Social engineering works on all of us, regardless of how tech-savvy we are. Why is that? Dr. Erik Huffman, a founding researcher in the emerging field of cyberpsychology, the study of how the human brain works while in a cyber environment, has answers.
Talking with Michael “Roo” Fey, Head of User Lifecycle & Growth at 1Password on the Random But Memorable podcast, Dr. Huffman revealed social engineering success involves some key factors like the different ways people can influence us, generational mindsets about privacy, and certain personality traits that make people more susceptible to psychological tactics.
What can IT and cybersecurity professionals do to more effectively address the human side of security? Read the interview highlights below or listen to the full podcast episode to learn about the most impactful strategies, including applying a little cyberpsychology to your day-to-day life.
Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.
Michael Fey: “Cyberpsychologist” seems pretty niche. Did you invent the term, and how did you end up in that line of work?
Dr. Erik Huffman: No, I don’t think I invented the term. It’s new but it’s actually not new.
If you think back to the old AOL dial-up days, when your mom would pick up the phone and kick you off the internet, the big virus then was the ILOVEYOU virus. It was called that because you got an email and the title of the email was “I Love You”. We all said “aww, who loves me?” We clicked on those links and fell victim to social engineering, which is a type of psychological attack.
But how did I get to doing what I do today? I was an IT manager for a large organization, and I received my bachelor’s degree in computer science. I started as a network technician, driving store to store, fixing things. Then I received my master’s degree in IT management.
I initially thought, just like most people fresh out of college, that only dumb people get hacked. Only bad organizations get hacked. And then I found out I sucked at my job because we got hacked. I started thinking, am I stupid? Then I was like, OK, anyone can get hacked once. But then we got hacked again like three months later.
My researcher brain kicked in. I started thinking, OK, not just bad organizations get hacked, not just “stupid” users get hacked. I started thinking about what’s changed, what hasn’t changed? There’s the cliche that technology is evolving at an exponential rate – duh, we all know that.
When I started unpacking what had changed, I realized computers had changed, processors had changed, networks had changed, IDS systems changed, IPS systems changed. The only thing that has stayed the same is us.
When you think about the rate of data breaches and the rate of innovation, they mirror each other. The number of records lost has gone up, the rate of innovation has gone up, the rate of technology has gone up. One would think, if you’re just looking at the numbers, that innovation is not helping, it’s actually hurting.
But we know that’s not true. It’s not true to say, hey, your spam filter, or your IPS system, or your password manager is a problem. So instead, let’s look at the people and see how we’re contributing to our own problems and data breaches.
That unpacked an entire world for me. I’m blessed and thankful for it. But yeah, my path started when I sucked at my job, being honest.
MF: Once you took a step back and thought about the human element, what hooked you in? What made you think yes, this is what I want to focus on?
EH: The hook was when I found that it exists! That there are legitimate studies that can help us figure out how we could get a little bit better, person by person. For my first study, I went to Black Hat and started asking hackers: how do you start attacking organizations?
98% of them said, we start with people instead of technology. So I started weighing out what we do as IT and cybersecurity professionals versus what the hackers are doing, and it’s not even close to matching up.
A lot of our initial thoughts were, “I need to patch this system.” There’s even a term: human patching. We need to try to patch the people. Once I started looking at that, I’m like, we’re actually going about this the wrong way for the everyday attack.
I’m not talking about the crazy nation-state attacks where they’re sitting in their mom’s basement, Cheetos dust everywhere, and sipping Mountain Dew. Those people exist. One hundred percent. Those are dangerous threats as well. We shouldn’t say we should stop technological development.
But even this year, the Verizon data breach report says over 86% of attacks have a human element involved. Humans are still contributing to data breaches in a massive way that technology isn’t ready to patch yet.
MF: There is a generation that knew a time before and after the internet. How do you see the differences between those two generations and mindsets?
EH: My research shows that the older generation is actually less susceptible to social engineering than the younger generations. They respect their privacy, they respect their social security number and all that stuff. They don’t want to put it on the Google machine.
There’s certainly a lot of social engineering going on with all of us. But what I found is that when we start talking about targeted attacks to reveal financial information, sometimes you’ve got to do a little bit more work for the older generation, because that social security number and bank account number are huge to unpack.
On the other hand, it’s not weird for me if someone asks: “Hey, fill out this form and put in your bank account number and your routing information.” That’s what I’ve grown up with. But those before the internet, man, that social security number, that bank account information, they’re going to want to go into the bank to talk to somebody to have that transaction happen. Us younger folks, the less we can talk to people, the better.
There’s a paradigm there. Not to say that the older generation is way more secure. I don’t believe in there being a more secure generation. It’s just different avenues of attack, different psychological barriers to break through for different folks. You’re going to have to probably work a little bit harder to get there.
MF: I see that in my own mom. I’m amazed at how many times she has shut down scammers. She has a hardwired point of view that she won’t share information. If she wants something, she’ll come to you as a customer.
EH: Yes, that’s one of the biggest differences. With that study it was fascinating to me that while we think that the technology natives are used to this stuff, they also are so comfortable that it gives attackers a psychological advantage. Our psychological defenses begin to go down when we’re talking to unfamiliar people online because we’re usually still at home, we’re in this comfort area of being in our chairs, in pajamas, laying on the couch, whatever.
Also, when you’re online, the person is more prone to listen. And especially if you’re writing through text, the default voice you read in is your own. You’re reading in a comfortable zone, in a comfortable voice, and you’re supposed to make the right decision.
It’s tough for us technology natives to think about the internet as a scary place when most times it’s not, because you’re on social media talking to some friends or you’re looking up something online, you’re watching YouTube and you’re just chilling. An attacker comes along when you’re just chilling and you’re like: “Hey, what does this person want? Oh, Fantasy Football, OK, yeah, I’ll sign up for that. I’m going to use the same password that I always use, because that’s what I do.” And then, boom, next thing you know: data breach.
MF: Is comfort the main thing that attackers are taking advantage of? Or are there other tactics that are being employed?
EH: There’s a ton. Comfort definitely helps. The most impactful principle of influence, in my opinion, is the “liking” principle of influence. That is, the more you like someone, the more likely they are to influence your behavior.
For example, because you like your friends, you act differently around them than you do around people you don’t know. Now, especially with AI, a social engineer can make themselves look like however they want to look, like a handsome man or a beautiful woman. You see that and you begin to like that person, and they influence your behavior although you’ve never really seen or heard that person. That’s dangerous, because people fall victim to scams because their “friends” said to do something.
Just a name can make you feel something and act. You see the name you like and you’re like: “Hey, what’s going on, man?” And they can say an inside joke and you laugh and you smile at it.
Take that to the workplace. If the CEO sends you an email and you’re fearful of your job because there’s layoffs everywhere, and the CEO’s like: “Hey, I need you to transfer $500,000 to this company. Do this right now. We need this deal ASAP.” Some people fall victim to that. Some people do think twice, but you have to have a certain relationship with a person to say: “Hey, do you really need that?”
Another principle of influence is reciprocity. You do something for me and I feel obligated to do something back. For example, when you go to a car dealership and they offer you water, coffee, popcorn, and cookies, you are more likely to buy a car because they gave you something for free.
Scammers will give you something or they’ll help you out in some regard. You’re then more likely to help them because they helped you. They gave you a little bit, so you’re going to just open the door for them.
Scarcity is another one. That’s why when you go to Amazon or eBay they say, “Hey, there’s one left.” And it’s always in red letters! Or with cars – they only make a hundred cars and so they’re worth 10 times more. You may not even like the car, but you’re going to want it because it’s scarce.
Authority influences behavior as well, like “do this or else”. We see a lot of that in government organizations. If you’re general so-and-so, your leadership style is authoritarian, and people are scared of you, they’re going to listen to what you have to say. But they’re also going to be highly susceptible to social engineering attempts, because they’re going to be scared when they see your name. They’re going to be like, “Oh my God, I’ve got to do this right now.”
MF: With the principles of influence, have you found that there are personality traits that make people more susceptible to being victims of attacks?
EH: Yes, there are six personality traits that I’ve found for cyber victims. Whenever I start delivering talks like this, I start talking about personality traits. People are like: “But that’s not me.” They feel attacked. So let me preface this by saying, none of these personality traits are bad.
The number one personality trait is extraversion. The more extroverted you are, the more likely you are to be a victim of social engineering. If you’re willing to talk to people you’ve never met face to face, you’re more willing to talk to an attacker.
MF: I’m just going to take some notes here, Erik, so I can check off things that you’re saying about me as you go through this list!
EH: It’s all good! So, the more agreeable you are, the more likely you are to fall victim to someone telling you something that is not accurate.
How impulsive you are is massive. If you’re the type to impulse buy, you might be the type to impulse click. We see that in new variants of ransomware, where they’re trying to get that level of anxiety and impulsiveness up by saying stuff like “you owe us one Bitcoin, which is like eleventy billion dollars, and in 72 hours it’s going to double and then in 100 hours it’s going to double on top of that.” Then, when you’ve got three hours left, the CEO is like: “Screw it, pay. Pay, we need our stuff back.”
Also, openness to new experiences. If you like to try new things out or do new things, you’re more likely to fall victim to a social engineering attempt.
The harshest one for people to swallow is emotional stability. The more emotionally stable you are, the more likely you are to fall victim to a social engineering attempt. Of course, emotional stability is a very good thing.
But if you’re at a point of emotional instability, it’s actually going to be hard for a social engineer to get you to work with them. You’re going to be so all over the place – sad, upset – you’re going to respond sometimes and you’re not going to respond sometimes. It’s hard to get a person who’s emotionally unstable to operate in a straight line.
MF: Is there hope? Where do we go from here? How do we help people?
EH: There is 100% hope. What it starts with is introspection. You have to understand yourself and understand how you could be victimized. This level of arrogance that we have on the security professional side isn’t good. You can’t say it only happens to people who are stupid users or people who don’t understand the technology. That’s actually false. If social engineering is impactful for 80% or 90% of all data breaches, cyber professionals, we are a big portion of that as well!
When we conduct social engineering or phishing campaigns in the workplace, often we say, “Hey, you clicked, you go on the wall of shame, take our remedial training,” which is like ‘click next’ eight times and get your gold star!
Instead, ask that person why they clicked. You’ll hear things that will absolutely blow your mind. If you spoof the CEO, you might hear: “I’m scared for my job.” If you unpack that, then you need to talk to the person in charge and say: “You need to calm everyone down and tell them there won’t be any layoffs.” Because at this point, we’ve got this human vulnerability that technology can’t patch.
Every phishing campaign that I do for an organization, we always meet with the person who clicks, because I want to understand why and how we can address that.
What level of care do you need to take? When we hire people, we run background checks. Why do we run background checks? We want to make sure their credit’s good, make sure they’re not a criminal, see if they’re honest. But that’s just a screenshot at that moment in time. Ten years later, when that person is still in that organization, they’re a totally different person. You need to understand who they are if you want to be able to secure the organization. Instead of just saying “hey, look at the email header,” or “this is the type of attack going out,” help them understand how they could be victimized and then practice how you fight.
MF: I like that framing and emphasizing introspection so people can understand how they could be susceptible, no matter what the attack is. Because the types of attacks are going to continue to evolve and change.
EH: And then, see what it takes to secure that endpoint, because your endpoint is not just your computer. The endpoint is the person. What’s it going to take to help that person out? If you don’t do this, what’s going to happen is the attacker is going to make them assist them in their data breach.
It’s like the equivalent of unlocking the door for someone, having them rob you, and then being mad that you just got robbed. Like, dude, you opened the door.
We can’t be OK with that. You’ve got to talk to that person, see what psychological vulnerabilities are there, and then start training them to that. Not everyone is susceptible to the same things. What’s going to get me is not what’s going to get you. We’re different people, but we all can get had at some point in time.
MF: Can you talk about this concept of human factor authentication? What is it and what does it mean?
EH: Human factor authentication is a term that I coined that I absolutely love. It’s the checks that we have in our mind to determine, is this person safe? Is this real or not?
What you do when you’re first online are checks for human factor authentication. You look, you see the name. Do you trust the name? If you trust the name, then you begin to feel, and then from there, you begin to read. Initially, we all read in our own voice, unless you really know the person. If I see something from my mom, my brother, my wife, I read, and I begin to read in their tone. If the tone sounds off or there are a ton of grammatical errors, then you’ve lost me.
If I got something that seemed off from you, I’m probably going to reach out to you and say: “Hey, man, we’re supposed to have that podcast. I got this email. Is this you?”
MF: I have to imagine that AI and deep fakes, voice replication and stuff like that can create some really unique challenges.
EH: Deep fakes and the emergence of commercialized, general AI is probably what scares me most because it leverages the comfort factor and also the anonymity. Now hackers can be anonymous, but they can also appear and sound however they want. This scares me because it’s one thing for you to read the name, it’s another thing for you to read the name and see the face. There’s a point in time where your guard’s going to go down.
This ends up taking that to another level where I could appear as your mother or I could appear as your brother, your cousin, someone that you know at work. I can sound like that person, and you can see, hear it, and you can have a conversation. That breaks down a lot of those psychological barriers that we have, and it makes it very real.
There was this situation in Europe where the CFO had a deepfake conversation with another organization’s CFO and transferred them a quarter of a million dollars. Totally fake! That’s going to cause a significant problem, because the speed of business has not slowed down to incorporate security.
The speed of business continues to move forward, so this industry of AI, the goal is to appear so human-like you can’t tell the difference. Attackers take that and flip it on its head and start exploiting us. It’s like ransomware. We created encryption on the good guy side to protect data. Attackers use it and tell you that: “Hey, we’re going to lock your own stuff out. You’re going to have to buy your stuff back.”
MF: With people being the most vulnerable part of the networks, can people also be the superpower here? Is this something where we can turn our biggest vulnerability into our greatest strength?
EH: I think that people actually have been our greatest strength. Everything you look at and say, “that’s fake” – we’re blocking a lot more attacks than we realize. I firmly believe if we start securing the human and we begin to see some progress – if 90% of attacks include the human element, and if we can cut that down to 70% – we’ve changed the game. The economics of cybercrime will begin to tank. I firmly believe if we impact the economics of cybercrime, fewer people will do it and we’ll secure the world. There’s just so much money in it now.
MF: Where can folks go to learn more about you and the work you’re doing?
EH: I have two TED Talks that are out on YouTube. Or you can go to drerikhuffman.com to find some of my latest research and all of my talks. If you’re curious, feel free to shoot me a message and we can talk about how we’re going to save the world together.