A good criminal needs to know what makes people tick. There is a great deal of psychology involved in criminal activities - especially when it comes to establishing contact with potential victims.
Many cyberattacks are successful because cybercriminals misuse human interaction online. For example, cybercriminals send fake invoices to retrieve passwords or fake text messages from a parcel service to cheat victims out of money. Humans are therefore usually the weak link. Cybercriminals know this better than anyone and use psychological tactics to trick victims; we also call this social engineering.
But why do people click on dangerous links en masse, when we know the risks? And why are we so quick to give our confidential information to cybercriminals? According to behavioural researcher Robert Cialdini, there are six universal principles of influence that determine human behaviour. Social engineers use these principles of influence to manipulate their potential victims and induce certain behaviour. The six principles of influence are: reciprocity, consensus, consistency, sympathy, authority and scarcity.
In my book ‘Cyberdanger’ (2019, Springer; an updated English version of the original Flemish edition ‘Cybergevaar’, published in 2013 and also available in German as ‘Cybergefahr’), I have always described any cybersecurity issue or problem as a direct result of a combination of technological and human factors. Most malware and cyberattacks would not stand a chance without naivety, curiosity or other human weaknesses such as the six principles laid out in this article.
In my book it’s described as Willems’ (Second) Law: CSP = TF x MF
Where CSP stands for a cybersecurity problem, TF for the technological factor (malware, vulnerability, exploit, etc.) and MF for the human factor (human behaviour).
Besides these psychological tactics, cybercrime also has a psychological impact on victims. Most people think that the impact of an online crime is smaller, but recent research by the NSCR shows this not to be the case. Digital crimes appear to have a similar impact on victims as traditional forms of crime. Generally, people find it difficult to understand that someone can become a victim of cybercrime, even though online crimes take place on a large scale and anyone can become a victim. Due to this lack of understanding, victims of online crime are more likely to experience victim blaming. Victims receive reproachful comments from friends, family or colleagues as well as random strangers on the internet who are known for getting on a high horse, while in reality cybercrime can happen to anyone. It is therefore important to raise the level of knowledge about online crime so that victims can count on support and recognition. An e-learning training course, such as the G DATA Security Awareness Training, is ideal for this.
In addition, we shouldn’t blame the victims too harshly. A user is indeed a potential weak link in your network environment. But instead of pointing fingers and bemoaning the situation, one might as well turn this perceived liability into an asset and offer training and education to the users. Governments in the EU have created some anti-phishing commercials, and this can and should be applauded.
As a lot of cyberattacks are successful due to human error, it is important to pay more attention to the psychological aspects. For example, little is known about the impact of cybercrime on victims. In addition, more scientific research needs to be done on how to prevent people from clicking on dangerous links and how to help them take the correct decisions, which ultimately may reduce the number of victims of online crime. Maybe the ultimate solution could be to use Artificial Intelligence (AI) to make the right decisions for us and to make software much more secure by design from the beginning. This is already happening, but it will still take a lot of time to arrive at a safer world.