Trust, Urgency, and Authority – A Cybercriminal’s Handbook to Stealing your Information

Cybercriminals prey on wide swaths of the population, and they do it by leveraging Trust, Urgency, and Authority. You don’t need to know how to pick a lock when you can convince the guard to let you in. One weak link can break an entire chain, and in the world of interconnected devices, the human element is often that weak link.

TRUST

By posing as an email or link sent from a trusted contact (friend, family or business), we are less likely to question the source and validity of the information we receive.

URGENCY

Creating a sense of urgency by requesting an immediate action (provide assistance, take down an unsavory photo, avoid a late fee, etc.), we are less likely to double check the source.

AUTHORITY

When given the impression that we are receiving information from an authority (say our bank, business colleague or superior, etc.) we are subconsciously placed into a position of following instruction and less apt to pick up on subtle irregularities.

Combining all three of these creates a combination that many of us can easily fall victim to. “The CEO” emailing a busy employee to process a wire transfer on a Friday afternoon. “The Romantic Partner” who needs money to pay for a surgery. “The Tech Support” person who will charge a fee to remove a fake virus from your computer. If a cybercriminal thinks that they can establish Trust, Urgency, and Authority in a situation, they will leverage it against us.

How Do We Protect Ourselves?

Two great ways to protect ourselves online are to take things slow and make things slow. When we slow things down, interactions typically become more secure. Think of ‘measure twice, cut once,’ ‘haste makes waste,’ or the other litany of adages we grew up hearing. It’s the same online.

Take Things Slow

Humans make mistakes when we go quickly. When a cybercriminal attacks, they want everything to feel as urgent as possible. Like a magician performing a trick, they want to draw your attention away from what is going on behind the scenes.

Confirm Verbally
Did you get an unexpected email from a coworker or friend with instructions to click on a link or open a file? Call them and be sure that they sent it to you first.

Look Before You Click
Hover over links to get a preview of where the link is actually taking you. Do not just assume that what you see as the link name is the destination you’re going to. For example, try hovering over this link http://www.facebook.com/.   When in doubt, don’t click.

Make Things Slow

Security and convenience rarely go together when it comes to cybersecurity. Think about your house; sure it would be a lot faster to get inside if your front door did not have a lock, but you might run the risk of intruders getting in while you’re away.

Make passwords long, complicated, and unique

Consider using a pass phrase in lieu of a password and add special characters and numbers.  For example, it might be easy to remember something like:

“I should use a strong password” can then become, “IShouldUseAStrongPassword” and finally evolve into, “I$houldUse@StrongPassword!”.

It’s much easier to remember a phrase compared to a random combination of letters and numbers, and significantly harder for a cybercriminal to hack.

Have a unique password for each website so that if one becomes compromised, the rest of your accounts should remain secure. If it gets cumbersome to commit passwords to memory, you can also consider using a password manager tool or app.

Keep in mind the balance between security and convenience; if you’re going to have all your passwords in one place, then the password to get into the vault better be secure!

Use Dual Factor Authentication

Dual Factor Authentication (DFA) allows you to use a secondary device (like your phone) to confirm your identity when logging in. Many websites offer this extra level of security and just need to be turned on in your settings. Yes, it is a bit tedious, but the extra layer of security is invaluable.

Be Wary of Public (or unsecured) Wi-Fi

Who doesn’t enjoy stopping into a coffee shop, ordering a little lunch, and cracking open the laptop to respond to a few emails? Remember, if it’s convenient, it’s probably not secure.

If you must use public Wi-Fi, be sure to limit your time to what is essential. If it can wait, it’s best to let it wait.

What If I Become a Victim?

Sometimes things go wrong, and against our best efforts, we make a mistake. In instances like these, the faster we can act, the more likely we will be able to resolve the situation. If you or someone you know becomes the victim of a cybercrime, please report the incident to the FBI’s Internet Crime Complaint Center (IC3).

Beyond reporting the criminal complaint be sure to also:

1) Change your account password,
2) Check for any rules or automation tools which may still be in place (i.e. email forwarding stays in place even after you change your password),
3) Review your security questions and recovery email options to be sure they were not changed,
4) Let your contacts know that your account was compromised and that they should be wary of any recent contact, and
5) Consider adding other security measures like dual factor authentication if not already in place.

If that all sounds like a lot of work, it’s because it is. A not so subtle reminder that in the world of cybersecurity an ounce of prevention is worth a pound of cure!