When it comes to finding a scapegoat after a company falls victim to a spearphishing scam, pointing toward the human being in the room typically isn’t unjustified or unfair.
Unfortunately for the human race, this knee-jerk response to the longtime and frequent security question – who’s to blame? – has been mostly correct, because as a species we are poor at telling legitimate emails from malicious ones. Couple the basic human desire to be helpful with the increasingly sophisticated techniques cybercriminals use in their attempts to break into an organization, and the outcome is predictable.
Socially engineered messages appeal to a very base human behavior and that is why it is such an effective strategy, says Patricia Wallace, a psychologist and former senior director of online programs and IT, Center for Talented Youth, at Johns Hopkins University.
“Social engineering causes people to drop their cognitive defenses by containing strong urgency messages,” she says, explaining that is why these messages often ask for help or touch on a topic that is quite personal to the recipient.
Whether it is an unsuspecting office worker at Stanford University’s payroll provider or someone at Snapchat, too many people just cannot help clicking on an email link, particularly one that has been carefully crafted using every social engineering tool in the box.