How cybercriminals exploit the way we make decisions

By Brent Snow and Sean Murray | September 20, 2022

Knowing about decision traps can help you outsmart the bad guys to protect yourself and your organization

With special guest contributor Candice Carter

This summer, Brent’s 92-year-old mom was hit with COVID. About the same time, she was hit with a computer virus from a phishing attack.

Thankfully, she wasn’t severely impacted by COVID. However, she was very much impacted by the phishing attack. Everyone in her email history and address book got phishing messages, and some of her important online financial and health accounts were at risk of having been compromised.

Brent’s family had her immediately shut down her computer and take it to local technicians to be professionally wiped of malware and viruses. They also worked with her to change all of her passwords and switch to a different email host, which required her to drop her beloved AOL email address of 20 years, rebuild her address book, and try to retrieve precious past emails without re-triggering the malware.

This process took her offline for more than two weeks and essentially cut her off from her kids, grandkids, friends, and community.

While we have no idea what link or phishing email she had clicked on, we know it was likely something that made complete sense to her and to which she reacted quickly. She had been well schooled on what not to respond to or click on, and she is in full command of her faculties. We suspect the cybercrooks likely hacked into her decision-making processes by exploiting one of several possible mental shortcuts that any of us could fall prey to.

For her, the impact was two weeks of hassle and being cut off, plus a bit of embarrassment. For organizations, the impact can be much more significant – loss of customers, reputation, trust, money, jobs … the list can be long. A recent IBM benchmark study put the average cost of a data breach in 2022 at $4.35 million.

Mental shortcuts can create errors

We make a lot of decisions each day, whether or not we are aware of them. Depending on how a “decision” is defined, the daily number can creep into the thousands. Although we may believe most of our decisions are rational, cognitive science shows that we are often far less objective than we think. Our brains use mental shortcuts to preserve cognitive resources whenever it can. These shortcuts do not necessarily reflect reality or rationality, but we rely on them to expedite and simplify information processing. In fact, we use them so frequently and effortlessly that we do not even realize we are doing so.

While these mental shortcuts help us deal with the complexities of life, some can negatively impact our decision-making. We call these shortcuts “decision traps.” What’s worse, these decision traps are predictable, which means cybercriminals can exploit them and trick us to gain access to our sensitive data. Not surprisingly, cybercrooks continue to become more sophisticated in their use of social engineering techniques to exploit these decision traps.

When we better understand how these traps work, we can anticipate how cybercrooks might attempt to take advantage of us. This knowledge can help us not fall prey to their tricks. In short, knowledge is power to help us thwart cybercriminals by being ready for their ruses and outsmarting them in advance.

Decision-making traps and cybercrime: Cartoon of knight guarding office door - He really takes IT security seriously

7 common decision traps and how you can prevent cybercriminals from exploiting them

1. Confirming Evidence Trap

What it is: We tend to favor information and facts that support beliefs and assumptions we already hold. On the flip side, we avoid seeking disconfirming evidence and often seek to discredit information that contradicts our beliefs.

How cybercrooks exploit it: If a cybercriminal knows that we are predisposed towards a product, cause, or belief, it is much easier to get us to click on a link that purports to support and bolster that product, cause, or belief, or to click on a link that discredits the opposite view or belief.

Knowledge is power: Be wary of emails, texts or other communication from unknown sources that line up too perfectly with things you believe, like, or favor. Understand that cybercriminals try to build a bridge to suit you based on common interests they have identified.

Information security tip: Move your cursor over a link (don't click!) to hover over the URL to reveal the actual destination of the page it connects to. If the link text says you are going to “Amazon” but the actual link URL looks something like this —http://amaozon.support.com— this is a major red flag.

2. Groupthink Trap

What it is: The Groupthink Trap is the tendency to be overly influenced by what others are doing and giving too much credence to others' opinions and judgments.

How cybercrooks exploit it: Cybercriminals often indicate that many others have benefitted from responding in a certain way, trying to create the expectation that a similar response by you will lead to the same benefit. Or, they gain access to your network of friends and send you something that suggests that your friend tried this, clicked on it, and got a positive result.

Knowledge is power: In our fast-moving world, going along with the group consensus is an easy mental shortcut. When you see a recommendation to click on something from someone you know or from a group or organization you are likely to trust, you should investigate carefully before acting. Reach out to a person via another channel to see if this ‘recommendation’ is really from them.

Information security tip: Always verify the sender before responding or clicking on a message if something feels off. Reaching out to the person via their verified phone number is a quick, additional step you can take to remain secure from a suspicious message.

3. Snap Judgment Error

What it is: Snap judgments are quick decisions we make based on narrow slices of information. We couldn’t get through a day without making hundreds of them, and many are accurate. The errors occur when we unconsciously rely on appearance and other surface attributes that may be misleading, or the inaccurate pre-judgment of information based on the person or the source delivering it. In many ways this trap is one of the most predictable and often exploited decision traps.

How cybercrooks exploit it: One way they do it is by impersonating a figure of authority. For example, they might craft an email that supposedly comes from your CEO or someone in a leadership position pressuring you to fulfill an online task:

“Dear Sean, I want to thank you for being such a great employee. By the way, I have a quick request. Could you…”

Variations on this include a scammer imitating an email from a different department in the organization to gain information from you, and hence you click on an email that has been carefully designed to look like it is an urgent work message from HR, only for it to be a scammer stealing your login credentials for the office.

Another way they exploit this decision trap is by creating fake identities from reputable sources because most people tend to be responsive to people or institutions with an established level of prestige, authority, or power (like a government department, your bank, a law enforcement agency, or an organization with brand power). This is because cybercrooks know that people will often make a snap judgment based on the perceived status or reputation of the sender. (In social engineering parlance, this is also known as building rapport.)

Another way they exploit this trap is by combining name recognition with urgency:

“Hey Candice, can you quickly send me your cell number? I’m at a conference and need to give it to one of the participants who has a question I know you can answer.”

Today we are all moving so quickly, often checking email and messages on our phones, it’s easy to fall victim and respond in a hurry before checking the sender’s address closely. Our brain sees the name of our boss, and we immediately shoot back a response.

Knowledge is power: Be vigilant about giving undue weight to whomever the sender “seems to be” in requests. If you find yourself responding too quickly because you assume you should, given the supposed authority of the sender, slow down and first verify that the sender is legitimate. Also be wary when something is presented as a sure bet. Our snap judgment tendencies can trick us into perceiving it as the best option. Also watch for one-sided phrasing of options when making a choice.

Information security tip: To escalate phishing emails safely, forward the message to “7726” which ironically spells out the word SPAM on most phones. This will launch an investigation into the message by your provider.

4. Loss Aversion / Sunk Cost Trap

What it is: Humans are wired to avoid loss. We also tend to make new choices to justify past decisions and we can be overly influenced by costs or investments from the past that can’t be recovered.

How cybercrooks exploit it: Hackers understand our automatic desire to avoid loss and will indicate that a failure to act or respond will result in some type of penalty, end of a relationship, or loss of status. The malicious messages are framed in such a way that predisposes us to act to avoid the loss. For example, hackers often try to entice us with links to “avoid losing out on this opportunity” or "avoid losing access to your account.”

In terms of the related Sunk Cost Trap, cybercrooks know we are more likely to follow through with something if we have already invested time or money, regardless of whether those costs outweigh the benefits. For example, they may first entice you to contribute a very small amount of money or time, often disguised as an effort to help someone in need. Later, because you already invested a small sum, you are more likely to send a larger amount. This is also sometimes called the “escalation of commitment trap.”

Knowledge is power: Whenever we are presented with something framed as a “loss” to avoid, or when an initial small commitment is all that is being asked for, be wary. Question the legitimacy of the offering.

Information security tip: Consider calling the source or going to the original trusted website to review the request you have been prompted for. It’s much more secure to go to the original source rather than trust a notification with a pressing tone.

5. Information Overdose

What it is: Our lives are filled with computers, mobile devices, apps, email, news from multiple sources, and social media constantly fighting for our attention. This creates cognitive overload and a tendency to always be multitasking.

How cybercrooks exploit it: When you’re tired or you’re not paying attention, you're more likely to click on a link you’d normally avoid. If you’re distracted by too many inputs and also in a rush, you might open an attachment you’d normally ignore, or you might click on a link that seems innocuous. Cybercrooks also know the likelihood that you will do so increases as you become more tired and distracted. One research study found that 41% of employees miss a phish because they are tired and 47% because they are distracted. In daily life, this can translate to falling for a fake email before rushing off to a late-day meeting only to have your payment information phished by a spoof site.

Knowledge is power: Given the number of decisions you make every day, know that later in the day you are more likely to click on a phishing email. Always try to be present and in the moment when processing information. Cybercrooks are aware that the part of our brain that helps us make rational decisions can be hijacked by our amygdala, which is more reactive and fear-driven (see loss aversion above), especially when we are tired, burned out, or distracted. Try to keep your mind active, and watch out for content designed to trigger your emotions such as fear, greed, or curiosity and trick you out of critical thinking. Use your heightened emotions as early warning signs and force yourself to quiet down, focus, and pay attention before you respond or react.

Information security tip: Remember, it’s okay to slow down. Email fatigue is real. Taking your time can help you stay vigilant against cybercrime.

6. Anchoring Trap

What it is: With the Anchoring Trap, we remember (anchor on) one piece of information in a way that potentially skews our judgment on something else.

How cybercrooks exploit it: Many banks now offer an “opt-in” option to get a text alert if there is suspicious activity on your account or if you are in danger of overdrawing your account. So you opt in, knowing that getting notified about such things is good. Unbeknownst to you, this decision to opt in to protect your account becomes an “information anchor” in your brain. Later, a cybercriminal sends you text pretending to be your trusted bank indicating that they need a payment transferred quickly because an overdraft alert has been prompted. Remembering that you opted in (the original information anchor), and because the request seems urgent (triggering Snap Judgment Error) and there might be some penalty if you overdraw your account (triggering Loss Aversion), you respond to the text to initiate the transfer.

Knowledge is power: When you find yourself basing a new decision on some past decision or piece of information, your first instinct should be to take a moment to consider if there has been a prior piece of information that could be influencing you right now. Then take the time to verify the request's legitimacy. When something feels off or the request relates to a prior piece of information you received or made a decision about, it is truly better to listen to your gut and be cautious.

Information security tip: Do not provide personal information or details about your organization unless you can verify the person’s identity and authority to have the information.

7. Availability Trap (also called Recency Bias)

What it is: The Availability Trap is the tendency to give undue weight when making decisions to recent memorable or particularly sticky events, trends, and happenings in the world around us. When news is dramatic, vivid, or connected to something we care about, the Availability Trap can skew our decision-making.

How cybercrooks exploit it: Email isn’t the only tool the bad guys use to phish for your information. Vishing, or “voice phishing” attempts via malicious phone calls are often used to exploit recent information in the news. For example, the pandemic provided ample opportunities for scammers to tap into this trap by offering, for example, free COVID test kits or information about PPE loans. Currently we have lots of news about rising interest rates and volatile stock markets. Think about the opportunities that creates for vishers.

Vishing calls often come from a phone number you may recognize or a local area code. Once they have you on the line, the call quickly escalates to asking for your personal information, such as your name, address, payment information, and more.

Knowledge is power: The uncertainty of our times, along with social media amplification, means that we are living in world where there is a constant flow of dramatic and sticky news. When you are contacted about something that you’ve just recently heard about or something that seems to be very connected to something you care about, be aware that the Availability Trap could hijack your decision-making.

Information security tip: If you’re unsure a phone call is legitimate, hang up and try contacting the organization directly using their official phone number or website. Better yet, don't answer calls from unknown sources.

7 additional tips for making good decisions and thwarting the cybercrooks

1. Beware of links and attachments

If you are asked to click a link —or worse, to open an attachment— be wary. Always check the email address or the web address of the sender. These often look like real companies on the surface but have odd prefixes or suffixes that do not add up. If things look at all illegitimate, do not proceed and do not click the link. Also, watch for subtly mismatched email addresses or links, such as name@Wh0.org instead of name@who.org.

2. Beware of geeks bearing gifts

Be suspicious any time you are contacted by an unfamiliar individual or agency offering you an improbable gift or to help you avoid a potential problem related to your finances, business, or personal life. These messages sound plausible at first glance but digging a bit deeper can reveal other telltale signs of malicious intent. This includes:

Urgent or threatening language. For example, they may threaten you by indicating that your software is out of date or your warranty is about to expire, or, a supposed text message from your bank may say your account has been blocked and you need to verify your identity using the link.
Spelling & grammatical errors
Broad language (“Hello Sir or Madam”)
Too-good-to-be-true promises
Requests for confidential information
Unexpected emails (an email from “Amazon” about an order you didn’t place)
Suspicious attachments
A surprising amount of personal information
(Cybercrooks can gather a lot from social media and from your publicly available profiles.)

3. Put up a shield

4. Do not reply

5. Ask a friend

6. Get smart

7. Use the power of the pause

We live in a world where a strong premium is placed on responding immediately to requests. If there is one tip we can offer that stands above all others, it is: Insert a brief pause before reacting to messages and requests.

A brief, reflective pause is a powerful antidote to many of the mental shortcuts and decision traps we have described. The world can wait a few minutes, and that brief pause may save you countless hours and much distress later.

We don’t know if a brief pause would have allowed Brent’s mother to recognize and avoid her phishing attack, but it very well might have.

Conclusion

A good social engineer knows how to take advantage of the way people think and make decisions, and some of the bad guys are skilled social engineers. Getting hacked has major implications both for ourselves personally and for our organizations. In addition, recovering from being phished via email or vished by phone can be a huge drain of your mental and emotional energy.

While we don’t want to become cynical and paranoid, we also don’t want to unwittingly fall prey to cyberattacks that can easily be avoided with a better understanding. It’s important to take steps to protect ourselves by getting smart about how hackers turn our simple decision-making shortcuts against us.

The tips listed here can protect you and your organization from damage to your finances or your reputation, and can help you avoid difficult disruptions to your life and business.

Special guest author Candice Carter is an information security expert at Novavax. She suggested this topic after attending a Decision Mojo™ session and recognizing that what Brent was teaching about decision-making was applicable in the cybersecurity world.

Diagnose a decision

Could you be falling into one or more common decision-making traps? Take a complimentary Decision Mojo™ Decision Diagnostic to find out!

Evaluate a pending decision for traps!

Author
Recent Posts

Brent Snow and Sean Murray

As founder, driving force and chief instigator at 10,000 Feet, Brent Snow brings a singular ability to understand and translate an individual or organizational learning need into imaginative and elegant learning solution including the popular Interplay, Decision Mojo and The Inclusive Leader learning experiences. Based on the West Coast, Sean Murray is a passionate facilitator and skilled account manager. Sean works with 10,000 Feet’s clients to identify and deliver learning solutions that address strategic business needs.

Latest posts by Brent Snow and Sean Murray (see all)

3 decision-making lessons from ‘A Christmas Carol’ - December 19, 2023
8 ways to use generative AI to improve decision-making - December 4, 2023
The NBA’s 3-point shot provides a cautionary tale for leaders navigating disruptive innovation - May 30, 2023

Posted in Articles and tagged current, decision mojo, decision traps, decision-making