How Hackers Use Your Brain Against You in Phishing Attacks

By: Marco
April 12, 2023

Maybe there are some people out there who are still participating in those “fun social media posts” that ask you the make and model of your first car, the name of your first pet, the street you grew up on, and other common password reset questions, but not you. 

You’re not going to fall for a hacker’s schemes…right? 

Don’t be too sure. Today’s hackers are learning how to overcome your skepticism, and they’re using psychology to do it.

10 Cognitive Biases Hackers Use to Overcome Your Defenses

1. Present Bias/Hyperbolic Discounting 

You want to save money this year, but then you see a great deal on something you like but don’t need. Plus, that special deal is available only if you act NOW! We’d all like to think we don’t fall for this one, but many of us do. Our brains favor short-term rewards over long-term ones.

What’s worse, some of those truly incredible deals online aren’t credible at all. They’re scams. Remember, if something sounds too good to be true, it probably is.

2. Authority Bias

People are more likely to do something if an authority figure tells them to. And we’re more likely to believe someone who poses as an expert. But that “expert” or “authority figure” may, in fact, be a hacker who’s trying to get you to click on a malicious link or download malware. Beware of any emails containing links or attachments that you don’t know are coming your way, even those that appear to be coming from your CEO. And when in doubt, double-check. According to the FBI, CEO fraud has cost businesses $26 billion, in part because our brains are naturally engineered to fall for it.
3. The Halo Effect

Hackers also try to pass themselves off as well-known and respected companies or celebrities so they can take advantage of the positive impressions you have of certain people or brands. 

The most frequently impersonated brands of 2022 include LinkedIn, Microsoft, DHL, Amazon, and others. 

4. The Recency Effect

You probably remember the last big weather event that was on the news. But which was the one right before that? Where was that flood again? You’re more likely to remember the information you received recently, which is why hackers often reference recent events in their schemes.  

Remember that awful South Korean crowd crush back in 2022? By the way — if you’re struggling to remember, you’ve just experienced the recency effect firsthand. Anyway, soon after it happened, North Korean-sponsored hackers used that tragedy to try to get internet users to download their malware. 

5. Loss Aversion/The Endowment Effect

The pain of losing something is twice as powerful as the pleasure we feel when we get something, even when that “something” is basically the same thing. For example, most people would feel more sadness if they lost a hundred-dollar bill than they’d feel happy if they found an extra $100 in their paycheck. 

Savvy hackers (and marketers, for that matter) know that if you feel that something is already yours, you’ll feel more upset if it’s then taken away. 

Let’s compare these two offers: 

  1. “You’ve just won a free $100 gift card! Claim it by clicking on this link in the next five minutes!”
  2. “Click here to get a $100 gift card!”

If you found the first offer more tempting, that’s your loss aversion bias hard at work. 

6. Habit

Let’s say every Monday morning you read your company’s weekly newsletter. You skim through it, looking for the report that you always click on next. If that newsletter read slightly differently on a given Monday, would you catch it? Habits are things you do so often that you do them without really thinking, and hackers are counting on that. 

7. Optimism Bias

Rose-colored glasses have a dark side. We humans are likely to overestimate the possibility that something good will happen and to underestimate the likelihood that something bad will happen. For example, many owners of small to midsize businesses mistakenly believe that hackers don’t pose a significant threat to their business. Unfortunately, the reality is that these businesses are actually a hacker’s preferred target.

8. Curiosity Effect 

It killed the cat, you know. Hackers have been known to send out emails that appear to be sent to your inbox by mistake, containing a link to very tempting information, such as the entire company’s payroll. But that email was no accident. It was purposefully composed to tempt your natural curiosity, and the only “Oops!” would be yours if you click the link.

9. Ostrich Effect

Oh no! You just saw an alert that your computer has 150 major viruses identified! You know reusing passwords is against company policy, and these viruses may be your fault. Good thing this pop-up contains a helpful link to clear them up in seconds! Unfortunately, that pop-up is probably a scam, but it’s playing on your natural desire to hide your head in the sand in order to avoid something unpleasant. 

10. Overconfidence

This last one doesn’t get a mention in a lot of blogs about cognitive bias and how it relates to cybersecurity, but it’s a doozy. Back in 2017, scientists at the University of Texas found that many participants were lulled into a sense of security, assuming that they were smarter than hackers; unfortunately, their overconfidence actually made them more susceptible to being duped.

Overconfidence still plays a huge role in our susceptibility today. Many phishing emails lack the spelling and grammatical errors that once made them easier to spot, and cybercriminals are getting better at using our own brains against us.
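The lures in the ten items above (act-now urgency, a free reward, a request from the boss, a payroll file “sent by mistake,” a virus alert) share wording patterns that a mail filter or an awareness exercise can flag. The Python below is an added example, not code from the original post: it scores constructed sample messages, including the two gift-card offers from item 5 and lures modeled on items 2 and 8, against a small cue lexicon and checks whether an executive’s display name arrives from an outside domain. The domain example.com, the executive name, the cue lists and every message are assumptions made up for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed cue lexicon keyed by the bias each lure plays on.
# A real filter would tune these against its own mail corpus.
CUES = {
    "urgency": [r"\bnow\b", r"\bimmediately\b", r"\bwithin \d+ (?:minutes|hours)\b",
                r"\bexpires?\b", r"\bnext (?:five|\d+) minutes\b"],
    "reward": [r"\bfree\b", r"\bgift card\b", r"\byou(?:'ve| have) (?:just )?won\b", r"\bclaim\b"],
    "authority": [r"\bceo\b", r"\bwire\b", r"\bpayment\b", r"\burgent request\b"],
    "curiosity": [r"\bpayroll\b", r"\bconfidential\b", r"\bsent (?:to you )?by mistake\b",
                  r"\bsalar(?:y|ies)\b"],
    "fear": [r"\bvirus(?:es)?\b", r"\binfected\b", r"\baccount (?:will be )?(?:suspended|locked)\b"],
}

# Hypothetical organisation: its own mail domain and the people most often impersonated.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"dana rivera"}


@dataclass
class Message:
    sender: str        # From address
    display_name: str  # the name the mail client shows
    subject: str
    body: str


@dataclass
class Verdict:
    score: int
    cues: dict = field(default_factory=dict)  # category -> number of matching cue patterns
    impersonation: bool = False               # executive name on an external address


def assess(msg: Message) -> Verdict:
    """Score one message by the psychological levers its text pulls."""
    text = f"{msg.subject}\n{msg.body}".lower()
    hits = {}
    for category, patterns in CUES.items():
        n = sum(1 for p in patterns if re.search(p, text))
        if n:
            hits[category] = n
    # Display-name spoofing: a known executive's name on a non-company address.
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    impersonation = msg.display_name.lower() in EXECUTIVES and sender_domain != INTERNAL_DOMAIN
    score = sum(hits.values()) + (3 if impersonation else 0)
    # Urgency rarely travels alone in a lure; paired with a reward, an
    # authority demand or a threat it is the classic "act NOW" pressure.
    if "urgency" in hits and set(hits) & {"reward", "authority", "fear"}:
        score += 2
    return Verdict(score, hits, impersonation)


# Constructed sample messages (the first two mirror the offers in item 5 above).
SAMPLES = [
    Message("promo@rewards-center.example", "Rewards Team", "Congratulations",
            "You've just won a free $100 gift card! Claim it by clicking on this link in the next five minutes!"),
    Message("promo@rewards-center.example", "Rewards Team", "Gift card",
            "Click here to get a $100 gift card!"),
    Message("ceo.office@gmail-mail.example", "Dana Rivera", "Urgent request",
            "I need you to process a wire payment now. I'm in a meeting, do not call."),
    Message("docs@share-files.example", "HR Portal", "FW: 2023 payroll",
            "Sorry, this was sent by mistake. Full salaries spreadsheet attached, please don't forward."),
    Message("news@example.com", "Internal Comms", "Weekly newsletter",
            "This week's report is attached. Read it when you have time."),
]


def triage(messages=SAMPLES):
    """Return (subject, score) pairs, highest-risk first."""
    ranked = sorted(messages, key=lambda m: assess(m).score, reverse=True)
    return [(m.subject, assess(m).score) for m in ranked]


if __name__ == "__main__":
    for subject, score in triage():
        print(f"{score:2d}  {subject}")
```

Run as a script it ranks the five samples; the first gift-card offer outscores the second purely on the urgency-plus-reward pairing, which is the loss-aversion lure item 5 describes. The scores are only a triage signal for a human reviewer or a training debrief, not a verdict, since an attacker who reads the lexicon can simply avoid those words.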

What Helps Protect You From Spear Phishing, Malware, and More? 

Many of the most common threats to small to midsize businesses are the byproduct of phishing and email compromise. And while many employees likely assume that a business’s firewall and other tools are sufficient protection, a careless click by a rushed or distracted employee can lead to catastrophe. 

A successful security awareness training program can transform your staff from your greatest cybersecurity liability to your best line of defense, which is why this training is considered a vital component of cybersecurity best practices by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). 

If you don’t yet have a security awareness training program, you don’t have to design one from scratch. For more information on how often training is needed and what content should be included, check out our blog below! 
