In the run-up to Black Friday and Cyber Monday, cyber experts at global security company Leonardo, which has a site in Bristol, are keen to help shoppers stay safe online and out and about, drawing on research that suggests that around 98% of all cyber-attacks are initiated by exploiting human habits and behaviour.
Bristol-based Principal Cyber Consultant Ben Cowley said: “Black Friday and Cyber Monday turn a careful shopper into a hurried one, and a sense of urgency is the primary tool used by the cybercriminals. They don’t simply hack cyber security, they hack human behaviour.”
During sale periods such as Black Friday and Cyber Monday, cybercriminals can use those predictable human behaviours to their advantage.
Ben said: “When it comes to emails, apply a ‘zero trust’ mindset. Never click links from unexpected emails or texts about deliveries, even if they look familiar; always navigate directly to the retailer’s official website or app.”
A key trick used by cybercriminals is to add an air of familiarity to their approach, so that it aligns with your normal daily habits. So, they will copy the emails you might receive from a retailer you use frequently or try to get you to click on a link for a special sale offer that has the hallmarks of a legitimate deal.
Nicole Hooker, Lead Human Factors Specialist, Engineering Services at Leonardo said: “Human habits play a huge role in the exploitation of shoppers. Our brains rely on mental shortcuts – quick rules of thumb that help us make decisions without overthinking every click, especially during busy periods like Black Friday. On top of that, we have a familiarity bias: if a message or a website looks like something we’ve seen before, we tend to assume it’s safe. Criminals design their scams to tap into both – the shortcut and the sense of familiarity, so we act quickly instead of stopping to check.”
The National Cyber Security Centre, of which Leonardo is an accredited cyber security consultancy provider, defines social engineering as a broad range of malicious activities accomplished through human interactions. Typically, social engineering uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.
This covers everything from online cyber security risks such as phishing emails, to those in the real world, such as reading another person’s secure information in a public place by shoulder surfing, or even setting up a fake WiFi router to clone sensitive card information.
It can also cover more intricate and sophisticated ploys, in which the cybercriminal builds the victim’s trust over a period of time and then prompts actions that give access to their sensitive data or to critical resources.
In the run-up to the festive season, people often consider career moves, so social engineering can take on a whole new meaning. Cybercriminals will set up fake LinkedIn accounts posing as recruiters, to build trust and initiate correspondence right up to the job offer.
Whether it’s an unsolicited email sale offer, an online job offer, or someone standing too close to you in a shop trying to clone your card information, Ben’s advice is always the same.
Ben said: “A healthy level of scepticism is your best defence; it’s the digital equivalent of looking both ways before you cross the road. Trust but verify; take that extra second to think before you click.”



