
Psychology of the Phish: Leveraging the Seven Principles of Influence

BSides Calgary · 41:10 · 20 views · Published 2021-12 · YouTube


Hi everyone, it's a pleasure to be here presenting on this topic, Psychology of the Phish. Can somebody just ping on the chat to confirm that you guys can see the deck and hear me speak? Perfect, thank you. All right, so the topic for today is Psychology of the Phish: Leveraging the Seven Principles of Influence. My name is Shojo Biswas, and the bunch of letters after my name show that I'm good at multiple-choice exams in the security domain; hopefully that translates into me being a better security consultant, because that's what I am. I'm a technical director at NCC Group, perhaps the largest pure-play

cybersecurity consulting firm in the world. I have almost 17 years of experience in risk management and infosec, and I've worked on both sides of the table, as an operator in security teams as well as an advisor to such teams, and my experience has spanned industries and organizations of different cybersecurity maturities. That picture from 2010 is one example where I'm okay with deprecated information; normally you don't want old information in matters concerning security. One thing you'll realize is I'm definitely not a psychologist, even though the topic of my presentation says Psychology of the Phish. That's because I've always been fascinated by the psychological aspects of phishing, and

this presentation basically combines lessons from my MBA studies around influence marketing with my experience working as an information security professional. So before I go into the psychological elements of phishing, I just want to address why phishing is popular. Here I would like to start off with this quote by Kevin Mitnick, obviously a very well-known person in the infosec industry. He once mentioned that most of the computer compromises that we hear about today use a technique called spear phishing, and it's extremely difficult to defend against. So even with a bunch of technologies and tools, people still get phished, because it's all about exploiting normal human behavior. So if you have an email, and

obviously everybody does, you must have received emails like this, right? Very obvious phishing emails: bad English, some obvious red flags there. But you may also have received emails like this, which are definitely much more sophisticated. They do look as if they're actually coming from that vendor that is mentioned there, Amazon. So from exotic princes and dancers in distress offering millions of dollars if you just pay a few thousand dollars in processing costs, to targeted emails that spoof legitimate email addresses and replicate official templates, phishing emails span a wide maturity spectrum. And obviously the numbers are huge. I actually go back a few

years: in 2017, 76% of organizations were targeted by phishing emails, and the same year around 1.4 million new phishing sites were being created each month. I mentioned the sources here as well; these are very well-known security providers, Wombat and Webroot. And if you work in security you're familiar with the Verizon DBIR, the Verizon Data Breach Investigations Report, a very authoritative source of cybersecurity statistics. So in 2018 phishing accounted for 32% of data breaches and almost eighty percent of cyber espionage. And the final data point is actually not from any security vendor; it is from federal law enforcement. So the FBI said

that in 2019 business email compromise, a specific type of phishing attack, caused more than 1.7 billion dollars in losses. So obviously it's a very, very lucrative industry; lucrative, obviously, from the perspective of the phishers. So I just want to take a moment to discuss the economics of email fraud. The idea is that the popularity of phishing is driven not only by its success but by its success relative to its cost. In other words, the returns from that investment are significantly higher than the time and effort and money that is put in. So if you think of it like any other kind of

business, as long as the returns are significantly higher than the investments, this is a practice that will continue and continue to grow. So here are some actual numbers around this, and this actually goes back more than a decade. In 2008, researchers from UC Berkeley and UC San Diego infiltrated the Storm botnet. A botnet, as you know, is a collection of zombie computers which have been taken over by some external actor and can be used to run these phishing campaigns, spam campaigns, etc. Spam typically is harmless; phishing actually has a harmful component to it. So they basically used the Storm botnet to run fake spam campaigns, pretty much

phishing, and they sent 350 emails over 26 days and made 28 sales of approximately $100 each. Now on the face of it this seems to be a very poor return on the investment: 28 times 100, that's $2,800 in 26 days, doesn't seem like much. But consider that this particular experiment only used 1.5 percent of the botnet, so if 100% of the botnet were used, then that daily revenue would have increased to seven thousand dollars per day. And this is just one botnet and one kind of phishing attack. So in other words this is a lucrative enterprise, and it doesn't cost much, with the use of mass emailing tools,

which can be used for legitimate purposes, for marketing for example. And also people have access to mailing lists; our email addresses are all out there, because there are organizations which sell those email addresses, and that can be completely legitimate, and sometimes those email addresses are also leaked, maybe they are present on the dark net and available for pennies each. So because of all these tools and information it is quite inexpensive to carry out a phishing campaign. In other words the ROI for the cybercriminal is high, and you can see the reason why phishing is popular: not only because it is easy to do,

but also because there are illegitimate returns which are significantly positive as compared to the time and effort that is put in. Now I'll move on to the seven principles of influence, and this is where I talk about the psychological elements of phishing. I want to start off by quoting John Hancock, who was one of the original signatories of the Declaration of Independence, and he mentioned that the greatest ability in business is to get along with others and to influence their actions. And this is true of every human activity, whether you're selling something, convincing others to buy your product or service, or convincing someone to click on a

phishing link: it's all about influencing people, and that is why I believe that there is a significant psychological lens that we can look at phishing through. So I mentioned earlier that I'm not a psychologist, but I am going to leverage the learnings from this professor's teachings, and this is somebody whom I encountered during my MBA studies; the particular topic was I think called Leadership and Organizational Behavior. So you can see that this person, Dr. Cialdini, is kind of the guru of influence marketing. He has worked at very well-known universities, he has authored New York Times bestsellers, and he has advised the

cream of the Fortune 500. So unlike me, he's definitely a psychologist. Now moving on to the seven principles of influence. These are specific principles that Dr. Cialdini discovered and enumerated, and I'm going to first discuss what that principle is all about and then cite an example of how that principle of influence is exploited in phishing. So the first one, principle one, reciprocity. And again this is something that we all know; it's a simple give and take. If you do a favor, you automatically expect that favor to be reciprocated. And there's a nuance to this: for example, if you want something from

somebody, it's always better to do a favor first, so you build up a bank of favors to draw on when the time comes. And there's also an interesting element to this: if you ask somebody for a favor and they refuse it, chances are if you ask for a smaller favor later on they're going to agree. So this is all about influence marketing, and this is actually legitimately used by marketers, and I'll give you an example. This is something that Dr. Cialdini actually demonstrated: he sent out Christmas cards to complete strangers, people who had never heard of him, and these strangers sent him cards back

in return. Also, when people were asked to volunteer, they were asked to commit to a particular time, maybe every week over a year, and they were not willing to do so, because it's a pretty long commitment. However, if that original request was followed by another one which basically said, hey, can you just volunteer for a few hours this week or next week, the chances of people actually saying yes increased significantly. It's all about people refusing a larger favor but then agreeing to a smaller favor. Now here is an example of how that is used in phishing: an email promises to give access to

valuable information if you just do something, maybe download an attachment or click a link, and obviously these are malicious. So an email which says: click here to access your new salary after the latest pay revisions. In other words, if you do something you expect to get something, and this is how phishers exploit this principle of influence. I use a lot of these cat memes, so hopefully you enjoy them. Moving on to the second principle, scarcity. Again, this is something that we kind of intuitively know: people want what is difficult to get, so anything that is rare is automatically perceived to be very valuable. And an

interesting aspect of this is that the fear of losing out is actually more influential than the joy of winning. Again, these are things that we may have experienced in our daily lives, but Dr. Cialdini actually formalized this. So again an example in real life: a TV commercial advertised a product saying that over 500 had been sold, in other words it is very popular, but it was actually more successful when it changed the advertising to say only 25 left to sell. In other words it is scarce; basically if you don't order now there's a chance of losing out, and as I said the fear of losing out is more influential

than the joy of winning. So not only is it scarce, it is also something you can potentially lose out on if you don't act quickly. So again this TV commercial showed how this particular principle can act in real life. Again, a parallel in phishing: an email stresses that a particular access is available only if a certain action is taken within a short period of time, in other words leveraging this fear of losing out. So if you receive an email which says install this MS Outlook patch, otherwise you'll lose access to email, obviously you don't want to lose access to email; that

is something that you absolutely need for daily work, and this particular phishing tactic actually plays on that fear. And obviously if you click that link, that is not a security patch or any upgrade; that's actually malware that you may inadvertently install on your machine. The third principle, authority: people defer to authority, whether it is actual or even assumed. In fact I've heard this quotation that with a uniform and a clipboard in hand you can pretty much walk in anywhere; people are not going to question you, because it seems that you have that authority to be

in that place. And again any claims backed by such leaders are automatically considered influential. So again an example in real life: there was this experiment which I think was conducted at Stanford University by Professor Milgram, and this was done in 1961, the early 60s, and he demonstrated that if people get orders from somebody considered to be influential, those people can act completely against their normal behavior. In this particular case they were asked to act as prison guards and be cruel to other volunteers acting as prisoners, and they did that, basically behaved like that, completely contrary to normal behavior. Again, we

have actually seen this in wars throughout history. If you think about it, a lot of these wartime atrocities are often committed by the common soldier, but they're often acting on instructions from their superiors. The Holocaust was also an example of that; normally people are not that cruel. Again an example in phishing: an email from the CEO, and this is that business email compromise as I mentioned, instructs accounts people to make an initial payment. So normally if accounts payable receives such a request they would actually push back, most likely push back; they may ask for additional confirmation, they may actually call up that person to confirm.

But just because this email seems to be coming from the CEO (now, it can be somebody impersonating the CEO and emailing from a different email account, or it may be someone who has actually compromised the CEO's email account and is obviously impersonating that person), just because that email seems to be coming from the CEO at the very top of the organization, it is less likely for accounts people, the recipient of the email, to actually push back, even if that request seems to be completely out of the ordinary: basically making a payment to a vendor at a new account, which in this case is obviously a fraudulent account, because it belongs to that cybercriminal who actually

sent that phishing email. And once those funds are transferred, they're immediately transferred out and very difficult to recapture and get back. So again, business email compromise is a particular kind of phishing which leverages this particular principle of authority. Principle four, consistency. Everyone is a creature of habit; if you think about it, the way we do things does not really deviate too much from one day to the other in most of our activities. In other words, if you make a request which is in tune with how people would normally respond, maybe the kind of request that people already see a lot, it

is less likely for that person to say yes. And as an example, excuse me, Charlie Trotter's, this is an exclusive Chicago restaurant, and they were facing a lot of problems with no-shows. People would call up to reserve tables and they just wouldn't show up, and this is obviously harmful for the restaurant: if a table is reserved, that means it cannot be given to someone else, and also if they have walk-in customers even they cannot access those tables. Excuse me. So again this was a problem which was really eating into the restaurant's profitability. So what they did was: normally if somebody would

call to make a reservation, the last thing that the person taking the call would say is: can you please call up to cancel if your plans change? And that's it. But what they did was they changed the phrasing a bit: instead of making a request, they elicited a promise. So basically they said: hey, in case your plans change, will you please ensure that you call back and let us know? So getting that yes response from that customer is basically an implicit promise, and in general people like to keep their promises, politicians excluded,

but this implied promise was actually helpful. So in case their plans actually changed, people would now call back the restaurant and inform them, so that reservation could be released for other customers. So again, this is something that is exploited by phishers, and this is when you receive that email which looks like it comes from a familiar brand, for example Amazon. Pretty much the entire world orders from Amazon, so we are accustomed to receiving emails from Amazon which say okay, your order is being shipped, your order is on the way, and stuff like that. Now the way phishers actually exploit this is when they send out an email which seems

to be coming from Amazon, it is less likely for the recipient to look closely. For example, since we pretty much order from Amazon regularly, if we receive an email saying an order is on the way, even if we actually haven't ordered anything, there is a high likelihood that we may not scrutinize it as closely as we should, and obviously if that email says okay, click here to confirm your address or something, that's a phishing link. So again an email says your Amazon package is on the way, click here to confirm your shipping address. This is a very common example of this principle being exploited by phishers.

Principle five, consensus. There is a lot of power in a crowd; people tend to follow the crowd. If you look at violent riots or fans at a rock concert, people tend to follow the crowd, they tend to do exactly what their neighbors are doing. And again there's something which is used in marketing legitimately: a TV commercial says operators are standing by, please call, you know, when they have shown you the product, they've shown what the product is capable of, and if you like it please call up the number on the screen to order. Now they actually changed the

wording, so instead of saying please call, they said if operators are busy, please call again. So what does this do? It implies that there is so much demand for the product the phone lines can actually be busy. So even if it is not really busy, the fact that they say it is influences your decision making; it gives you a pause to think that, hey, if the lines are busy, that means a lot of people must be calling, that means in general people believe that this is a good product, so maybe I should order it too. Again, something that is exploited by phishers: an email says how many of your

colleagues have actually done something, and basically that means you should do it too. So an email says okay, X of Y employees have updated their operating systems, click this link to download. So the recipient believes, okay, my colleagues have actually done this, so this seems legitimate, therefore I should do it too, otherwise I'm missing out. And I love this meme particularly: I'll tell you when to patch. So obviously it's not a patching email; it's obviously not a patching link or anything, it's a malicious link, or it can be a malicious attachment that you're asked to download, and that can

really screw up your systems, your computers. Principle six, liking. This is our favorite set of friends, and what this principle says is people make requests to people they like, and of course if that person likes you back, the likelihood of that person saying yes to that request is higher. And at the same time, if you think about it from the opposite direction, if somebody wants to be liked they are more likely to say yes. And again this is something that we definitely practice in real life: normally your significant other will ask you for a bigger favor than your colleague. I'm sure there may be variances depending on how well you

like, or your spouse likes you compared to your colleague, but this is kind of a general fact of life. And again, an example of how this is used in phishing: an email from HR, and again it is obviously not from HR, asks a new employee, who is eager to be liked, for confidential information. As I mentioned, if somebody is eager to be liked they're more likely to respond positively to a request. So an email which says we don't have your SSN in our records, can you please provide us that info. Normally if anybody receives an email like this from anybody else they would really think closely about it; most

probably they won't provide that information. But if that person is a new employee and this seems to be coming from HR, they're more likely to say yes. In fact cybercriminals actually go dumpster diving: they look through discarded materials and trash to determine who the new employees are, so if there's any kind of printout or anything which says okay, these people joined on such and such dates, phishing emails would be targeted to those employees because they are new and they are more likely to respond positively to such a request. Now the final principle, unity. This is something which was not in the original list; he added it later, I think in the next version of his

book, which first came out with these principles, and the idea is that the more we identify ourselves with others, the more we are influenced by them. So it has some similarity with liking, but this is more about being part of a group, and this is something which politicians use a lot: they always want to show themselves as candidates of the people, so they have the same kind of weaknesses, the same kind of faults as the general population. So nowadays they are okay with admitting to smoking pot, and even infidelity and all that, because nowadays they endear themselves to the

population by saying that, hey, I am a flawed individual, I'm not perfect, but so are most of you, that means I'm just one of you, I belong to this wider community. And this was something which was also demonstrated by Dr. Cialdini. He asked his students' parents to complete a questionnaire, and the response rate was very, very low, around 20 percent. But then he offered one extra point. Now one extra point on a single paper in one semester is pretty much nothing as far as its impact on the overall grade point average, but just because the parents and the students are obviously part of the

family, and you want to help out your family members, you're part of that same group, just because of that one single point that he offered, the response rate jumped to 97 percent. And again this is something which is exploited by phishers: an email which basically tries to show that the sender and the receiver have a common interest, so they're part of that same larger community. So an email which says, as a fellow cat lover, can you please sign this petition, and the link for signing that is obviously not legitimate, it's a phishing link. So again, these are the seven principles of influence, and phishers exploit them, and that is all about the

psychology of the phish. The next section is all about protecting against phishing, and before going into the specific tools and technologies and processes, I would first like to take a moment to discuss the castle approach. The castle approach is also known as defense in depth, and it's called the castle approach because it's something which was implemented in castles, and the idea is to have these different concentric layers of security; in other words, if an attacker would be able to breach an outer layer, hopefully an inner layer will be able to block them. So in castles that would be the outer walls, the moat, inner walls, watchtowers, guards. Now today I think CISOs are kind of the lords of the

castle, and the castle here is obviously the modern organization, the modern enterprise, and the treasure here is data, sensitive confidential data. And here defense in depth is implemented through these layers of administrative, physical and technical security. Administrative is all about the rules, the policies, procedures, etc., and of course training. Physical security is anything related to something that can be physically touched, so doors, fences, alarms, cameras. And technical security is all the hardware and software security controls. Now, with technical controls around phishing, and I'm not going to read through the entire content, there are actually a lot of technical controls and they're pretty good. So you have

spam filtering, which filters out emails based on specific criteria such as particular keywords or blacklisted URLs. There's also a way to check that email to see if it is a part of a mass emailing campaign, and that can be an indicator of a phish, so that is one way. Then you have IP blacklisting, which blocks emails originating from specific IPs or IP ranges, so this can be things like blacklisted IPs that are known to be used by phishers, or they can also be wide IP ranges such as may be used in North Korea. Then you have web proxy. A web proxy

doesn't block the phishing emails themselves but actually blocks access to the phishing sites, so if you click on that link, your ability to go to the phishing site would be restricted because of the use of the web proxy. Also, web proxies run any executable content in a sandbox environment so it is not run in that user's browser, which also helps keep them secure. So these are some of the technical controls; there are a few more. Sender Policy Framework, or SPF: this is an authentication mechanism to detect if the sender's email address has been forged. So it looks like it's coming from amazon.com, but with this control you can actually detect that it is not.

Similarly DKIM, an additional authentication method which extends SPF, and then you have DMARC, Domain-based Message Authentication, Reporting and Conformance, which is again an extension of SPF and DKIM. So all of these are really good, and in my experience as a security consultant I've seen a lot of organizations actually enable these, but even after that they're still getting phished. And why is that? That is because, as Bruce Schneier, a well-known cryptographer, puts it very eloquently: amateurs hack systems, professionals hack people. In other words, with all the tools and technologies you still have human error. I absolutely love this cartoon; I have used it in a number of my
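The speaker's point that organizations "enable" SPF and DMARC and still get phished often comes down to how the records are configured: an SPF record ending in `~all` or a DMARC policy of `p=none` only reports forged mail, it does not stop it. The following is an added example, not part of the talk and not NCC Group or any vendor's code, that checks a domain's SPF and DMARC TXT records for those weak settings and contrasts them with an enforced configuration. DNS answers are replaced by a constructed dictionary of sample records for the assumed domains `example.com` and `hardened.example`; a real deployment would issue TXT queries instead. DKIM is not checked here, since its keys live under per-selector names that a receiver only learns from a signed message.

```python
"""Assess SPF and DMARC records for settings that leave spoofed mail deliverable.

Added example: the TXT records below are constructed stand-ins for DNS answers.
"""

# Constructed sample TXT records for assumed domains (not real DNS data).
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net ~all"],          # soft fail only
    "_dmarc.example.com": ["v=DMARC1; p=none"],                        # monitor, never enforce
    "hardened.example": ["v=spf1 ip4:192.0.2.0/24 -all"],              # hard fail
    "_dmarc.hardened.example": [
        "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@hardened.example"
    ],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; swap in a resolver call to run this against live domains."""
    return SAMPLE_TXT.get(name, [])


def spf_record(domain, lookup=lookup_txt):
    """Return the domain's single SPF record, or None (RFC 7208: 0 or 2+ records are unusable)."""
    records = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def dmarc_tags(domain, lookup=lookup_txt):
    """Parse the _dmarc TXT record into a tag dict, or None if there is not exactly one."""
    records = [r for r in lookup("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if len(records) != 1:
        return None
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, lookup=lookup_txt):
    """List the weaknesses that let a forged From: address through; an empty list means enforced."""
    findings = []

    spf = spf_record(domain, lookup)
    if spf is None:
        findings.append("spf: no single valid record, receivers cannot check the sending host")
    else:
        # The 'all' mechanism decides what happens to hosts not listed earlier in the record.
        all_term = next((t for t in spf.split() if t.lstrip("+-~?").lower() == "all"), None)
        if all_term is None:
            findings.append("spf: no 'all' mechanism, unlisted senders get a neutral result")
        elif all_term in ("all", "+all"):
            findings.append("spf: '+all' authorises every host on the internet")
        elif all_term[0] in "~?":
            findings.append(f"spf: '{all_term}' is soft fail or neutral, forged mail is not rejected by spf alone")

    tags = dmarc_tags(domain, lookup)
    if tags is None:
        findings.append("dmarc: no record, spf and dkim results are never enforced")
    else:
        policy = tags.get("p", "").lower()
        if policy != "reject":
            findings.append(f"dmarc: p={policy or 'missing'}, spoofed mail is not rejected outright")
        if tags.get("pct", "100") != "100":
            findings.append(f"dmarc: pct={tags['pct']}, the policy is applied to only part of the mail")
        if "rua" not in tags:
            findings.append("dmarc: no rua address, nobody receives the aggregate reports")

    return findings


if __name__ == "__main__":
    for name in ("example.com", "hardened.example", "nothing.example"):
        print(name, assess_domain(name) or ["ok: spf hard fail and dmarc reject"])
```

Run against the constructed data, `example.com` yields three findings (soft-fail SPF, `p=none`, no reporting address) while `hardened.example` yields none; a domain with no records at all yields one finding for each protocol.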

presentations, and if there are any Daves in the audience, apologies for that, because that's what this person committing the human error is called. But I think this is symptomatic of pretty much every organization: even with a lot of tools and technologies you cannot completely eliminate human error. What you can do is definitely reduce it, and the way to do that is through increased security awareness. So a lot of you may be familiar with this phrase: I hear, I know; I see, I remember; I do, I understand. In other words, if you actually fall victim to phishing, that's a great lesson, but obviously we don't want that; we want people to learn without actually falling

victim, and the best way to do that is through the use of phishing simulations. This is where the security team sends out mock phishing emails and sees if people actually click on them, and if they do, they are provided remedial training. And the idea is that when these phishing simulations are conducted over a period of time, the number of people who are clicking on these links would trend lower; in other words the click-through rates would gradually go down, because hopefully people are learning from this experience. Of course, these phishing simulation exercises shouldn't be conducted at regular intervals. For example, if security sends out a mock phishing email on the second Monday of every month, there's a pattern

here: people would automatically recognize this pattern, and then they would recognize it as a mock phishing email, and so obviously the lessons learned would be less. So the idea is that phishing simulations should be conducted, but irregularly, and they should leverage one or more of the seven principles of influence that I went through earlier, and of course anybody who clicks should be required to take additional training. Now there are also some common indicators which indicate phishing. For example, the uppercase I for India displays as lowercase l if you're using a sans-serif font. You can try it out yourselves: if

you write something in the Arial font, the uppercase I and the lowercase l look exactly the same. And there are also some Unicode characters which resemble other characters; in other words, it may seem like google.com on that phishing email, but that o may be something else. A very simple case: that o may actually be a zero. But there are more sophisticated interpretations of this, if they're using different alphabets, not the English alphabet, if they're using Unicode characters, so there may be something which closely resembles the letter o but it is not. So obviously the way to detect

it is to not just click on the link but actually visit that particular address: type the address directly in your browser. And a lot of these browsers nowadays automatically address this, so one thing that security should always do is ensure that only the latest browser versions are allowed; ideally nobody in the organization should be using an ancient version of Internet Explorer to browse the web. In general, people should distrust and verify; in other words, if something seems too good to be true, like most things in life, then it probably is, and that goes for phishing as well. Now in this section I want to talk about a few anecdotes and lessons learned,
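The uppercase-I/lowercase-l swap, the zero for o, and Unicode letters that render like Latin ones are all things a mail gateway or link-rewriting proxy can check mechanically rather than leaving to the reader's eye. The following is an added example, not the speaker's or any product's code, that reduces a URL's host to the ASCII string a reader is likely to perceive and compares it with a constructed list of protected brand domains. It goes slightly beyond the talk by also flagging a brand name used as a subdomain of an unrelated domain. The confusable tables, the brand list, the use of the last two labels as the registrable domain, and the sample URLs are all simplifications assumed for the example.

```python
"""Flag URL hosts that look like a protected brand domain: I/l/1 and 0/o swaps, Unicode
look-alike letters, and brand names buried in a subdomain. Added example with constructed tables."""
import unicodedata
from urllib.parse import urlsplit

PROTECTED = ["google.com", "amazon.com", "paypal.com"]   # constructed allow-list of brands

# Characters that render like a Latin letter in common sans-serif fonts (partial, constructed).
SINGLE = {
    "I": "l", "1": "l", "|": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",   # Cyrillic
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
    "\u03bf": "o", "\u03b1": "a",                                               # Greek
}
# Character pairs that read as one letter at small sizes.
PAIRS = {"rn": "m", "vv": "w"}


def skeleton(name):
    """Map a host name to the ASCII string a reader is likely to see it as."""
    text = unicodedata.normalize("NFKC", name)          # folds fullwidth and compatibility forms
    text = "".join(SINGLE.get(ch, ch) for ch in text)   # before lower(): uppercase I is the classic l
    text = text.lower()
    for pair, one in PAIRS.items():
        text = text.replace(pair, one)
    return text


def host_of(url):
    """Host as written in the URL; urlsplit().hostname would lowercase it and hide an I/l swap."""
    host = urlsplit(url).netloc.rsplit("@", 1)[-1].split(":")[0].rstrip(".")
    labels = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):            # punycode: recover the Unicode the user sees
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        labels.append(label)
    return ".".join(labels)


def registrable(host):
    """Last two labels; a stand-in for a public-suffix lookup (constructed simplification)."""
    return ".".join(host.split(".")[-2:])


def check_url(url, protected=PROTECTED):
    """Return (verdict, detail); verdicts: trusted, lookalike, brand_in_subdomain, unknown."""
    host = host_of(url)
    plain = host.lower()
    if any(plain == p or plain.endswith("." + p) for p in protected):
        return "trusted", f"{plain} is a protected domain or a subdomain of one"

    reg = registrable(host)
    non_ascii = any(ord(ch) > 127 for ch in host)
    for p in protected:
        if skeleton(reg) == skeleton(p):
            how = "non-ASCII letters" if non_ascii else "look-alike ASCII characters"
            return "lookalike", f"{reg} renders like {p} ({how})"

    for p in protected:
        if ("." + skeleton(plain) + ".").find("." + skeleton(p) + ".") != -1:
            return "brand_in_subdomain", f"{p} appears as a label of {plain}, which is registered elsewhere"

    return "unknown", f"{plain} matches no protected domain"


if __name__ == "__main__":
    # Constructed sample links of the kinds described in the talk.
    for link in ("https://www.google.com/login", "https://goog1e.com/signin",
                 "https://paypaI.com", "https://g\u043e\u043egle.com",
                 "https://amazon.com.evil.example/x", "https://example.org"):
        print(check_url(link))
```

Because the check works on the host as written, it catches `paypaI.com` (capital I) even though a browser would lowercase it before resolving; the `xn--` branch means a link that has already been punycoded is judged by the Unicode a user would be shown, not by the opaque ASCII label.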

and here I would like to start by quoting this great philosopher of our times, Kanye West, now called Ye, however that is spelled; I believe he changed his name officially. He once said: I was never really good at anything except for the ability to learn. So here are some lessons learned. This one was actually at a client, and what we saw was that executives are often not tech savvy, but they have the most privileged access; they have the keys to the kingdom, and that's why phishers specifically target them. In fact there is a term for this: phishing specifically targeting

executives is called whaling. As you know, the word phishing, with ph, actually comes from fishing, fishing for information, so I think whaling is used because it is kind of the largest fish, but technically it is not a fish, whales are mammals, but you get the general idea. In fact in casinos, in Las Vegas for example, the people who bet more than a million dollars are called whales; they are the most attractive targets. So the same is the case with phishing. The second example, also seen at a client, is that business email compromise that I mentioned: an email from the CEO to accounts

payable asking for a payment to be made quickly, and that payment was made, and obviously that was a fraudulent payment. So what's the lesson learned here? The lesson is that external payments should always be verified, but the verification should be using a different channel. In other words, let's say an email comes with a request and the person who receives it asks for verification via email; then the attacker can just, like, repeat their earlier request, right, because they already have access to that email. So in this case, if the original request came via email, the verification should happen via phone call, or maybe, like, a Teams chat, right, some internal communication mechanism,

but it should be a different channel, because the likelihood of an attacker getting access to both is less. Finally, this one, the third incident, is actually something that I encountered myself. So I received an email, and I checked it on my phone, and it seemed to be coming from Craigslist, and this happened after I posted something on Craigslist, right? So obviously somebody saw that, and that's why I was targeted. And the symbol that I see on the left, that's the Craigslist logo, which I think is also the peace symbol. Anyway, so this email said that your account has been hacked, please check your password, please change your password, and I stupidly clicked on

the link. But thankfully I am a security professional, so something clicked in my brain and I took a closer look, and I saw that the email obviously was not from Craigslist. So the lesson to be learned here is that security professionals, obviously, we are not immune to phishing, so we should be careful as well. And another lesson I learned personally is that if I'm looking at things on a phone, right, the screen is much smaller than my laptop, so it is less likely that I will look at things closely, so that level of scrutiny is less if that screen size is smaller. So again, something I think all of you can learn from. In conclusion, and this is,

I'm at the end of my presentation. If you're part of the security team who's running these phishing simulations and you don't see that the click-through rates are actually trending downwards, that is a red flag; that means people are not learning, right? So you should be very vocal about it. The second one, I've seen this in some places, is that executives are falling, I mean they are repeatedly clicking on these mock phishing links, right, and they feel kind of embarrassed and say that, "No, no, please excuse me, please remove me from the next exercise," and just because they're execs they feel they can say that,

but as an information security professional you should push back, right, because of two reasons. One is executives are actually targeted more, right, and if they are compromised, the harm to the organization will be more than, let's say, like, an ordinary employee being compromised. And secondly, and executives may not actually like hearing this, a lot of executives, like, who are non-tech executives, they are often not so tech savvy as they believe themselves to be. So this is another thing I think you should be cognizant of. And finally, even with all the tools, technologies, even with all the knowledge, there's something you cannot eliminate, and that is confirmation bias, right? If you are checking your own work, that's

a conflict of interest. So in this case it does make sense to bring in an external expert, and obviously this is how guys like us, security consultants, make money, but it does make sense to have that external expert come in, ask the tough questions, basically play the devil's advocate. So my final word to you is, and I'm quoting perhaps a very, very, very influential philosopher of our times, Dilbert, or rather his creator Scott Adams, and he once wrote, "You don't have to be a person of influence to be influential. In fact, the most influential people in my life are probably not even aware of the things they've taught me." I hope that this presentation has been

somewhat influential to you. Thank you. Happy to take any questions.
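The talk's point about look-alike addresses (uppercase I versus lowercase l, zero versus o, and Unicode letters from other alphabets that resemble Latin ones) can be turned into a small defensive check that a mail gateway or a user-facing "is this link what it claims to be?" tool could run. The following is an added example written for this page; it is not code from the speaker or from NCC Group. The allow-list of expected domains and the confusable-character table are constructed placeholders, and the `assess_host`, `assess_url`, `fold_lookalikes` and `scripts_in` names are the example's own. It flags three cases the talk describes: a host with non-ASCII letters (shown together with the punycode form the browser really resolves), an all-ASCII spelling that folds to a known domain once confusable characters are normalised, and, as the baseline, a host that matches the allow-list exactly.

```python
"""Look-alike domain checks for the phishing indicators discussed in the talk.

Added example, not part of the original presentation. The allow-list is a
constructed placeholder; a real deployment would load the organisation's own
list of expected domains.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of domains the organisation expects links to use.
KNOWN_DOMAINS = {"google.com", "paypal.com", "craigslist.org", "microsoft.com"}

# ASCII characters commonly substituted for a visually similar letter.
# Folding a candidate through this table lets us compare on appearance
# rather than on exact characters. Note the uppercase-I entry: it also
# rewrites a legitimate capital I, so a fold match is a hint, not proof.
ASCII_CONFUSABLES = {"0": "o", "1": "l", "I": "l", "|": "l", "5": "s", "3": "e"}


def host_from_url(url: str) -> str:
    """Extract the host part of a link without lowercasing it (urlsplit's
    .hostname would fold an uppercase I to i before we can inspect it)."""
    netloc = urlsplit(url).netloc
    host = netloc.rsplit("@", 1)[-1]          # drop user:pass@ if present
    if not host.startswith("["):              # leave IPv6 literals alone
        host = host.split(":", 1)[0]          # drop :port
    return host.rstrip(".")


def scripts_in(text: str) -> set:
    """Unicode scripts used by the letters in text, taken from the first word
    of each character's name, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in text if ch.isalpha()}


def fold_lookalikes(host: str) -> str:
    """Normalise an ASCII host so visually similar spellings collide."""
    folded = "".join(ASCII_CONFUSABLES.get(ch, ch) for ch in host)
    return folded.lower().replace("rn", "m")  # "rn" renders much like "m"


def assess_host(host: str) -> dict:
    """Classify a link's host against the allow-list.

    verdict is one of:
      'known'      exact allow-listed domain
      'homograph'  contains non-ASCII letters (IDN look-alike candidate);
                   the punycode form is what the browser really connects to
      'lookalike'  ASCII spelling that folds to an allow-listed domain
      'unknown'    not allow-listed, nothing visibly suspicious
    """
    host = host.strip().rstrip(".")
    result = {"host": host, "punycode": None, "scripts": sorted(scripts_in(host))}
    try:
        result["punycode"] = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass                                  # invalid IDN label; still classified below

    if not host.isascii():
        result["verdict"] = "homograph"
    elif host.lower() in KNOWN_DOMAINS:
        result["verdict"] = "known"
    elif fold_lookalikes(host) in KNOWN_DOMAINS:
        result["verdict"] = "lookalike"
    else:
        result["verdict"] = "unknown"
    return result


def assess_url(url: str) -> dict:
    """Convenience wrapper: assess the host embedded in a full link."""
    return assess_host(host_from_url(url))


if __name__ == "__main__":
    # Constructed sample links of the kinds described in the talk.
    samples = [
        "https://google.com/account",
        "https://paypa1.com/login",               # digit one for lowercase L
        "https://PayPaI.com/login",               # capital I for lowercase L
        "https://g\u043e\u043egle.com/verify",    # Cyrillic o for Latin o
        "https://example.org/",
    ]
    for url in samples:
        r = assess_url(url)
        print(f"{r['verdict']:<10} {r['host']:<22} {r['punycode']}  {r['scripts']}")
```

The script only decides whether a host *looks* like something on the allow-list; it does not replace the advice in the talk to type the address yourself, and a `lookalike` or `homograph` verdict is a reason to stop and verify, not a final determination. Modern browsers already display mixed-script hosts in punycode, which is why the speaker stresses keeping browsers current; this check reproduces that behaviour for places where no browser is involved, such as a mail filter.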