Nearly 800,000 people reported falling victim to cyberscams in 2020, according to the FBI, as cited in a Sept. 7 report by The Wall Street Journal. Hackers are able to dupe so many smart people by taking advantage of unconscious and automatic processes in the brain.
These processes cause humans to misinterpret information and make irrational decisions, according to the article, which cites Dr. Alana Maurushat, a professor of cybersecurity and behavior at Western Sydney University in Australia, and a host of cybersecurity experts.
Seven ways hackers use brain processes against people:
- Loss aversion.
If hackers present something as a loss, the victim is willing to take risks to avoid losing it. Phishing attacks play on the fear of losing by telling targets they will lose a service or an item unless they verify account information or download a file.
- Authority bias.
Humans inherently trust people in authority positions. Hackers use this bias by sending emails that appear to come from an authority figure who is known to make a recognizable request.
- Urgency bias.
When people have to make a decision with a sense of urgency, they are usually not as thoughtful in their decision. Hackers trigger urgency bias by sending an email asking "Are you at your desk? I just sent you a wire request. Did you not get it?" This might make the victim feel like they need to work quickly or they might be in trouble.
- Halo effect.
Hackers might pretend to be reputable brands to earn a victim's trust. In one example, hackers might impersonate an employee from a credit card company the victim banks with. The hackers might ask the target to click on a link to verify recent transactions. Since the target has had favorable experiences with the company, he doesn't question the request, and hackers will get him to log into his bank account.
- Present bias.
Humans are more inclined to want small, quick wins than future, bigger rewards. Hackers can use the desire for instant gratification to dupe victims into thinking an email attachment is related to an award or prize.
- Availability bias.
If a human hasn't seen a certain type of cyberattack before, the alarm bells might not go off. Employees may receive a lot of training to avoid being victims of email phishing attacks, but if a hacker calls asking for login credentials, they might not associate it with a threat.
- Illusion of unique invulnerability.
This bias is triggered when victims think a bad thing is very unlikely to happen to them. In training manuals given to cybercriminals, hackers are instructed to target white males over the age of 40 because that demographic thinks they are less likely to be duped.