Social-Engineer.com's newsletter is a useful source of information about social engineering methods. The latest issue outlines some of the tricks used by phishers to lure their victims initially.
"It is not breaking news that phishing is the leading cause of data breaches in the modern world. It is safe to ask why that is the case though, given how much of this email gets caught up in our spam filters and perimeter defenses. One trick sophisticated attackers use is triggering emotional responses from targets using simple and seemingly innocuous messaging to generate any response at all. Some messaging does not initially employ attachments or links, but instead tries to elicit an actual reply from the target. Once the attackers establish a communication channel and a certain level of trust, either a payload of the attacker’s choosing can then be sent or the message itself can entice the target to act."
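The two-stage pattern the newsletter describes (a first message with no link or attachment that only asks for a reply, followed by the payload once the target has answered) is hard for perimeter filters to catch because the opening message contains nothing to block. One way a mail-security team can still surface it is to correlate messages within a thread rather than scoring each one alone. The following is an added example, not code from the newsletter or from this blog; it assumes a hypothetical internal domain `example.com`, a small illustrative list of reply-eliciting phrases, and uses the sender address plus the normalised subject as a rough thread key (a production version would use Message-ID, In-Reply-To and References). The three messages at the bottom are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed internal domain (hypothetical): anything else counts as external.
INTERNAL_DOMAIN = "example.com"

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

# Phrases that ask for a reply rather than a click. Illustrative, not exhaustive.
REPLY_CUES = [
    r"\bare you (?:available|around|at your desk|in the office)\b",
    r"\bquick (?:question|favou?r)\b",
    r"\b(?:please|kindly) (?:reply|respond|get back to me)\b",
    r"\blet me know\b",
    r"\bi need (?:your help|a favou?r)\b",
    r"\bcan you (?:help|confirm)\b",
]
REPLY_CUE_RES = [re.compile(p, re.IGNORECASE) for p in REPLY_CUES]


def sender_address(msg: Message) -> str:
    return parseaddr(msg.get("From", ""))[1].lower()


def is_external(msg: Message) -> bool:
    return not sender_address(msg).endswith("@" + INTERNAL_DOMAIN)


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts, skipping attachments."""
    parts = []
    for part in msg.walk():
        if (part.get_content_type() == "text/plain"
                and part.get_content_disposition() != "attachment"):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def has_link_or_attachment(msg: Message) -> bool:
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        return True
    return bool(URL_RE.search(body_text(msg)))


def reply_cues(msg: Message) -> list:
    """Return the cue patterns found in the body (empty list if none)."""
    text = body_text(msg)
    return [r.pattern for r in REPLY_CUE_RES if r.search(text)]


def thread_key(msg: Message) -> tuple:
    """Crude thread identity: sender address + subject with Re:/Fwd: stripped."""
    subject = re.sub(r"^(?:\s*(?:re|fw|fwd)\s*:\s*)+", "",
                     msg.get("Subject", ""), flags=re.IGNORECASE)
    return (sender_address(msg), subject.strip().lower())


def analyse(raw_messages):
    """Walk messages in arrival order and return (index, verdict) findings.

    'lure'                : external sender, no link/attachment, asks for a reply.
    'payload_after_lure'  : same sender/thread later delivers a link or attachment.
    """
    lured = set()
    findings = []
    for i, raw in enumerate(raw_messages):
        msg = message_from_string(raw)
        if not is_external(msg):
            continue
        key = thread_key(msg)
        if key not in lured:
            if not has_link_or_attachment(msg) and reply_cues(msg):
                lured.add(key)
                findings.append((i, "lure"))
        elif has_link_or_attachment(msg):
            findings.append((i, "payload_after_lure"))
    return findings


# Constructed sample thread: a lookalike domain (examp1e.com) opens with a
# link-free "are you there?" message, gets a reply, then sends the payload.
SAMPLE_THREAD = [
    "From: Pat Smith <pat.smith@examp1e.com>\nTo: alex@example.com\n"
    "Subject: Are you at your desk?\nMessage-ID: <1@examp1e.com>\n\n"
    "Hi Alex, quick question, are you in the office today? Let me know.\n",
    "From: Alex <alex@example.com>\nTo: pat.smith@examp1e.com\n"
    "Subject: Re: Are you at your desk?\n\nYes, what do you need?\n",
    "From: Pat Smith <pat.smith@examp1e.com>\nTo: alex@example.com\n"
    "Subject: Re: Are you at your desk?\n\n"
    "Great. Please review the invoice at http://examp1e.com/invoice.pdf and pay it today.\n",
]


def demo():
    return analyse(SAMPLE_THREAD)


if __name__ == "__main__":
    for idx, verdict in demo():
        print(idx, verdict)
```

The first message on its own would sail through any filter that looks for URLs or attachments, which is the point of the technique; only the state carried across the thread makes the third message stand out. In practice the lure stage is also a good moment to warn the recipient (for instance with an "external sender, first contact" banner), since the human reply is what the attacker needs before anything malicious is sent.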
That same technique is used by advertisers over the web in the form of lurid or intriguing headlines and images, carefully crafted to get us to click the links and so dive into a rabbit warren of further items and junk, all the while being inundated with ads. You may even see the lures here or hereabouts (courtesy of Google). Once you've seen enough of them, you'll recognize the style and spot the trigger words - bizarre, trick, insane, weird, THIS and so on, essentially meaning CLICK HERE, NOW!
They are curiously attractive, almost irresistible, even though we've groped around in the rabbit warrens before and suspect or know what we're letting ourselves in for. But why is that?
'Curiously' is the key: it's our natural curiosity that leads us in. It's what led you to read this sentence. Ending the previous paragraph with a rhetorical question was my deliberate choice. Like magpies or trout chasing something shiny, I got you. You fell for it. I manipulated you. Sorry.
There are loads more examples along similar lines - random survey statistics for instance ("87% of X prone to Y") and emotive subjects ("Doctors warn Z causes cancer"). We have the newspapers to thank for the very term 'headline', not just the tabloid/gutter press ("Elvis buried on Mars") but the broadsheets and more up-market magazines and journals, even scientific papers. The vast majority of stuff we read has titles and headings, large and bold in style, both literally and figuratively. Postings on this blog all have short titles and a brief summary/description, and some of the more detailed pieces have subheadings providing structure and shortcuts for readers who lack the time or inclination to read every word ... which hints at another issue, information overload. Today's Web is so vast that we're all sipping from the fire hose.
And that reminds me: intriguing imagery is another manipulative technique to grab us by the wotsits. The fire hose is a highly visual analogy: it conjures up a dramatic scene in your mind, so effectively that an actual picture of a gushing hose would be crass. I wrote yesterday about word clouds, and through this blog we've shared a few of the creative posters that accompany the NoticeBored security awareness materials every month.
We also use colorful mind maps, process diagrams, flow-charts and so on for the same reason - to intrigue and so grab the reader's focus for a moment, to impart useful information, and so to inspire, motivate and entertain. Some of us like written words, some prefer pictures, and others like to be shown or directly experience stuff first hand ... which is why we also provide seminar slide decks, case studies and briefing papers. It's an immersive approach to security awareness.
But time is precious so that's it for today. Thanks for dangling on my hook. I'm letting you go now. Swim free.