Governments and intelligence agencies are engaged in cyberwarfare on an epic scale. As issues discussed on the internet are frequently amplified in the media by organizations with vested interests, it’s become daunting for security pros to unravel the complex and constantly changing web of online allegiances. All this noise offers the perfect cover for cybercriminals, who are thriving today.
While fake news, manufactured outrage, and state-sponsored disinformation campaigns spread like wildfire through social media, enterprising criminals seize the opportunity to jump on the bandwagon. Fabricated and manipulated content designed to spike emotions has become a fertile breeding ground for fraudsters and thieves. Cybercriminals are increasingly using common cyberwarfare techniques and exploiting existing controversies for their own ends. Vigilance, education, and security awareness training are required to combat this growing and insidious trend. Here are five ways the bad guys prey on their victims:
1. Exploit cognitive biases.
We base our perception of reality on the people we grew up with and agreed with, the presuppositions we've made, and the news cycles we observe. Everyone develops cognitive biases, and they influence the way we process information, the way we learn, and the decisions we make. People are quick to seize on anything that confirms what they already believe and just as quick to reject anything that conflicts with it. Scammers frequently exploit these biases.
2. Piggyback on disinformation campaigns.
Cybercriminals follow the path of least resistance and they recycle scams that work, dressing them up in the latest fashion. Disinformation campaigns present them with a virtual clothing store full of emotive controversy that has been tailor-made to get people clicking. Whether it’s a 5G conspiracy theory, fully made-up fiction, insidious mix-ups of truth and lies, an anti-vaccination movement, or an erroneous assertion about a prominent politician, there’s opportunity for bad actors to piggyback on these campaigns and exploit them to trick people into clicking and unwittingly downloading malware or offering up sensitive data.
3. Amplify debates.
The more chaos reigns, the louder the noise gets, and the easier it becomes to manipulate people. Big debates get people angry; they claim lots of attention and mental energy, and they distract everyone involved. Cybercriminals can use hacked accounts or bots to amplify existing debates, divide people, and sometimes cause them to drop their guard. When employees focus on an argument or issue that’s bothering them, they’re less likely to remember company security policies or apply good security hygiene.
4. Exploit controversial topics to spearphish.
Once someone becomes invested in a controversial topic, particularly if they have a strong opinion one way or the other, they develop an emotional connection bad actors can exploit to bypass logical thinking. A little social media research and comment analysis can highlight controversial topics that are likely to evoke emotional responses in potential targets. Cybercriminals can take existing phishing scams and redress them to touch on these topics, hooking victims into clicking on links they should disregard.
5. Force reactive thinking.
Traditional phishing scams often rely on a false sense of urgency to tempt victims into clicking without thinking. By exploiting disinformation campaigns and online controversies, cybercriminals can shortcut to reactive thinking. Victims are already primed to respond emotionally, and criminals can lure their victims into clicking or opening attachments without stopping to assess the source properly or consider the potential risk.
Building awareness benefits security
These cyberwarfare techniques are incredibly effective. This isn’t a simple matter of gullibility; we’re all susceptible to cognitive biases, and we can all be conned. On a positive note, the same logical, critical, and unemotional thinking that helps expose lies and disinformation can also expose security scams. The underlying principles are exactly the same, and people can learn them. Security education doesn’t just highlight a handful of scams; it aims to equip people with the skills they need to spot the fresh scams that will inevitably emerge tomorrow and the day after.
Start by slowing down and developing the ability to recognize when someone is trying to manipulate you. Any message with a sense of urgency or an emotional appeal should be treated with greater suspicion. Always question the source: is it legitimate and reliable?
Instilling critical thinking in the workforce requires practicing security awareness. It’s also crucial to follow up training programs with practical tests. Employ mock phishing attacks that employees have no foreknowledge of, so you can truly assess the effectiveness of the training. Address the weaknesses that are exposed with further training; repeated failures may require stronger action.
State-sponsored cyberwarfare has created a difficult work environment for organizations trying to defend their networks. Cybercriminals are quick to learn and appropriate effective techniques, so by teaching employees to question more, check sources, and maintain a healthy dose of suspicion, organizations can combat this growing threat.
Stu Sjouwerman, CEO, KnowBe4