
Phishing – Are you Susceptible? (Part 4)

Welcome to the fourth blog in a series of blogs discussing phishing and social engineering – and ways of protecting yourself from hackers. Today, we’ll be discussing one of the theories (which we subscribe to) of why emotion causes us to stop thinking critically: amygdala hijacking.

Bullet Point Summary

  • Emotion is the enemy. When we feel emotion based on an email, immediately consider the email to be suspicious.
  • Amygdala hijacking is focused on the amygdala, the part of the brain responsible for processing emotion.
  • When we encounter something that causes emotion, the amygdala hijacks processing power from other parts of the brain to process this emotion, specifically from the critical thinking center of the brain.
  • This is why we make bad decisions when we are emotional.
  • This is also why we shouldn’t click links when we are emotional.
  • And we recommend deleting any email that generates emotion.

Recap

In our last blog, we discussed how to analyze links. We discussed some of the differences between legitimate and non-legitimate links. Most importantly, we finished our discussion last week on the need to focus on emotion instead of solely on analyzing links.

Remember

Remember this point – only if we can deal with the emotional response that emails can trigger, can we even remotely come close to being able to distance ourselves from the email in order to do the type of analysis we talked about in the last blog.

Christopher Hadnagy

Christopher Hadnagy, a consultant with social-engineer.com, discussed in his book Phishing Dark Waters a theory known as amygdala hijacking. We subscribe to this theory and believe it’s important to understand, because it emphasizes emotion as one of the main vulnerabilities hackers try to exploit.

Theory Explained

The amygdala is the part of the brain responsible for processing emotion. When we encounter something (in this case an email) that causes emotion, the theory is that the amygdala goes into autopilot to process this emotion.

In doing so, the amygdala requires extra processing power to process the emotion, and it hijacks that processing power from other parts of the brain, specifically from the critical thinking center of the brain.

This means that an email stating your Amazon.com account has fraudulent activity, that emails have been quarantined, or that you’ve won a Macy’s $1000 gift card generates emotion: fear, urgency, panic, or greed (getting something for free or winning something). And since you would then be in an emotional state, with processing power being drawn away from the critical thinking center of the brain, you would no longer be thinking critically.

If we aren’t thinking critically, can we analyze a link?

The answer is no.

What’s the answer then – Zen?

The answer is going to sound almost Zen-like :). Understand yourself. Understand the signs of emotion: increased heart rate, sweating, etc. Understand how you feel when you have emotions like fear, greed, urgency, panic, sympathy, or empathy. Understanding is the first step.

What next?

The moment you receive an email that generates emotion, it should be considered suspicious. I would say it’s an email that should be deleted right away. However, if you’re unsure, it should be a standard rule that the email is at least closed until you’ve had an opportunity to “calm down” and eliminate the emotional response.

Once you’re able to think critically again, it’s possible to look at the link more closely.

But, if you want true protection from phishing attacks, if you feel emotion based on an email, delete the email and stop any chance of being hacked.

Always Remember

Remember, emotion will reduce your ability to think critically and cause mistakes. Understand yourself and learn to recognize the warning signs of when you’re feeling emotion based on an email.

Next Blog

In our next blog, we’ll discuss spear phishing attacks where hackers send an email and make it look like it came from someone you know, or even from you.

Author

This article was written by Kaushal Kothari, President of Secure Guard Consulting, LLC, a cybersecurity / IT audit and consulting company. Kaushal is a former FDIC IT examination analyst and certified ethical hacker with 15+ years of experience in the technology field.