Scammers employ strong emotions like embarrassment and fear as levers to compel their victims to engage in self-destructive behaviour. Security professionals can’t shy away from controversial topics. To protect our users, we must teach them how to recognize and properly report a scam that relies on mortifying topics or language.
Embarrassment and fear are powerful emotions; that’s why scammers use them. Just the right measure of embarrassment and fear can turn an ordinary phishing attack or social engineering campaign into a dangerously effective weapon. Why? Because strong feelings of embarrassment and fear can compel a target to abandon their cyber defence training and engage in self-destructive behaviour. Emotional attacks work.
As a telling example of this technique, the U.S. Navy’s Criminal Investigative Service (NCIS) announced on 28th November that they had arrested a ring of clever (and insidious) fraudsters in the amusingly titled Operation SURPRISE PARTY. This multi-departmental effort traced an extortion scheme to a group of inmates operating from inside the prison system. From the article:
‘South Carolina inmates, aided by outside civilian associates, identified and targeted military service members through social media forums and online dating websites. The prisoners, using fictitious online personas, preyed on service members to engage in online romantic relationships and then extort the service members for money.’
All told, 442 American service members were victimized. In each case, the scammers pretended to be potential romantic partners on social media sites and online dating apps. After the victim responded to the fake persona, the scammer would introduce a second fake persona – usually as the romantic partner’s father, sometimes as a law enforcement officer – and claim that the ‘girl’ was a juvenile. The ‘adult figure’ persona would threaten the service member’s career if they didn’t pay off the ‘family’ to keep quiet. In total, the criminals got away with more than $560,000 before the military coppers shut them down.
I used to work with these folks. Real-world arrests are a lot more calm and quiet than the ‘rappelling commando’ scenes that we see in action movies.
Setting aside the fact that these scammers accomplished their ruse from inside the correctional system with only contraband smartphones and a library of images, what makes this case relevant to us in Security Awareness is how brutally effective the scammers were at convincing their victims to pay up. The scammers used a potent cocktail of embarrassment and fear to push their victims beyond the capacity for rational thought and straight into a reactive, compliant state of mind.
Why does this interest us? Our users are just as vulnerable to an attack targeting those same emotions and motivators. The attack might not involve dating sites or fake romantic partners, but the fundamental building blocks of the scam are the same: embarrassment and fear. To protect our users, we must talk about real-world scammer tactics when we teach phishing defence. That means holding frank – and sometimes uncomfortable – discussions about topics that don’t normally come up in a corporate training room.
Last March, two colleagues were hit on their corporate email accounts with parallel phishing attacks fifteen minutes apart. In each message, the scammer claimed to have captured embarrassing webcam footage of the victim and demanded a bribe in Bitcoin. The scammers threatened to release the compromising video footage to every contact on the victim’s PC if they didn’t pay.
This phishing attack targeted victims’ work emails because the proposed ‘embarrassing video’ increased the psychological pressure on the victim to pay the attacker just in case the threat was real. The amount demanded sat just under a common psychological threshold: high enough to be lucrative for the attacker, but low enough that a victim was unlikely to balk at paying … or to involve the police or corporate security.
Fortunately, those targeted users recognized the phish as a bluff and reported it immediately (just as they’d been trained). Rather than feel smug that our phishing defence course worked as intended, we alerted the entire company to the new threat and then added the attack messages to our home-grown Phishing Defence Skills course. We’ve been teaching this example ever since, with special emphasis on how the scammer uses embarrassment and fear to ‘push’ a victim into reacting rather than reporting.
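As an added example (not code from the original post), the following Python triage helper scores an inbound message against the traits of the webcam-extortion template described above and groups near-simultaneous hits into a single campaign for the company-wide alert. The trait weights, the threshold and the sample messages (including the Bitcoin address) are constructed assumptions, not values from the incident.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Traits of the extortion template described in the post, each as a compiled regex and a weight.
TRAITS = {
    "webcam_claim":    (re.compile(r"\b(?:webcam|camera|recorded you|video of you)\b", re.I), 2),
    "contacts_threat": (re.compile(r"\b(?:send|release|forward)\b.{0,60}\b(?:contacts|friends|colleagues)\b", re.I | re.S), 2),
    "crypto_demand":   (re.compile(r"\b(?:bitcoin|btc)\b", re.I), 2),
    "deadline":        (re.compile(r"\b\d+\s*(?:hours?|days?)\b", re.I), 1),
    "secrecy":         (re.compile(r"\b(?:don'?t|do not)\s+(?:contact|tell|go to)\s+(?:the\s+)?(?:police|authorities|security|anyone)\b", re.I), 1),
    # Legacy base58 or bech32 Bitcoin address shape; the address in the constructed sample below is not real.
    "btc_address":     (re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b"), 2),
}
THRESHOLD = 5  # assumed tuning value: one or two traits alone (e.g. "webcam" in an invoice) do not trip it

def score_message(body):
    """Score one message body against the traits; return the score, the traits hit and a verdict."""
    hits = [name for name, (rx, _) in TRAITS.items() if rx.search(body)]
    score = sum(TRAITS[name][1] for name in hits)
    return {"score": score, "traits": hits,
            "verdict": "sextortion" if score >= THRESHOLD else "clean"}

Message = namedtuple("Message", "recipient received body")

def find_campaigns(messages, window=timedelta(minutes=30), min_size=2):
    """Group flagged messages arriving within `window` of the group's first one, so parallel deliveries surface as one campaign."""
    flagged = sorted((m for m in messages
                      if score_message(m.body)["verdict"] == "sextortion"),
                     key=lambda m: m.received)
    campaigns, current = [], []
    for m in flagged:
        if current and m.received - current[0].received > window:
            if len(current) >= min_size:
                campaigns.append(current)
            current = []
        current.append(m)
    if len(current) >= min_size:
        campaigns.append(current)
    return campaigns

# Constructed sample traffic (not the messages from the original post): two parallel extortion mails and one benign invoice.
RANSOM = ("I put malware on a site you visited and your webcam recorded you. Pay 0.3 Bitcoin "
          "to bc1qconstructedsampleaddressx0000000000 within 48 hours or I will send the video "
          "to all your contacts. Do not contact the police.")
SAMPLES = [
    Message("alice@example.com", datetime(2019, 3, 12, 9, 0), RANSOM),
    Message("bob@example.com", datetime(2019, 3, 12, 9, 15), RANSOM),
    Message("carol@example.com", datetime(2019, 3, 12, 9, 20), "Invoice for the new meeting-room webcam attached; please approve within 2 days."),
]
```

Running `find_campaigns(SAMPLES)` returns one campaign containing the two messages delivered fifteen minutes apart, while the invoice that merely mentions a webcam and a deadline stays below the threshold.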
People are hardwired to react swiftly and predictably to the sudden appearance of unexpected threats. Cybercriminals cynically take advantage of this to seize the initiative and drive the encounter to a resolution of their choice.
Some colleagues are shocked by these examples; the language employed by the scammers is definitely not fit for regular publication. The situations evoked or described are often topics that would get a worker fired (or severely reprimanded) in nearly any corporate job. That, however, is the point: by using shocking and offensive situations and language, the scammer is attempting to trigger a heightened emotional state.
In training, we take great care to clinically deconstruct the attack and discuss why it’s effective. We acknowledge there are prurient elements in the attack so that users can learn how and why the attacker’s choices are crafted to stimulate a specific response. Optimally, our users leave the class understanding the ‘call-to-action’ mechanism that phishing attacks require to compromise a victim. We also show how a specific attack is engineered to discourage a victim from engaging either the police or us.
Yes, this can be an uncomfortable discussion. There’s a risk of embarrassment just in talking about real-world attack examples. It’s necessary, though, if we want to equip our users with the skills and judgment they’ll need to protect both themselves and the organisation. We need users to understand they can always come to us with their concerns. Our role is to protect our people, not to judge or belittle them.
Further, we emphasize that speed is crucial when it comes to a phishing attack response. The sooner that Security knows how to recognise the new attack, the sooner that we can inoculate the rest of the user population against it. We can only do that if our people bring the new threat to our attention.
Including the Defense Criminal Investigative Service (DCIS), U.S. Army Criminal Investigation Command (CID) and U.S. Air Force Office of Special Investigations (AFOSI).