aspect: criminals purporting to be members of the International Red Cross assisting in the Syrian conflict sent emails to users appealing for help[6].

Digital Education Against Susceptibility to Social Engineering

“Studies[7] show that more women tend to click on phishing emails than men,” explains Dr Astrid Carolus, a media psychologist at the University of Würzburg. "This phenomenon is possibly due to differences in their levels of knowledge. On average, men are still more comfortable in the digital realm than women. Having said that, however: there is hope! A study has shown that training could almost halve the rate of phishing victims.”

“Findings from cyber psychology suggest that users in the digital world are easily influenced,” says Holger Suhl, General Manager DACH at Kaspersky Lab. “When it comes to IT security, we must, therefore, further emphasise the importance of using common sense, particularly in the light of people’s susceptibility to social engineering and of future technical developments. In both the corporate world and for private users, early internet training should be essential, whether it’s as part of a school class or mandatory staff training in IT security. There are a lot of ways to get the message across.”

Sources

[1] www.kaspersky.com/cyberpsychology

[2] Perceived Online Safety – Current state of research & desiderata, Schwab & Carolus, 2013

[3] The survey was commissioned by Kaspersky Lab and carried out by B2B International in 2014. A total of 11,135 users from 23 different countries participated, including 2,821 from Europe.

[4] http://www.viruslist.com/de/analysis?pubid=200883849

[5] http://newsroom.kaspersky.eu/fileadmin/user_upload/de/Downloads/Pictures_etc._NOT_for_Media_section/Kaspersky_Lab_infographics_financial_phishing_targets_2013.jpg

[6] http://www.kaspersky.com/de/about_kaspersky/news/spam/2013/Nigeria-Scam-Welle_aus_Syrien

[7] Scientists from Carnegie Mellon University have published the results of their experiments on phishing. According to their findings, there are differences between the sexes. On average, 54.7 percent of women click on phishing emails, compared to 49 percent of men. The researchers used a mediator analysis to identify the different levels of knowledge among men and women. After training, the average percentage of phishing victims fell from 47 to 28 percent.

Source: http://lorrie.cranor.org/pubs/pap1162-sheng.pdf — Steve Sheng, Mandy Holbrook, Ponnurangam Kumaraguru, Lorrie Cranor, Julie Downs: Who Falls for Phish? A Demographic Analysis of Phishing, Susceptibility and Effectiveness of Interventions, Carnegie Mellon University 2010

About Kaspersky Lab

Kaspersky Lab is the world's largest privately held vendor of endpoint protection solutions. The company is ranked among the world's top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.

Media Contact

essential media GmbH
Florian Schafroth
florian.schafroth@essentialmedia.de
Tel.: +49 89 747262-43
Fax: +49 89 747262-17

Landwehrstraße 61
80336 München

Kaspersky Labs GmbH
Stefan Rojacher
stefan.rojacher@kaspersky.com
Tel.: +49 841 98189-325
Fax: +49 841 98189-100

Despag-Straße 3
85055 Ingolstadt

About Cyberpsychology:

Our Psyche Under the Influence of the Internet

The Internet has become today’s defining medium and considerably influences the behaviour of many people. Our experiences in social media, our relationships with end devices like smartphones, tablets and laptops, and the ways in which our immediate physical environment is being artificially expanded by “cyberspace”, are all part and parcel of the field of “media psychology”.

What are social apps, online videos, Internet communities, online shops and chat forums doing to us? If, in the 1960s, TV was postulated as a “second-hand reality”, what effect will the increasing electronic networking of humanity with a variety of increasingly intelligent technologies and end devices have? Are our online lives riskier than our real ones? Do we need digital risk literacy? Could some of us already be cyberpsychos?

Kaspersky Lab researched this question in collaboration with Professor Dr Frank Schwab and Dr Astrid Carolus from the Working Unit for Media Psychology at the University of Würzburg, and will be publishing its findings in an occasional series.