Technology moves fast. And so do hackers. But, you know what doesn’t move fast? Human habits. Our brains are wired to fall for the same scams we’ve been falling for since the dawn of time. Even now, people and companies get hacked in the same ways - over, and over, and over. But it doesn’t have to be that way!
The principles of persuasion
The principles of persuasion were extensively researched and popularized by psychologist Robert Cialdini in his book “Influence: The Psychology of Persuasion.” These principles describe how people can be influenced into taking a specific action, and we hackers apply them whenever we get into an organization through its people.
Here are the seven principles of persuasion:
Manipulating urgency: exploiting time pressure for compliance
We’re all busy. At any given time we have 312 browser tabs open, we’re communicating on three different apps on our phones, we’re in video meetings while we answer email, and our calendars barely leave us time to eat a quick, sad salad at our desks.
Hackers know this.
Social engineers exploit urgency deliberately. A request framed as "right now" pushes the target into a hasty decision that skips the critical thinking and rational judgment they would normally apply, and that is exactly the moment a scam works.
How to protect your organization... and yourself
Importance of unique passwords and password managers
One common tactic is a fake website that closely resembles a legitimate one, built to trick users into typing their login credentials or other sensitive information into it. A password manager defends against this because each saved login is tied to the domain of the site it was created on, and the manager only offers to autofill when the domain of the page you are on matches. If it does not recognize the site and does not offer to fill, that is a red flag: the page may look right, but the address is not the one your credentials belong to. This check happens automatically, so by relying on a password manager, you and your team get a built-in safeguard against fraudulent login pages. The caveat is that it only works if people let the manager fill rather than copying the password out by hand when the prompt fails to appear.
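The matching rule described above, as an added example that is not Bitwarden's code or anything from the original post. It models the common behaviour of a password manager: a saved login is bound to a host, and autofill is offered only when the page's host is that host or a subdomain of it and the page is served over https. The vault entry, the `example.com` hosts and the lookalike URLs are all constructed for the illustration; the point is that string containment is never used, so `accounts.example.com.evil-login.net` and `accounts.example.com@evil.net` get no autofill.

```python
"""Added example: how a password manager decides whether a saved login applies
to the page being viewed. Constructed vault and URLs; not a real product's code."""
from urllib.parse import urlsplit

# Constructed vault: one saved login bound to the host it was created on.
VAULT = {
    "accounts.example.com": {"username": "alice@example.com", "password": "correct horse"},
}


def host_of(url: str) -> str:
    """Lower-cased host name only: userinfo ('user@') and port are stripped,
    so 'https://accounts.example.com@evil.net/' yields 'evil.net'."""
    return (urlsplit(url).hostname or "").lower()


def host_matches(saved_host: str, page_host: str) -> bool:
    """True only if page_host is saved_host or a label-wise subdomain of it.
    Substring containment is deliberately NOT used: the lookalike
    'accounts.example.com.evil-login.net' contains the saved host but is a
    different registrable domain, and must not match."""
    return page_host == saved_host or page_host.endswith("." + saved_host)


def autofill_candidate(page_url: str):
    """Return (username, password) if a saved login applies to page_url, else None.
    None is the red flag the text describes: the manager stays silent on lookalikes."""
    if urlsplit(page_url).scheme != "https":   # never fill over plaintext http
        return None
    page_host = host_of(page_url)
    for saved_host, creds in VAULT.items():
        if host_matches(saved_host, page_host):
            return creds["username"], creds["password"]
    return None


def triage(urls):
    """Map each URL to the manager's verdict, for a quick demonstration."""
    return {u: ("autofill" if autofill_candidate(u) else "NO MATCH - check the address")
            for u in urls}


if __name__ == "__main__":
    # Constructed URLs: the real login, a subdomain, and several phishing lookalikes.
    for url, verdict in triage([
        "https://accounts.example.com/login",
        "https://sso.accounts.example.com/",
        "https://accounts.example.com.evil-login.net/login",
        "https://accounts-example.com/login",
        "https://accounts.example.com@evil.net/login",
        "http://accounts.example.com/login",
    ]).items():
        print(f"{verdict:32} {url}")
```

Running it shows the first two URLs get autofill and the remaining four do not; the last one is the same host but over http, which a careful manager also refuses.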
Passwords aren’t the be-all and end-all when it comes to security. Your teams must use strong and unique passwords stored in a password manager AND multi-factor authentication (MFA).
MFA is a security measure that requires you and the members of your team to provide multiple forms of verification to access a system or account, adding an extra layer of protection beyond traditional username and password combinations. MFA typically combines two or more of the following:
Something the user knows (such as a password)
Something the user has (such as a hardware security key or an authenticator app on their phone that generates one-time codes)
Something the user is (such as a fingerprint or facial recognition)
Many people in your organization will recognize and be familiar with MFA since so many consumer apps and websites now offer it, but they might not understand its importance or find the extra step too complicated or a waste of time. Understanding The Why behind MFA is the key to getting buy-in from your team.
The importance of MFA lies in its ability to significantly enhance security by mitigating the risks associated with stolen or weak passwords. Even if an attacker manages to obtain someone’s password, they would still need access to the additional authentication factor to gain entry. This significantly reduces the likelihood of unauthorized access and compromises.
MFA helps protect against threats such as phishing attacks and credential stuffing (when hackers find your password in a breach and try to log into your other accounts with it). By requiring an additional form of verification, MFA adds a barrier that makes it harder for hackers to impersonate legitimate users. It can also serve as an early warning: an MFA prompt or push notification the user did not initiate means someone else already has their password, and that is the moment to change it and report it.
Implementing MFA is crucial, especially for sensitive accounts or systems containing confidential information. It helps prevent unauthorized access, data breaches, loss of brand trust, and identity theft. By embracing MFA and convincing everyone else in your organization to use it, you can significantly bolster security and protect valuable company assets.
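To make the "something the user has" factor concrete, here is an added example (not from the original post, and not Bitwarden's implementation) of the time-based one-time password scheme that authenticator apps use: TOTP from RFC 6238, built on HOTP from RFC 4226. It shows why a phished password alone is not enough: the server needs a code derived from a secret that never leaves the user's device, and the server-side verifier below also refuses to accept the same code twice, so a code captured by a phishing page cannot simply be replayed. The key is the published RFC 6238 test-vector key, not a real secret; the `TotpVerifier` class and its one-step skew window are this example's own design.

```python
"""Added example: TOTP (RFC 6238) on top of HOTP (RFC 4226), with a server-side
verifier that tolerates one step of clock skew and rejects replayed codes.
The secret is the RFC test-vector key, used here only so results are checkable."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, then reduced modulo 10^digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since
    the Unix epoch. Device and server compute this independently from the shared
    secret and their clocks; nothing is transmitted except the resulting code."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side of the exchange (example design). Accepts a code for the current
    step or one step either side to allow clock drift, and remembers which step each
    accepted code belonged to so the same code is never accepted twice."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30):
        self.secret, self.window, self.step = secret, window, step
        self.used_steps = set()

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        for candidate in range(now_step - self.window, now_step + self.window + 1):
            if candidate in self.used_steps:        # replay: already consumed
                continue
            expected = hotp(self.secret, candidate)
            # constant-time comparison so timing does not leak partial matches
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.used_steps.add(candidate)
                return True
        return False


RFC6238_SECRET = b"12345678901234567890"   # RFC 6238 SHA-1 test-vector key, not a real secret

if __name__ == "__main__":
    # Times from the RFC 6238 test table; the 6-digit codes are the last six digits
    # of the RFC's 8-digit SHA-1 results (e.g. 94287082 -> 287082 at t=59).
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000):
        print(t, totp(RFC6238_SECRET, t))
    v = TotpVerifier(RFC6238_SECRET)
    print("first use :", v.verify(totp(RFC6238_SECRET, 59), 59))   # accepted
    print("replayed  :", v.verify(totp(RFC6238_SECRET, 59), 59))   # rejected
```

The replay check is the part worth copying: an attacker who proxies a login page and captures a valid code still has to use it before the legitimate user does and within the 30-second window, and a verifier that tracks consumed steps makes even that single attempt fail if the real login completed first.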
We know from Verizon’s 2023 Data Breach Investigations Report (DBIR) that stolen credentials remain one of the most common ways attackers get in, and password reuse is what turns one breach into many. Someone may use the same password for their movie streaming site and their email. When the streaming site gets hacked, I can plug the exposed email and password into that person’s bank, and because I now also have access to their email, I can reset all of their other passwords.
Most of the time when I’m hacking someone, it doesn’t even require that much effort. My first attack method is to determine if I can find the target’s password in a breach. Oftentimes, I’m not even targeting a person or organization specifically. Sometimes you and your organization just get caught up in a CSV file with thousands of lines, and you happen to be in it because you were part of the breach – and now every other account that reuses that password is compromised in the process.
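Here is the defender's version of that first move, as an added example that is not part of the original post: the breached-password screen a signup or password-change form should run, so a reused password is rejected before it can be stuffed into another account. The breach rows are constructed stand-ins for the CSV described above, and the prefix-bucket index models the k-anonymity "range" lookup that real breached-password services expose (client sends only the first five hex characters of the SHA-1, server returns the matching suffixes with counts). The function names are this example's own.

```python
"""Added example: screening a candidate password against a breach corpus.
The corpus is constructed; hashing and prefix bucketing follow the common
k-anonymity range-lookup shape so the checker never needs the plaintext list."""
import hashlib

# Constructed "breach dump" rows (email, plaintext password), as they would
# appear in the CSV an attacker downloads. Addresses are reserved example domains.
BREACH_ROWS = [
    ("alice@example.com", "Summer2023!"),
    ("bob@example.net", "password1"),
    ("carol@example.org", "Summer2023!"),          # same password reused by someone else
    ("dave@example.com", "correcthorsebatterystaple"),
]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password; SHA-1 is what range services key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(rows):
    """Index the dump the way a k-anonymity range API serves it: keyed by the
    first 5 hex chars of the SHA-1, each bucket holding 'SUFFIX:COUNT' lines.
    A client only ever sends the 5-char prefix, so the server learns nothing
    about which password is being checked."""
    counts = {}
    for _, pw in rows:
        digest = sha1_hex(pw)
        counts[digest] = counts.get(digest, 0) + 1
    index = {}
    for digest, n in counts.items():
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{n}")
    return index


def breach_count(password: str, index) -> int:
    """How many times `password` appears in the indexed dump (0 = never seen).
    Mirrors the client side of a range lookup: fetch the bucket for the prefix,
    then match the remaining 35 hex chars locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in index.get(prefix, []):
        bucket_suffix, count = line.split(":")
        if bucket_suffix == suffix:
            return int(count)
    return 0


def credential_exposure(email: str, password: str, rows, index) -> str:
    """Verdict for a login the user wants to set:
      'reused-pair'          the exact email+password pair is in a dump, so
                             credential stuffing against this user will work
      'breached-password:N'  the password itself is known (N occurrences), so it
                             is on every attacker's wordlist even if the pair is not
      'clean'                not found in the corpus"""
    if any(e.lower() == email.lower() and p == password for e, p in rows):
        return "reused-pair"
    n = breach_count(password, index)
    return f"breached-password:{n}" if n else "clean"


if __name__ == "__main__":
    idx = build_range_index(BREACH_ROWS)
    for email, pw in [("Alice@example.com", "Summer2023!"),
                      ("eve@example.com", "Summer2023!"),
                      ("eve@example.com", "xQ9#v-not-in-any-dump")]:
        print(f"{email:20} {credential_exposure(email, pw, BREACH_ROWS, idx)}")
```

Rejecting the first two verdicts at password-set time is what breaks the chain the text describes: the streaming-site breach still happens, but the same password is never allowed to guard the email account.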
Let’s talk threat modeling
Threat modeling is how you determine your level of risk and how likely it is that you’ll experience a hacking attempt. It is how you identify and evaluate the potential threats and vulnerabilities facing your enterprise and how likely each is to be realized. Your individual threat model, for example, is based on many factors such as:
Imagine me in hacker mode, browsing through social media, when I come across a selfie of an executive sitting at their desk working with their dog in their lap. Adorable, yes. But I’m not looking at the goldendoodle. I’m more interested in the laptop in the background. As an exec, they probably know enough not to have their email or any sensitive documents open on screen. They’ve minimized all the windows before they snapped the photo, and all I see is the beautiful mountain-scape desktop background they’ve never bothered to change. Now I know what operating system they use, and I can tailor malware to work on their machine.
Like I mentioned, folks in the public eye have a high-threat model. This includes anyone in the C-suite of a large corporation. This also includes anyone in your organization with a large following or a person who has access to something that people want, whether that’s money, personal information, or details about a merger and acquisition.
One trick I use in hacking VIPs is called spoofing, which means I use software to make it look like a VIP is calling you on your caller ID, when in reality it’s just me on my phone. I’m not actually the board member you need to speak to quickly. I might then invent some scenario to convince you to email me the latest M&A deck at a new email address.
People like your VIPs and executive team have a high-threat model and are more likely than most individuals to receive a targeted phishing attack or to be spoofed over the phone, email, text message or social media. Some execs with high-threat models will experience attempted hacks at least once a quarter, if not once a week. Some people with extremely high-threat models see attempted hacks every single day.
Protecting your VIPs
Protecting individuals in your organization who have high threat models requires a comprehensive approach that addresses social engineering prevention along with physical and digital security. Here are three key strategies to consider:
Emulating your brand voice
While hacking methods may change, the goals of cyber criminals stay the same. Even if a hacker is using AI methods to impersonate or trick, they are likely still going after the same goals: money, access, data, and influence. Because the goals stay the same during these hacking attempts, many defense recommendations stay the same, too:
Use strong and unique passwords stored in a password manager to prevent password-based attacks or compromising more accounts after a data breach.
Use the right MFA for your threat model.
Use multi-factor communication: Be politely paranoid and use 2 methods of communication to confirm someone is who they say they are before fulfilling their request (you can catch me impersonating an executive’s voice during a social engineering call attempt this way almost every time!).
Recent data on passwords and password managers
Passkeys and the passwordless revolution
Looking into the future can be scary, but it doesn’t have to be. For me, envisioning the security landscape ten years from now sparks an exhilarating mix of optimism and caution. As technology evolves, I foresee a significant decrease in our reliance on traditional passwords. Password-based security, prone to reuse, phishing, and human error, will slowly fade into obsolescence. Instead, passkeys will take center stage, transforming the way we authenticate.
However, as we embrace the promise of passkeys, we need to realize this transformation will take time. Security changes slowly – my prediction is that passwords will be around for years to come and we’ll gradually transition to passkeys over the next decade.
Bitwarden does both – they’ve got the password manager for now, and the passkey integrations to support the future of authentication. Now, over to Bitwarden to close us out!