What causes users to click on malicious links?
Arun Vishwanath, professor of communication at the University of Buffalo, has published an interesting article in The Conversation explaining human frailty when it comes to cybersecurity. The article mainly exemplifies cases of spearphishing fraud, which is nothing more than a highly personalized and effective form of phishing designed to hook users, especially in corporate environments.
This type of attack is particularly dangerous because, once the user clicks on the received link or advertisement, malware is installed on the machine and treated by the system as a trusted internal agent, so no antivirus will act against it. Thus, humans are the target of spearphishing because, in this case, they are the only barrier protecting the data.
Professor Vishwanath also presents in the article the research he developed with other collaborators on human behavior in the face of cyber fraud. The study is called S.C.A.M., an abbreviation for Suspicion, Cognition, Automaticity Model, an interesting title for the theme, given the original meaning of this word.
In short, the study aimed to understand what leads users to click on malicious links. Among the findings obtained, the most general and relevant can be summarized as follows:
1) FIRST OF ALL, THE USERS WE REFER TO ARE HUMAN, NOT ARTIFICIALLY PROGRAMMED BOTS.
Human beings naturally rely on cognitive efficiency, that is, we seek and prefer mental shortcuts when performing an action. In a spearphishing situation, on seeing a familiar promotion from a shop one visits regularly, or the logo of the bank where one has an account, a person would hardly think twice before clicking, because the immediate action is a mental shortcut.
Therefore, the impetus of cognitive efficiency often ends up preventing us from examining the information in the link or promotion before clicking on it.
2) NEWS ABOUT MALWARE MAINLY INFECTING COMPUTERS.
The frequent spread of news about malware infecting thousands of computers and driving businesses into bankruptcy makes people mistakenly believe that mobile operating systems are safer or immune to cyber attacks. With this in mind, users feel safer and more confident clicking on any link or opening any email on their smartphones, often even downloading unofficial applications and leaving the phone's "developer" mode enabled.
3) BELIEF THAT ONLINE ACTIONS ARE 100% SAFE.
The false image, often propagated by the media, that banking transactions are safer online, that virtual purchases are faster and easier, etc., makes people lower their guard, so they make little effort to review the messages and links they receive or send, or even the websites on which they carry out such transactions.
4) THE CONSTANT USE OF SOCIAL MEDIA, MESSAGES AND EMAILS.
The greater the use of virtual and online resources, the greater the user's confidence in their way of acting online. This confidence is not always beneficial, because it makes people less aware of some ever-present dangers.
Possible Solutions
Given these problems, the main solution presented by Vishwanath is to train and prepare users so that they do not fall for spearphishing or any other type of cyber fraud. The professor's study points out that some basic steps for preparing suitable training for a given business environment would be:
- Detect the main causes that lead users in that environment to fall for the fraud;
- Detect who the "super detectors" are, that is, the users who hardly ever fall for fraud, and identify their ways of thinking and acting in the online environment.
By detecting the fraud-prevention habits that people in the same environment already practice, it becomes easier to teach others how to acquire the same cybersecurity habits and practices.
Cybersecurity training can be seen as a type of Human Programming or Neurolinguistic Programming. This human training technique, developed in the 1970s, consists of teaching tools to replace behaviors that are not suited to achieving one's objectives. These tools, in turn, are designed taking into account how human beings process information and experience, and how they use their senses, instincts and intuition to process data about the world.
Hacker Rangers, online software developed by Perallis Security, is one of those Human Programming tools that can help users become aware of virtual fraud and learn in practice how to prevent it. Hacker Rangers also has the distinguishing feature of being gamified! A practical and fun way to learn about cybersecurity.
Thus, as Professor Vishwanath and I concluded from the perspective of Neurolinguistic Programming, humans are the weakest link in cybersecurity, but with proper training they don’t have to be.
Hacker Rangers - Gamified platform for cybersecurity awareness