A thorough investigation of social engineering and hacking human psychology is a topic for an entire book on its own, here we’ll just focus on the highlights to bring an understanding of the basic characteristics that make us so susceptible.

A well-crafted phishing email has the following characteristics:

• It’ll blend in and be part of the normal communication flow. We’re used to receiving emails about a parcel delivery, or a notification from our bank, or a reminder from our boss, so a fake email with the same characteristics is less likely to raise our suspicions. It has the right logos, structure, format, and it looks like the expected sender so we’re more likely to take the requested action.
• It’ll appeal to our emotions. The most important part of any social engineering endeavor is to bypass the cold, logical thinking part of our mind (Cerebrum), and activate the emotions and the “fight or flight” center (Amygdala) so that we take actions we wouldn’t normally contemplate. Some approaches will appeal to greed / reward (“click here for free tickets”), some to shame / embarrassment (“I’ve got video recordings of what you did last night”), or fear / dread (“I need you to transfer this amount now or you’ll be fired”). The most common appeal is urgency; when something needs to be done “right now”, we tend to skip past our normal, suspicious questions and just get it done, often to avoid feeling the uncomfortable emotions mentioned any longer.
• It’ll have a requested action that’s not too unusual. Examples include providing personal details to your “bank”, something we remember having to do when opening an account in a new bank or resetting our network password by clicking a link and being presented with a normal looking sign-in page.

The whole effect of an effective phishing lure is short-circuiting our questioning rational mind by invoking emotions and urgency and providing an easy way to “fix the issue” quickly.

This leads us neatly to the next step – the importance of security awareness training for all your users.

This cannot be understated; you cannot build a cyber-resilient organization without involving every single person who works there. This starts with the basic awareness of asking someone unknown who isn’t wearing a badge in the office to identify themselves, and if the answer doesn’t stack up, calling security.

When someone calls you claiming to be from the IT helpdesk and asks you to approve the MFA prompt you’re about to receive on your phone, don’t assume they’re telling the truth. Always double-check their credentials first to ensure that it’s a legitimate request.

What you’re trying to foster is “polite paranoia”, making it normal to question unusual requests, and understanding the risk landscape and sharpening instincts. Most people who work in businesses aren’t cyber or IT savvy and weren’t hired for those skills. However, everyone needs to have a basic understanding of how identity theft works in our modern digital world, both in their personal and professional lives.

They also need to have a grasp of the business risks introduced by digital processes, including emails.

By having this context they’ll be able to understand when things are out of context or unusual and have enough suspicion to ask a question or two before clicking the link, wiring the funds, or approving the MFA prompt.

And this isn’t a once-off tick on a form to achieve compliance with a regulation.

Often, the long, tedious, and mandatory presentations that organizations conduct once a year or quarterly, followed by multiple-choice quizzes, are perceived as time-wasters by the staff. They want to rush through them quickly and typically forget any insights gained.

Instead, the training program should be designed to be ongoing, consisting of bite-sized, interesting, immediately applicable, and fun training modules combined with simulated phishing attacks to test users. If any user clicks on a phishing email, they should be given additional training.

Over time, the system should automatically identify users who rarely fall for such attacks and interrupt them with infrequent training, while the persistent offenders are given additional training and simulations on a regular basis.

The other reason for ongoing training is that the risk landscape is continuously changing. Some months ago, malicious emails with QR (Quick Response) codes to scan were the exception, now they’re a very familiar sight, requiring ongoing awareness of staff not to scan them on their phones (outside of established business processes).

Security experts often lament the priorities of staff, saying, “if they only took a second to read the email properly, they’d spot the signs that it’s phishing”, or “they just don’t take security seriously”.

This is a fundamental misunderstanding of the priorities and psychology of the average office worker, clicking a link in an email will at most get you a slap on the wrist, not fulfilling an urgent request by the boss can get you in serious trouble or even fired.

And this is why the entire leadership, from middle managers all the way to the C-suite must lead by example. If they do and communicate their understanding of the basics and secure processes, staff will follow suit.

But if the CFO requests an exemption from MFA or bypasses security controls regularly because “it’s more efficient”, there’s no chance that his underlings will take cyber security seriously.

What does it look like at an organization that has embraced this approach? First of all, no one fears speaking up or asking “silly questions” about weird emails or strange phone calls. If there is an incident and someone clicks something they shouldn’t have, there’s no blaming and accusations, it’s not personal, there was a failure of a process.

This brings a strong sense of psychological safety, an important foundation for cyber resiliency.

Transparency is promoted from the leadership all the way throughout the organization. Understanding that we’re all human, we’re “all in this together” and being upfront about making mistakes, without fear of retribution, will improve the cyber resiliency culture.

Talking about new cyber risks and exploring not just business risks but also the risks in people’s personal lives is another strong result of a good security culture.

Our working and personal lives are blended like never before, with people sending and receiving emails from their personal devices, sometimes even working from their personal laptops (BYOD), which means that the risks to the business aren’t confined to corporate assets and networks. 

Compromises of users’ personal identities can be used by criminals to then pivot to compromise business identities and systems.

Looking at it in the mirror – in an organization where cyber resiliency isn’t valued, staff will be fearful of making mistakes and be unsure what processes to follow if they think they might have made one. Individuals are blamed when incidents do occur, ensuring that any future issues are swept under the rug to avoid the same fate.

And staff don’t understand IT, they don’t understand the risk landscape and they routinely put the organization at risk because of this lack of understanding.

As mentioned, it’s important that security awareness training is incorporated into the work life of your users, it can’t be something that’s done once every six or twelve months. Hornetsecurity’s Security Awareness Service was designed with exactly this in mind, providing short video trainings, coupled with spear phishing simulations.

But overworked IT teams also don’t want to spend a lot of time on scheduling training and simulations, so it incorporates the Employee Security Index (ESI) which measures each user’s (and group, department) likelihood to fall for targeted, simulated, attacks.

This is mostly hands-off for the administrators, so the users who need extra training and tests receive it, whereas staff with already sharp instincts are tested less frequently. You can also track ESI over time and see the forecast for it.

Employee Security Index dashboard

There’s also a gamification aspect where users can compare themselves to others, which creates a strong incentive to be more cautious and sharpen instincts. The training material is available in multiple languages.

Another benefit of the Security Awareness Service is the statistics, it gives the security teams and business leaders data to understand the current risk profile of their staff, and where boosts of extra training might need to be deployed.