It was in my first corporate role, at a bank, when I first became a cybersecurity threat to myself. I had just come from a meeting with a senior manager that I was eager to impress when I got a personal email from her, asking me to open a file. To open it I had to enter my Gmail credentials, but I didn’t think anything of it because the message seemed urgent, and I was desperate to make a good impression at that job.

Two hours later, I was fielding messages from all my Gmail contacts who had received similarly urgent messages from me asking for their credentials. I had been phished, and the attackers had control of my account until I was able to change my password. This experience taught me that my emotions, in this case ambition and slight — or extreme, let’s be honest here — desperation, could pose a cybersecurity threat.

You may be wondering what type of moron would ever enter her Gmail password into a third-party website. Yes, me, but also CIOs, busy C-level executives, even IT folks. Pretty much anyone in possession of basic human emotions is vulnerable.

Phishing is a play on human emotions

Phishing scams can work on anyone who trusts their company’s information security team. They can work on anyone having a weak moment. They can work on busy people who have a compelling reason to quickly comply with requests. Sounds a lot like the vast majority of people who are employed anywhere, doesn’t it? And indeed, my cousin, who is a CIO, seems to have recently fallen victim to a phishing scam on Facebook. All it takes is one weak moment, and weak moments don’t care how far up the hierarchy you are. In fact, busy executives are prime targets for “whaling” campaigns, in which phishers go after the biggest fish, precisely because of their perpetually frazzled state and ample permissions.

The fascinating thing about phishing is that it doesn’t exploit a code vulnerability; it exploits human emotions. If you can catch a frazzled person with an urgent message at a weak moment, you’re golden. And as companies sign off on ever-expanding cybersecurity budgets, there’s one vulnerability that all the encryption, firewalls, and identity and access management cannot remove: human emotions. (Until the singularity, that is.)

By some estimates, 91% of data breaches are a result of phishing scams. That’s pretty bad!

From phishing to social engineering

Phishing first rose to prominence in the hacker culture of the 90s, when hackers would steal AOL account credentials. Phishing became a part of hacker culture along with phreaking, the exploitation of telecommunications systems, often with the goal of stealing a dial-up internet connection or making long-distance calls. The phisher’s MO was to target a large number of people in the hope of catching a few who didn’t yet know what phishing was, or who were not paying attention. Though most folks now know what phishing is, little has otherwise changed. And we don’t seem to be getting better at avoiding phishing attacks either: last year, Grant MacEwan University in Canada lost nearly $12M in a phishing scam. So hackers can still catch a few people off guard, though their methods are slightly more sophisticated these days.

Social engineering is one of these more sophisticated techniques. It’s not always done digitally, and it’s even more dangerous because it involves the exploitation of those pesky human traits that we call trust, desire for human connection, and faith in humanity’s essential goodness.

Social engineering can encompass things like gaining access to a physical environment, winning someone’s trust over the phone, or, increasingly commonly, getting victims to reveal privileged information over email. Messages will be personalized, and hackers will try to exploit any human vulnerability they can, including our deference to hierarchy and our eternal weakness for free money.

A social engineering scam might attempt to gain your trust by posing as an authority figure, colleague, or client, and instilling a sense of urgency in the victim. At the core of a social engineering scam is the assumption that humans want to believe the best of each other. Always having our guard up is exhausting, so we look for clues to verify that the people approaching us are who they say they are so that we can let our guard down. (Or get that free money. Never forget the free money.)

Keeping yourself safe

So how can we strike a balance between our innate desire to trust others, and the inherent risk involved in doing so? Here are some gentle suggestions:

  • If someone emails you telling you that all you need to do to get your inexplicably large tax refund is to enter your banking information into a random third-party website… don’t.
  • If a cousin who hasn’t talked to you in ten years messages you on Facebook with a suspicious link that requires you to provide Facebook credentials to view… don’t.
  • If your dad randomly texts you asking for your Social Security Number… ok, so this actually happened to me, and it wasn’t a phishing scam. It was my dad being weird. But I called him to check and then told him over the phone. He praised me for being so cautious, but… really, dad?!
  • Do not click a link that you’re not expecting to receive. And if you are expecting it but don’t really want to deal with it, don’t click it and then accuse your colleague of phishing you.
  • If something seems off – a client you have never talked to before is being too familiar, or someone who claims to be an IT administrator is pressuring you for privileged information – something probably is off. (Either that, or you need a new job with a nicer IT department.)
  • If someone emails you with a work-from-home opportunity trading Bitcoin, that’s not a thing. (But if you hear of any work-from-home jobs that involve doing nothing at all, please email me with the link.)

But seriously – as you can see from the examples above, all that’s really needed to avoid most phishing scams is a mindset of reasonable vigilance. Don’t click links you aren’t sure of, don’t enter information into third-party websites, and don’t let a stranger — no matter how handsome! — into your office or building. In other words, don’t let emotions override caution.

Does it suck that you need to be on the lookout for people posing as your friends, colleagues, and loved ones in order to get access to your 124 Facebook friends and 62 Gmail contacts? Most definitely. (And yes — I have vanishingly few Facebook friends. Please do not judge me.)

But the good news here is that the cybersecurity field is actually doing a fantastic job of keeping up with the hackers, all things considered. Now it’s up to the humans in this equation to do our part.