When you think about how you make decisions, do you consider yourself more like Star Trek's Spock or like The Simpsons' Homer Simpson? Most of us would choose, or at least strive, to be Spock: slow, calculated, precise and logical. But according to cybersecurity expert Dr. Jessica Barker, the right social engineering lure can push any one of us into a Homer Simpson-like state, and it is in that state that we fall for scams like phishing, spearphishing, vishing and business email compromise.
“Most of us think that will never happen to me. I am rational, I am logical. I think about things before I do them,” she said. “This is a comforting thought, but it’s not true. We all have two sides to our brain, thinking fast or thinking slow. Social engineers know if they can get you into the fast part of your brain, into the Homer Simpson part, you are far more likely to fall for a social engineering attack.”
Barker addressed hundreds of anti-fraud professionals at the 2018 ACFE Fraud Conference Europe last week and spoke about the three “hot states” that fraudsters tap into when attempting their scams in the hopes of clouding your better judgment:
- Authority: When an email looks like it comes from your boss or someone with a lot of authority or gravitas, you don’t want to challenge them.
- Curiosity: When social engineers mention salaries and bonuses, or when you receive an email from a friend with pictures of a wild party from a few weeks ago, you may act on your curiosity before you think.
- Temptation: When we are made to feel sexually interested in something, we don't stop to consider the dangerous situation we could be getting ourselves into.
Barker also pointed out that a new weak point in organizations’ cybersecurity might stem from an unlikely source — General Data Protection Regulation (GDPR) compliance. “One of the speculations about what we will see with GDPR is more extortion around hacks,” she said. She explained that if hackers breach an organization and access personal data it was obliged to protect under GDPR, they might see that as a new opportunity for extortion. “I think what we’re going to see is more criminal hackers approaching the organization saying, ‘I’ve hacked you. You could go public, you could disclose this [and subsequently] face the reputational damage and the fine, or you could pay me for this lesser amount.’” The leverage is the regulation itself: GDPR generally requires a personal-data breach to be reported to the supervisory authority within 72 hours, so an attacker who can prove a breach is also holding evidence of a reportable incident, and the ransom is priced against the expected fine and reputational damage.
Barker is one of the top 20 women of influence in cybersecurity in the U.K. She was joined at the conference in Frankfurt by other keynote speakers including 2017 Pulitzer Prize Winner Bastian Obermayer who worked on investigating the Panama Papers, transnational crime consultant and former director of the Centre for Fraud and Financial Crime at Teesside University Rob McCusker, vice president and head of investigations and anti-corruption at SAP Dr. Phillip Klarmann and others.