As a security awareness professional, I spend a lot of my time trying to convince people that they’re susceptible to phishing attacks. It’s a tough argument to advance, as lots of people refuse to listen. The mere suggestion they might be vulnerable to a scam comes across like I’m making a personal attack. I’ve had people become indignant, even aggressive at the idea. I hear a lot of variations on: “How dare you suggest I’m mentally feeble or somehow unable to recognize a lie?” That’s never what I’m trying to express, but if we’re going to be painfully honest, the answer to that strawman argument is “Yes. I dothink that you and everyone else are sometimes unable to recognize a lie sometimes.” People hate hearing that answer. It is, however, true.
Put bluntly, people are inherently susceptible to phishing lures when they’re fatigued, distracted, or emotionally charged. Being in any of those states degrades one’s focus – the critical capability required to spot the clues that give away a phishing attack – and therefore makes a victim more prone to reacting immediately to a provocation before engaging in critical thought. This is why scammers pay attention to current events and attempt to scam us while we’re especially vulnerable.
Let me approach this from a completely different metaphorical angle and see if I can make this make sense without calling anyone’s “competencies” into question.
Back when I was an Army officer cadet, we spent most of our field time patrolling. You’d think that cadets would spend most of their time practicing “drill and ceremonies,” marching on the parade field in perfect synchronicity. In reality, it doesn’t take long to learn to march. You might instead think that cadets would spend their time on the rifle range, learning to become expert marksmen. That, too, tends to get short shrift. Range time is expensive and hard to schedule.
In reality, we spent most of our field time practicing the art of light infantry patrolling: we’d form up in squads or platoons and practice sneaking through dangerous territory in files and wedges, trying to locate “enemy” forces before they found us. We practiced marching overland and sneaking through difficult terrain, in all sorts of bad weather, mostly at night and twilight.
That last part was considered one the critical skills to master as future subalterns: we needed to know how to lead soldiers silently, in the dark, when danger was all around us. Not because it’s challenging and terribly exciting, but because it reflected our tactical doctrine at the time. As NATO forces squared off with our counterparts from the Warsaw Pact, it was assumed that each side would hold most of their soldiers back whilst small combat teams crept out into disputed territory by night, attempting to find, fix, and destroy one another in small, sharp engagements.
I can’t recall how many hundreds of hours we must have spent practicing night reconnaissance, night land navigation, night ambushes, night infiltration, setting up and relieving observation and listening posts, etc. during my cadet years. I canrecall how fatiguing it was. It’s tough to spend an entire day working and then kit up right before sundown to skulk around the back country all night long. Sneaking around at three in the morning was no picnic.
That was one of two main reasons why our training cadre insisted we spend so much time on night patrolling. First and foremost, they taught us through inculcation how fatigue degrades performance. The later into the night we marched, the more unfocused and clumsier we became until we reached the point of stumbling incompetence. I still have scars from the time I dove prone into a fire ant mound because I was too tired to realize I’d drifted out of position.
I vividly remember one company-sized night advance where we were supposed to attack an “enemy” dug into a hillside. After a map reading error (NOT mine, thank you!) caused us to waste hours wading chest-deep through a swamp, we missed our rally point and couldn’t find the “enemy’s” position. Our exasperated cadre finally threw in the towel at three a.m. and ordered us to laager up for a few hours so that we could reform and attack right before dawn. Two hours later, one of our cadets got a bit loopy on watch, started screaming incoherently, and emptied his magazine into the night. It took several very large (and hugely annoyed) grunts to wrestle the sentry’s rifle away and sit on him until he mercifully passed out. [1]
As the senior cadre officer lectured us the next morning, this was entirely to be expected: “the more fatigued you are,” he said, “the more amateurish mistakes you’ll make.” Tactical sleep plans, hydration and feeding breaks, physical fitness, and practice all helped to extend a soldier’s endurance, sure, but every trooper has their limits. Push a person too far, and they will eventually malfunction. It’s not a matter of intelligence or courage or strength; it’s simple biology.
That led to the second reason why our training cadre insisted we spend so much time on night patrolling. Under normal circumstances, the defender in an infantry-on-infantry fight always has the advantage. While the attacking force is advancing, the defender is dug in behind cover and concealment, rested and ready. Convention wisdom says that one defender can repulse an attacking force smaller than five times its own size. That’s generally true … during the day.
Night-time, however, changes everything. In infantry fighting, the cadre preached, the attacker usually has the advantage at night. Since neither side can see, and since both sides are probably equally fatigued, the side initiating the action controls the battle. The attacker acts while the defender reacts. The attacker has a shared plan, while each defender acts in isolation during those crucial first few moments when the clash throws everything into confusion. People make mistakes when they’re forced to react, suddenly, without knowing the extent of what’s happening.
This, our instructors drilled into us, is how you “win” against a trained defender: hit them when they least expect it, like in a driving rainstorm, or a half hour before sunrise. Rush them and exploit their natural confusion. If you hit the enemy fast enough and hard enough, you’ll carry the day even if you’re outnumbered, out-gunned, and/or out-classed.
That, in essence, is the central tenant of phishing attacks, too: the lure in your message doesn’t have to be exceptional. A “good enough” phishing attack will defeat trick your victim provided you deliver it while your victim is fatigued, distracted, and/or confused. Your lie only has to convince your victim it’s true long enough to compel them to follow instructions. By the time they recover their wits and realize they’ve been swindled the damage has (hopefully) been done.
This is why scammers pay very close attention to current events and play on themes related to what has people most upset at any given moment. New COVID strain? Craft a lure about vaccine failures. Stock market crash? Craft a lure about buying into cryptocurrencies. Angry demonstrations downtown? Craft a lure about violence in the suburbs and offer your victim a “real time map” … just click here. It’s all timely and accurate exploitation of powerful emotions.
The thing is, scammers aren’t restricted to just preying on current events. At any given moment, a significant percentage of any population is going to be fatigued, distracted, and/or emotionally charged … because we’re people. They know that if they hit us while busy thinking about something else – something important to us – we won’t be in a position to pay close attention to their lure. We’ll be vulnerable to a lie that’s just good enough to pass muster for a few seconds and then … WHAM! They’ve got us. All they need do is use our own foibles against us.
We need to accept this uncomfortable truth. I realize admitting that you too can tricked by a mundane phish can be mortifying. The thing is … until we come to terms with this and commit to deal with it, we’re all going to remain vulnerable to phishing. It’s not a personal failing; it’s a fundamental attribute of the human experience. If we want to keep our networks free of ransomware and our bank account information off of the “dark web,” we need to soberly acknowledge our inherent human weaknesses and adapt our inbox management behaviour to mitigate them.
It was hard to hear that as soldiers, too. A culture built on ideals of strength, pride, and competence naturally resists ideas like “if you allow yourself to get too tired, you’ll screw up and let yourself get beat on the battlefield.” It was embarrassing to learn, but it was a lesson we had to wholeheartedly embrace if we intended to keep our soldiers alive in some future conflict.
Managing your inbox might seem nearly as heroic as soldiering, but excellence is excellence no matter where it takes place. Protecting your company’s viability from the threat of cybercriminals is darned important, too. Swallow your pride and save your job.
[1] The “enemy base” we were supposed to attack turned out to be less than 75 metres away from where we’d laagered up. Our opponents couldn’t mount an effective defence, as they were too busy dying laughing from the site us of glassy-eyed zombies stumbling directly onto their position whilst trying to reform platoon order. Oh, boy were we a sorry sight …
Pop Culture Allusion: U.S. Army Field Manual 7-70, Light Infantry Platoon/Squad, September 1986. Now available for sale on Amazon because that’s just how things are now.
