10 Oct 2023
by Ivan Kinash

Why we need to understand the psychology behind cyber attacks

Guest blog by Ivan Kinash, CEO and co-founder at Licel #techUKCyber2023

We find social engineering attacks particularly shocking because they seem so new to us.

But actually while the medium - the mobile phone - is new, the tactics aren’t new at all. 

Cybercriminals today have adapted to follow new currents, cultural frameworks, and technologies, but they’re still exploiting human psychology the same way our ancestors did. They know which emotions to target to elicit the response they’re looking for, whether that’s for us to click on a malicious link in an SMS or to get us to wire funds to a bogus account. 

Cyber resilience in the UK public sector and beyond can be enhanced simply by recognising and demystifying the techniques that hackers use. Because if your employees or colleagues are aware of them, they’ll be in a much better position to take a step back and ignore (and then report) them.

 

History is full of social engineers. The principles behind deception have been honed for thousands of years. You can spy them within the Trojan horse that was wheeled inside Troy’s city walls. And you can hear them clearly in Hernán Cortés’ words as he tells Moctezuma that his soldiers are suffering from a sickness of the heart that only gold can cure.

Over a century before the infamous Nigerian 419 email that you’ve almost certainly received at least once in recent years, there was the Spanish Prisoner letter. Its purpose was almost identical - it was there to offer a once-in-a-lifetime opportunity for the reader, if only they could first help by supplying some funds. 

The psychology here is obvious. The attacker is exploiting greed and a fear of missing out. 

Attacks like this one ping on people’s phones daily, landing in inboxes, via SMS, or even in a WhatsApp message. And they can be incredibly damaging to individuals, businesses, and government departments. They can lead to bank accounts being emptied or to secrets being inadvertently shared. 

What makes these ancient scams infinitely more scalable (and therefore damaging) in the modern world is the mobile phone. 

 

In a little over a decade we’ve completely adapted to this “everything” device. Our brains have evolved to crave its updates because we know they might contain news of people liking our recent post, feedback on a recent job application, or even a new romantic match. 

And so sometimes we can reach for the device in an instant without thinking. If anything, the mobile phone and the social media apps it contains have encouraged us to act more spontaneously. 

Unfortunately, this is the ideal environment for attackers to exploit. They know that while most of us will ignore their scam, you might not. You might be busy or distracted when their payload pings. You might be jumping off the train at your station, a little bit late and flustered at the exact moment that their message arrives at your fingertips. And perhaps, at first glance, the contents of that message may look familiar - a natural continuation of a conversation you’ve been having at work or at home. 

And so, without scrutinising it, you open it and click on the link it contains.

 

The fast pace of modern life dictates that little time has been spent analysing what this current reality means for people. We don’t tend to talk very much about the everyday digital threats that people face. 

But we should, because a successful cybersecurity posture is about two things: 

Yes, it’s about utilising the best protection mechanisms out there. It’s about understanding what’s at risk and making sure that your business is protected. Earlier this year we published a guide to mobile application protection with the objective of educating developers about this.

Yet cybersecurity is also about empathy. It’s about putting yourself in the shoes of people who are facing social engineering attacks. If you’re an app developer, then this means thinking about how the user of that app will be interacting with it and making sure their data is secure. If you’re looking after cybersecurity within an organisation or government department, it’s about educating your colleagues about the tactics that cybercriminals use. 

The mobile phone has made social engineering scams more scalable. And in the coming years AI will make them much more believable, too. There’s simply too much at stake, then, for us to not try to even the odds with cybercriminals.

A great place to start is increasing awareness of the not-so-new tactics attackers employ.


techUK’s Cyber Security Week 2023 #techUKCyber2023

The Cyber Programme team are delighted to be hosting our annual Cyber Security Week between 9-13 October.
