Cybercriminals are continually evolving the methods they use to trick us into taking actions we shouldn’t take: opening infected email attachments, clicking on harmful links, transferring money, disclosing our passwords, etc. These attempts can be made across various platforms and technologies like email, social media, text messaging, phone calls, etc. They all seem like very different approaches, but they do share one thing in common: the manipulation of emotion.
Humans, for better or for worse, base decisions on feelings rather than logic. In fact, “behavioural economics” is a whole field of study on this concept. It blends elements of economics and psychology to understand drivers of behaviour and decision-making.
Emotional triggers are used in cyber attacks to drive our actions, and several can even be combined in one attack to increase the effectiveness of the attempt. Luckily, we can stop manipulation of our emotions if we know what to look for.
Arguably the most common emotional trigger used in cyber attacks is driving up anxiety, scarcity and fear, the idea being to hurry you into taking a desired action. A common example of this type of manipulation would be a text message claiming to be sent from the Tax Office, demanding monies owed and warning that jail time is likely if your debts aren’t settled immediately. Another common example is an email supposedly from a boss or CEO demanding sensitive documents be sent to them or a random invoice be paid at once.
Anger can be used to drive action from you. For example, a message might be about a social or political issue that many people feel passionate about – “Check out what this group or corporate giant is doing! Disgusting! Help us fight it by donating/signing this”.
The well-known proverb “curiosity killed the cat” warns of the risks associated with unnecessary investigation, and this can apply to cyberattack attempts. This emotional trigger is used in an email or text ‘notifying’ you that a package couldn’t be delivered to you or that your payment couldn’t be processed. Even though it doesn’t ring a bell, you may still be curious enough to click on the link provided or submit the information requested to learn more.
Threat actors also try leveraging the existing trust you have by impersonating large brands, reputable charities, or even someone you personally know. If the contact you receive is unexpected or out of the ordinary, always reach out directly to the organisation or the person you know to validate whether it was genuinely from them.
The old adage applies here: if it’s too good to be true, it probably is. An old but effective method of scamming money or identity information is to send a message posing as your service provider, thanking you for your payment or loyalty and telling you that you’re eligible to receive a reward or gift. All you need to do is click the link and provide your information or credit card details to pay the small shipping fee to receive it. Sadly, there’s no reward or gift; just a stolen identity or money.
Empathy / Compassion
Your kind-heartedness can also be taken advantage of. For instance, cyber attackers will follow a major natural disaster with a wave of emails to potential victims posing as well-known charitable organisations, asking for donations.
By understanding how feelings can be manipulated, you are in a better position to recognise emotional triggers and stop attempted cyberattacks, no matter the appeal or the method used.