Dr Lee Hadlington explains how various cyberattacks work and how cybercriminals are able to trick us time and again
“You might be well protected, but if someone in your office downloads the latest episode of Game Of Thrones from some shady site and brings it into the office on a USB, plugs it in… before you know it, you’ve got malware all through the system”
Why do we do what we do? The field of psychology has sought to explain human behavior for more than 100 years. Its breakthroughs have shed light on some of the most baffling, damaging and counter intuitive human habits, from violence, abuse and addiction to self-harm, obsessive compulsion and depression.
What can psychology tell us about cybercriminals and how their attacks work? What psychological levers are they exploiting in us to invade our lives, steal our data and disrupt our lives? And why do we seem intent on ignoring these threats?
We put these questions to Doctor Lee Hadlington - Associate Professor of Cyberpsychology at De Montfort University in the UK.
This is the second in a two-part interview with Dr Lee. In the first part, we ask "Why do small businesses turn a blind eye to their biggest threat?" and try to understand the ‘it will never happen to me’ attitude towards cybercrime.
“Simply put, I look at human factors in the context of cybersecurity and susceptibility to cybercrime.
When we think of the internet, we think of technology: software and hardware. We tend not to think about the human side: the impact of this thing that we’ve created and adopted as it permeates our lives. It impacts our cognition and our social interactions, and my area is one that’s starting to think more carefully about what it is, how it works and how it makes us feel.
Psychology has been around for many years, but the modern internet is only 20 years old – so its impact is new and ever-changing. Five years ago no one cared about data privacy because it wasn’t an issue, now it’s the primary concern of our time. [We spoke to Lee the day after Mark Zuckerberg appeared before Congress.]”
“There are so many potential things to exploit. For example, at its root, social engineering is psychology. The attacker needs not only to understand how we work as individuals but also how we work as individuals within a society and then exploit that.
Some people take more risks. They might go onto a website they shouldn’t, or they do it unprotected. Attackers exploit that. Even though cybercriminals might be trying to target people, some people are making themselves more susceptible to attack, because of their personality.
Many cyberattacks have similar properties. If you look at ransomware, phishing and even the old Nigerian Prince scam, the attacker is trying to get the victim to give something to them that is usually valuable. Or trying to keep something from you that is valuable, returning it in exchange for money.”
“For example, ransomware. I’m the attacker, I’m going to lock your essential files and, if you don’t pay me, I’m going to destroy them. You, as an individual, don’t want that to happen because it’s important to you: you need access to your email, Amazon account, PayPal account. So, there are two factors: the notion of resource and access to that resource. If someone restricts that access, that’s going to trigger something in you psychologically. That’s how that attack works.”
“The Nigerian scam is slightly different. It’s usually the promise of getting something for nothing - and we all like free stuff. Just put this money in your account and when we take it back out you can have 10% - and what person doesn’t want 10% of £10,000 or whatever is promised? Once someone’s bought into the principle, ‘fees’ suddenly materialise for the transfer of the money which you have to pay in order to receive the funds. People keep paying until they decide they’ve have had enough - and they never get any money.
This attack plays into scarcity and rewards – the prospect of getting something for nothing.”
“There is the ‘trapped abroad’ scam. You receive an urgent email from someone you know saying they’ve been robbed while on holiday and they need you to send them travelers’ cheques. They do it in summer because it’s when people have gone away. They make it urgent, so people don’t check in with the person by other means and leverage the emotional ties to a loved one in need.”
“Phishing attacks are becoming more sophisticated because attackers can portray themselves as someone you know [known as spear phishing]. They’re able to do this because they’ve already gained access to your email account or address book. This attack targets our trust. It aims to trick us into divulging information by posing as someone or an organisation we trust.”
“It’s clear that some attackers are very good at what they do and have obviously done their homework.
Success at social engineering is a skill which is honed over time. Those attackers learn what works and what doesn’t. Criminals will see what works and add their own take on approaches to improve it. So, hacks get better, more effective and more sophisticated over time.
People think of cybercriminals as kids in their bedrooms just trying it out, but these people are doing this as a business, so it’s no surprise that they research what works and what doesn’t.”
“Yes, I think that’s a good link to make. Even with phishing, we’re seeing more and more sophisticated ways to manipulate people and get their information.
Most of the time people can spot a scam – bad grammar, spelling mistakes – but the ‘in a rush’ factor means we might not notice or pay attention to the fact there’s a typo in the email. Criminals know that they can play on the fact that we’re increasingly pushed to be multitaskers, that time is short. They know that if they can create a sense of urgency, their attack will perform better as we make more mistakes when we rush.”
“We’re on the cusp of a lot of things. The internet and other technological issues are infiltrating popular culture.
The problem is that technology is often far in advance of the conversations society should be having. Technology comes first, the psychological reaction comes second. We don’t have enough time to research the effects, or potential effects, of new technology. It’s always created and made available unchecked, and we have to respond afterwards.
There are debates around artificial intelligence and how that will impact human interactions. We should have the debates before we make the products available.”
“Exactly! The IoT is just another layer to the security threat. People think, ‘the internet of things sounds great, let’s do it!’ But they don’t think: ‘there might be some risk, there might be some threats, let’s not do anything until we’ve actually understood what we’re going to do.”
“Most people are oblivious to the risks that are online.
There are still people who think it’s a good idea to have single passwords for multiple online accounts - or share passwords. If attitudes were changing that wouldn’t be the case.
A recent study shows that within a local region, 70% were in the ‘at risk’ categories (for example: businesses, 16-25yearolds, and the elderly) for cybercrime. It wasn’t just old people either. And it wasn’t just young people. It was across the population – 18-60.
People think that young people are the best adjusted and equipped for life online, but I think it’s the young population who are most at risk. It’s pretty simple: if the internet is where the dangers are and being online makes you vulnerable, the more you’re online, the more at risk you are – especially if you trust the internet, which young people seem to.”
“It’s not gullibility, it’s a lack of awareness about the risks.
If I said to you, ‘leave your door open’, you’d say ‘shut up, I’ll get robbed!’ But if I said ‘go to the local public Wi-Fi and check your bank details’, you’d probably do that. ‘It’s on my phone, it’s secure, fine’.
We know that people can intercept that Wi-Fi to snoop, get into your device or gather your information, but other people don’t know, so they continue to do it. Not enough people know these threats exist and, until they do, they’ll continue to be the victim of new and innovative approaches to cybercrime.”
“It’s all about general awareness – a holistic approach to cybersecurity. Most individuals tend to compartmentalize it: ‘I have cybersecurity at work and then I have cybersecurity at home – I’m covered’.
But this is a misnomer: an individual can introduce their own risk into the workplace and vice versa. We need to treat cybersecurity as holistic to the individual: is every piece of hardware and software they use, and every action they take everywhere, secure? Because every action can impact multiple places.
And everyone needs to be secure. You might be well protected, but if someone in your office downloads the latest episode of Game Of Thrones from some shady site, brings it into the office on a USB and plugs it in… before you know it, you’ve got malware all through the system. Cybercriminals only need a 1% gap and they’re into 100% of the system.
It is absolutely essential to educate employees about the potential risks because, if you don’t, you and your business are open to attack.”
Dr Lee Hadlington is Chartered Psychologist and Associate Professor in Cyberpsychology and within the Health and Life Sciences faculty, at De Montfort University, Leicester in the UK.
His research covers the psychological effects of various aspects of the internet and, in particular, cybersecurity. His research publications include: Is Media Multitasking Good for Cybersecurity?, The ‘Human Factor’ In Cybersecurity: Exploring the Accidental Insider and Exploring the Psychological Mechanisms used in Ransomware Splash Screens.
Security breaches due to cybercrime increased by 27.4% in 2017. Avast has developed specific antivirus solutions with advanced threat detection, which supports businesses and their employees.
Learn more about our managed endpoint protection software for small businesses.
How SMBs can keep data and devices protected - no matter where work is being done.
How organizations can become more cyber resilient, and how they can fix blind spots in their cybersecurity strategy.