A common but often overlooked reason why users keep falling for phishing scams is that they rely on false trust cues. Let me explain. A user might inadvertently land on a phishing website. In the right-hand corner of their browser's address bar, they see an icon of a closed padlock. They might believe that if a closed padlock icon appears in their browser's address bar, the site must be safe. So they enter their information. Or they get an email which looks professional and well designed and carries a recognisable logo. All these subtle cues can make a website feel "safe", making users more likely to divulge information. Likewise, they might get a URL (web link) in an email which points to a domain like forms.google.com or windows.net. They might think, "there is no way Google or Microsoft would allow a dodgy website on one of their servers", and so, again, they are liable to enter their credentials. Or, when examining the URL of a website, they see the word "secure" or "encrypted", which can be perceived as a sign of trustworthiness.
False trust cues can also be exploited in phishing emails by mentioning an entity of authority in the email. A request can be made ten times more effective if the recipient believes it has come from one of their managers or their boss. Or it might purport to be from a government entity. Want to target users in the construction industry? It's easy for cyber criminals to just drop the logo of an entity such as the Health and Safety Authority into the email. Want to target business owners? Just use the logo of the Revenue Commissioners.
Practical Implications of False Trust Cues in IT Security Awareness Training
1) Users need to be aware of the perceptual biases that can occur when deliberating over whether or not to open an email attachment or URL.
Provide your users with plenty of real-life examples of how social engineers exploit false trust cues.
2) Users should understand how false trust cues such as padlock icons in browsers can be easily faked. Users should understand how reassuring words like “secure” or “encrypted” can be used in spoofed domains to give a feeling of security.
3) Users should be encouraged to examine their own cognitive processes when examining an email or URL. This can also make for a great group discussion. You will be surprised at some of the other trust cues which users rely on in assessing the security of online resources.
4) Users should be educated on how seemingly trusted phone numbers which appear on their caller-ID can be easily spoofed using IP-telephony.
5) The concept of false trust cues can also be extended into our off-line lives. People have had their house burgled in broad daylight while the neighbours did nothing, because the burglars were wearing high-visibility jackets. Likewise, many an office has been robbed in broad daylight by burglars posing as delivery or maintenance personnel in high-visibility jackets. This is an easily accessible and concrete example of how false trust cues deceive people, and it makes for a really interesting group discussion. The concept of trust cues also makes your users think about IT security not only in a different light but also in a much more profound and memorable way.
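To make points 1 and 2 concrete in a training session, it helps to take the URL-based cues from the opening paragraph apart one by one: the padlock, reassuring words in the hostname, a brand name sitting in a subdomain, and content hosted under a reputable parent domain. The script below is an added example written for this purpose; it is not code from the original post. The word lists, the brand list, the shared-hosting suffixes (only forms.google.com and windows.net come from the post) and all sample URLs are constructed for illustration, and the two-label rule for the registrable domain is a deliberate simplification (real tooling would consult the Public Suffix List).

```python
"""Explain why the trust cues in a URL say nothing about who runs the site.

Added training example, not code from the original post. Word lists,
suffixes and sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Reassuring words named in the post; anyone can register a name containing them.
TRUST_WORDS = ("secure", "encrypted")

# Brand names to notice when they sit outside the registrable domain
# (constructed list; a real tool would use the organisation's own brands).
BRANDS = ("google", "microsoft")

# Platforms where ordinary users publish content under a reputable parent
# domain. The post names forms.google.com and windows.net; the list is an assumption.
SHARED_HOSTING_SUFFIXES = ("forms.google.com", "windows.net")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification for the demo: real tooling consults the Public Suffix List
    so that names such as 'example.co.uk' are handled correctly.
    """
    return ".".join(host.split(".")[-2:])


def analyse_url(url: str) -> dict:
    """Return the host, its registrable domain and a list of (code, explanation) findings."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    reg = registrable_domain(host)
    findings = []

    # Cue 1: the padlock. HTTPS proves encryption to this host, not the host's honesty.
    if parts.scheme == "https":
        findings.append(("https_not_identity",
                         f"The padlock only shows the connection to {host} is encrypted; "
                         f"it says nothing about who controls {reg}."))

    # Cue 2: reassuring words in the hostname are just labels anyone can choose.
    for word in TRUST_WORDS:
        if any(word in label for label in labels):
            findings.append(("trust_word",
                             f"'{word}' in the hostname is just a label anyone can register."))

    # Cue 3: a brand name in a subdomain does not change who owns the registrable domain.
    subdomain_labels = labels[:-2]
    for brand in BRANDS:
        if brand not in reg and any(brand in label for label in subdomain_labels):
            findings.append(("brand_in_subdomain",
                             f"'{brand}' appears only as a subdomain; the site belongs to {reg}."))

    # Cue 4: a reputable parent domain that hosts arbitrary user content.
    for suffix in SHARED_HOSTING_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            findings.append(("shared_hosting",
                             f"Content under {suffix} is published by ordinary users, "
                             f"not vetted by the platform owner."))

    return {"host": host, "registrable_domain": reg, "findings": findings}


def finding_codes(url: str) -> list:
    """Just the finding codes, handy for checks and for slides."""
    return [code for code, _ in analyse_url(url)["findings"]]


# Constructed sample URLs for a training walkthrough (example.net is a reserved name).
SAMPLE_URLS = (
    "https://secure-login.example.net/account",
    "https://google.com.example.net/",
    "https://forms.google.com/d/constructed-form-id",
    "https://mystorage.blob.core.windows.net/public/index.html",
    "http://www.google.com/",
)

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        result = analyse_url(sample)
        print(f"{sample}  (registrable domain: {result['registrable_domain']})")
        for code, text in result["findings"]:
            print(f"  [{code}] {text}")
```

Running it over the sample list gives each URL's findings with the registrable domain printed beside it, which is the one piece of the URL worth a user's attention; the discussion in point 3 tends to go well when participants guess first which of the five they would have trusted.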