Social-Engineer Newsletter Vol 07 – Issue 99


Vol 07 Issue 99
December 2017

In This Issue

  • The Emotional Line of Defense
  • Social-Engineer News
  • Upcoming classes

As a member of the newsletter you have the option to OPT-IN for special offers. You can click here to do that.

The 2017 SECTF report is now available for download. You can get all the details from Def Con 25 and Derbycon 7 by downloading your free copy of the report here:

You can also listen to Michele and Chris break down all of the details from the 2017 SECTF report webinar. It is available to listen and download here:

Do you like FREE Stuff?

How about the first chapter of ALL OF Chris Hadnagy’s best-selling books?

If you do, you can register to get the first chapter completely free; just go over to to download now!

To contribute your ideas or writing send an email to

If you want to listen to our past podcasts hit up our Podcasts Page and download the latest episodes.

Our good friends at CSI Tech just put their RAM ANALYSIS COURSE ONLINE – FINALLY.

The course is designed for Hi-Tech Crime Units and other digital investigators who want to leverage RAM to acquire evidence or intelligence which may be difficult or even impossible to acquire from disk. The course does not focus on the complex structures and technology behind how RAM works but rather how an investigator can extract what they need for an investigation quickly and simply.

Interested in this course? Enter the code SEORG and get an amazing 15% off!

A Special Thanks to:

The EFF for supporting freedom of speech

The Emotional Line of Defense

It is not breaking news that phishing is the leading cause of data breaches in the modern world. It is fair to ask why that is still the case, given how much of this email gets caught by our spam filters and perimeter defenses. One trick sophisticated attackers use is triggering an emotional response from the target with simple and seemingly innocuous messaging, aimed at generating any response at all. Some of this messaging does not initially carry attachments or links; instead it tries to elicit an actual reply from the target. Once the attackers establish a communication channel and a certain level of trust, either a payload of the attacker’s choosing can be sent or the message itself can entice the target to act.

It’s not a technology problem, it’s human nature.

Human emotion is the critical security element technology cannot solve. Emotion often overrides critical thought, which is exactly what attackers are banking on. Whether it is fear, curiosity or a sense of urgency, your users are tasked daily with balancing their emotional response against security policy. This is not just when reading email, but also when taking phone calls or dealing with other people face-to-face. It can be a daunting task, and one that puts many companies and organizations at risk. As security awareness professionals, you must take this into consideration in the messaging you provide to end users.

Feeling that rush, there’s your sign.

When a user starts to feel an overwhelming emotional response to a situation, that should be the cue for critical thinking to engage and properly verify the validity of the situation. Use the emotion as a warning sign rather than following the instinctive emote-then-respond pattern humans naturally fall into. This is not an easy fix, but teaching this recognition technique could be the difference between a compromised account and a simple five-second pause to request a review from the security/IT department.

According to some researchers, a sense of urgency and curiosity top their list of most-clicked phishing emails, whether the lure is a delivery notice, a compensation change, or an imminent account access issue. If the user is caught at just the right time of day, or in a particular mood, even the most security-aware individuals can succumb to these attacks. This is why it is so important to build recognition of a user’s own emotions into security training. You can communicate that it is ok to feel a particular way about a situation, but that the feeling does not necessarily warrant an immediate response or action. In fact, the moment that overwhelming feeling is experienced, encourage them to take a second and start to evaluate why. Are the attackers asking the user to perform some action or else something dire will happen? Are they trying to pique interest in a known topic the target talks about openly on social media?

Attackers use what they know about you to get you.

In a world where people share their thoughts and interests publicly across a multitude of social media outlets, gaining insight into how someone “feels” about a specific subject is easier than ever before. Social media companies even work together to let users share this information across platforms so easily that, if you look hard enough, you will almost inevitably find a topic of interest for almost anyone. Those bits of personal information can be, and have been, used with such success that there is no sign of the technique going away any time soon.

To emote is human, and no training program is going to completely remove that tendency, nor should it try to. Instead, embrace the humanity of the situation and teach emotional recognition techniques: understand why a user feels a specific emotion and whether that emotional reaction warrants the action being requested. If your users are doubtful about a situation, encourage them to ask a colleague’s opinion. It is well worth the time, and your users should be regularly encouraged and rewarded for thinking critically.

Written By: Ryan MacDougall


As part of the newsletter group, you will be the first to receive special offers to services and products by Social-Engineer.Com.
