Cyberattacks and cognitive biases: what are our behaviours?

Someone recently received a fake ‘court summons’ by email accusing him of child pornography and asking him to send in his ‘justifications’ within ’72 hours’ or risk arrest.

He was the target of a cyberattack based on social engineering where the attacker takes advantage of the vulnerabilities of the victim through social interaction to breach the security of cyberspace. Among these vulnerabilities are cognitive biases.

The attacker tries to get the target to develop certain behaviours that they expect from them to succeed in their objective: the victim, persuaded to think and act correctly, will in fact use a biased mode of thinking as the basis for their behavioural response.

The cognitive biases involved in a cyberattack differ depending on the strategy deployed by the attacker. What are the cognitive biases produced by a strategy of persuasion, a strategy that takes advantage of social demands and a strategy of urgency, which are often chosen to harm far too many companies?

Cognitive biases produced by a strategy of persuasion

The attacker approaches their target by making them believe that they are both similar and share the same tastes and ideas to evacuate any conflicts and facilitate cooperation. They may also make the target believe that they have a social status that gives them a certain authority.

This strategy can cause a similarity bias whereby the target gives credibility to the attacker because of their demographic, sociological, or ideological proximity, and a stereotyping bias whereby the target—without even knowing the attacker personally—attributes them certain characteristics associated with the group to which they claim to belong as a way to show closeness to the target.

An example could be a phishing attack to harm a humanitarian organisation: in the email sent to an employee of the organisation, the attacker presents themself as a member of another humanitarian organisation close to its values and sends an invitation to a charity event. The employee confidently opens the file containing the invitation and unknowingly loads malware.

This strategy can also lead to an authority bias whereby the target gives credibility to the attacker because of the social position or skills they claim to have. This bias can be associated with the expertise bias as a tendency to confer on an individual—because of their social status linked to intellectual or technical skills they hold—a particular knowledge that they do not have, and with the objectivity bias as a propensity to grant a certain credit to an individual because of the objectivity that they claim in a given situation.

Another example could be a new employee of a small startup that chattel accommodation between individuals who manages the customer service department alone, working from home and at weekends: the attacker sends them an email in which they introduce themself as one of the developers of the startup’s app. The text of the email asks the employee to call the sender at a specified number to give them the code for their account to access the back office of the startup’s website because the sender has forgotten theirs. The latter pretexts the necessity to perform an operation that is not in their supposed field of competence. The new employee calls them and gives them their code because they attributes to the sender an authority, an expertise, and an objectivity that they do not actually have.

Cognitive biases produced by a strategy that takes advantage of social demands

The individual’s willingness to conform to the group in which they find themself to be accepted by others and their propensity to respect a moral duty of charity in the face of a request for help are examples of social requirements that an attacker uses to take advantage of their target.

Associated with this strategy are the wishful thinking bias, which refers to the formation of decisions and beliefs based on the desires of the imagination rather than on reality, and the conformity bias, by which an individual conforms to the attitude of others, whatever it may be.

Imagine an attacker sending an email to several employees to thank their company for supposedly using their computer troubleshooting services. They explain that they have just started a business at the age of 22 (with a photo and a sweet and naive smile) after a difficult period of unemployment and that the employees can help them by giving them a favourable evaluation of their intervention on a website by clicking— »as 99% of my customers »—on the link specified. Although they do not know whether this intervention really took place (given the size of their company), some employees—touched by the sender’s story, which they want to believe (wishful thinking bias), and following a Reply to All sent by one of them or an accomplice wishing the sender « good luck »—respond favourably to the request (conformity bias) by clicking on the link, which results in triggering a virus.

We can associate other cognitive biases with this example. Indeed, the employees who clicked on the link may also be influenced by the sentence stating that « 99% of my customers » respond to the request: this is the framing bias whereby information is interpreted according to its positive or negative presentation. Furthermore, the candid face chosen for the photo may give them confidence: this is the halo effect , described as a tendency to be influenced positively or negatively in the overall judgement of a person or group solely on the basis of the first impression they give.

Cognitive biases produced by an emergency strategy

The aim is to induce anxiety in the target by conditioning the timing of their behavioural response so that it is driven only by fear and stress.

The attacker uses this method in a ransomware attack. By means of blackmail, the attacker exploits the action bias , which is a tendency to act necessarily when a problem arises rather than take the time to think before trying to solve it. Thus, even though companies know it is better not to pay, many give in to the attacker’s demand.

The attacker may also use this strategy by asking the target for urgent help. In this case, they seek to avoid the witness effect , described as a tendency not to rescue an individual when others are around: the attacker will show their target that only they can help him.

For example, the attacker sends an email only to the secretary of Mr B., the CEO of a company, saying: « I am with Mr B., his phone has run out of batteries. He asks me to send you the attached form, which must be filled in and forwarded to me AS SOON AS POSSIBLE, otherwise it will be a disaster! » Even though the secretary does not know the sender of the message, they panic—thinking that no one else can help—and open the file, thus downloading malicious software.

A solid shield to avoid being fooled by the cyber Machiavellianism of the attacker is the Stoic wisdom of Marcus Aurelius: « Begin the morning by saying to yourself, today I shall meet with the busy-body, the ungrateful, arrogant, deceitful, envious, unsocial. »