Intro to Deceptionology: Why Falling for Scams is Human Nature
We live and work in a world marked by an entire spectrum of deceptive possibilities and applications: misleading and factually incorrect posts on Facebook, influencers peddling scams, and deepfake videos, images and audio clips that impersonate real people. Why do these forms of deception proliferate? Because humans are vulnerable to this kind of messaging, and attackers know it.
Hackers and cybercriminals continually probe our cognitive vulnerabilities because we are not the rational beings we like to think we are. We fall for their scams and, in the process, help them line their pockets.
The Study of Deception
As the name implies, “deceptionology” refers to the study of deception. Deception is a core component of many cyberattacks, including phishing, social engineering, and disinformation campaigns. By studying deceptionology, we gain a better understanding of how threat actors exploit human nature to their advantage.
Developing this understanding — and helping your organization and its employees do the same — can go a long way toward thwarting the pervasive cyberattacks and scams that are so widespread these days.
Let’s take a look at a few important principles to help build defenses against deception and human-centric cyberattacks.
System 1 and System 2 Thinking
Daniel Kahneman, the Nobel Prize-winning psychologist, popularized the two modes of thinking called System 1 and System 2 in his book Thinking, Fast and Slow (the labels themselves were coined by Keith Stanovich and Richard West).
System 1 thinking describes our gut reactions: the fast, intuitive responses that drive snap judgments and immediate action. Scammers target it by appealing to urgency, fear, curiosity or greed. System 2 thinking describes our slower, more deliberate reasoning: the voice that makes us pause and question that first intuitive response.
We default to System 1 because it costs less time and effort, and we lean on it even more when we are hurried or overloaded, which is exactly when phishing lures work best. Engaging the more cautious System 2 takes deliberate conscious effort and mental energy. Understanding how the two systems interact helps us notice when a scammer is steering us toward a snap reaction, so we can slow down and reason before acting.
The OODA Loop & How it is Hijacked
Another useful model for defending against attackers is the OODA loop, developed by the military strategist John Boyd. OODA stands for Observe, Orient, Decide and Act: the cycle our minds run continuously as we interact with the world around us.
Attackers try to hijack this loop by manipulating what we observe (a spoofed sender, a familiar logo, a lookalike link) so that the orientation, decision and action that follow are built on a false picture. These attempts are commonly called social engineering: influencing human behavior at the point where people interact with technology. Social engineering exploits the human elements of the OODA loop to bypass our security awareness.
For instance, consider a phishing email crafted to look like it came from your bank, designed to steal your login credentials.
- Observe: You see that you have received an urgent message that appears to come from your bank.
- Orient: You assume your bank is contacting you to protect your account. The attacker supplied that context; you did not verify it.
- Decide: You decide to click the link.
- Act: You enter your credentials on a fake, spoofed website.
How can we thwart these attempts? Here’s a look at the steps you want to take — and educate your organization to take.
Thwarting Cyber Attackers and Hackers
Understanding the manipulative tactics used by cybercriminals can help build defenses to protect your organization’s systems and data. That’s the first step. Here are some strategies to help ward off deception and attacks:
- Practice mindfulness. Train yourself to be quick to evaluate but slow to act. Mindfulness can help you take full advantage of System 2 thinking.
- Use the SIFT method, developed by Mike Caulfield. Stop. Investigate the source. Find trusted coverage. Trace claims, quotes and media back to the original source. SIFT is a simple framework for vetting a message or claim before acting on it.
- Look for contradicting viewpoints. Deliberately expose yourself to perspectives that are different or in contrast to your own. Explicitly nurture a skeptical nature.
- Recognize emotional triggers. We all have them. Understanding your own personal vulnerabilities helps you protect yourself from manipulation. Are you an overly anxious and impatient person? Someone prone to clickbait?
- Verify before sharing. When we share misinformation or forward a phishing email, we amplify the potential for damage. Instead, verify the authenticity and accuracy of information before passing it along.
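The "Investigate the source" and "Trace to the original" steps of SIFT, and the Observe/Orient stages of the bank phishing walkthrough above, have a mechanical counterpart: before the link is clicked, compare what the message shows with what it actually does. The following Python script is an added example, not code from the original article. It analyzes two constructed emails (a phishing lure and a legitimate notice) for a hypothetical bank at the reserved domain firstnational.example, and flags the tricks that exploit the Observe step: a sender domain that merely resembles the brand, a Reply-To pointing elsewhere, urgency phrases aimed at System 1, a link whose visible text disagrees with its real target (the bank's name used as a subdomain of an attacker host), and an internationalized (punycode) lookalike host. The registrable-domain check is a deliberate simplification and uses no public-suffix list.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "firstnational.example"  # hypothetical bank; .example is a reserved TLD
# Phrases that push the reader into a System 1 reaction: act now, think later.
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "within 24 hours", "verify now")
# Lookalike host with a Cyrillic 'a' for the Latin one, in punycode form as seen in raw mail.
LOOKALIKE_HOST = "firstn\u0430tional.example".encode("idna").decode("ascii")

# Constructed phishing message: off-brand sender, foreign Reply-To, urgency, mismatched link, IDN link.
PHISH = f"""\
From: "First National Bank Security" <alerts@firstnational-bank.example>
Reply-To: support@mail-verify.test
Subject: URGENT: your account has been suspended
Content-Type: text/html; charset=us-ascii

<p>We detected unusual activity. Verify your identity within 24 hours.</p>
<p><a href="https://firstnational.example.verify-login.test/auth">https://firstnational.example/login</a></p>
<p>Or use our secure portal: <a href="https://{LOOKALIKE_HOST}/login">Sign in</a></p>
"""
# Constructed legitimate message from the same brand: nothing should be flagged.
LEGIT = """\
From: "First National Bank" <alerts@firstnational.example>
Subject: Your March statement is available
Content-Type: text/html; charset=us-ascii

<p>Your statement is ready. <a href="https://www.firstnational.example/statements">Sign in</a> to view it.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs so the two can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text):
    """Lowercased hostname of a URL or of bare 'host/path' text; '' if none."""
    if "://" not in text:
        text = "https://" + text
    return (urlparse(text).hostname or "").lower()


def registrable(host):
    """Last two labels. Simplification: no public-suffix list, so co.uk-style suffixes misjudge."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def looks_like_url(text):
    return "://" in text or re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", text) is not None


def analyze(raw_message, trusted_domain):
    """Return (category, detail) findings; an empty list means nothing stood out."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = msg["from"].addresses[0]
    if registrable(sender.domain.lower()) != trusted_domain:
        findings.append(("sender-domain", f"From is {sender.domain}, not {trusted_domain}"))
    if msg["reply-to"] is not None:
        reply = msg["reply-to"].addresses[0]
        if reply.domain.lower() != sender.domain.lower():
            findings.append(("reply-to", f"replies go to {reply.domain}, not {sender.domain}"))
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    haystack = f"{msg['subject'] or ''} {body}".lower()
    for phrase in URGENCY_PHRASES:
        if phrase in haystack:
            findings.append(("urgency", f"pressure phrase: '{phrase}'"))
    extractor = LinkExtractor()
    extractor.feed(body)
    for text, href in extractor.links:
        target = host_of(href)
        if looks_like_url(text) and host_of(text) != target:
            findings.append(("link-mismatch", f"shows '{text}' but goes to {target}"))
        if registrable(target) != trusted_domain:
            findings.append(("off-domain-link", f"{target} is outside {trusted_domain}"))
        if any(label.startswith("xn--") for label in target.split(".")):
            shown = target.encode("ascii").decode("idna")
            findings.append(("idn-host", f"{target} renders in the address bar as {shown}"))
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(f"== {name}")
        for category, detail in analyze(raw, TRUSTED_DOMAIN):
            print(f"  [{category}] {detail}")
```

Run it and the phishing sample produces findings in every category while the legitimate notice produces none. The point is not that a script replaces judgment: the findings are the questions a System 2 reader should ask by hand, and the safest action on any hit is to reach the bank through a path you already trust (its app, or the number on your card) rather than anything in the message.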
As the saying goes, speed kills. Outsmarting bad actors is all about slowing down and being self-aware and mindful of how you perceive and act. In this case, remember that attackers rely on social engineering to harvest credentials, and take the time to evaluate that urgent message you just received, ideally by contacting the sender through a channel you already trust rather than through anything in the message itself.