9 Cognitive Biases Hackers Exploit During Social Engineering Attacks


Cybersecurity is not just a technological challenge but increasingly a social and behavioral one. No matter how tech-savvy they are, people are often duped by social engineering scams, such as CEO fraud, because those scams exploit familiarity and a sense of urgency.

Bad actors know how to tap into the "mental shortcuts" called cognitive biases and manipulate employees into compromising sensitive information or systems. Here are the cognitive biases attackers exploit most often:

  1. Hyperbolic Discounting: Choosing immediate rewards over rewards that come later.
    Example: Free coupon or special deal scams
  2. Habit: The tendency of users to follow recurring habits.
    Example: Phishing emails delivered at a specific time of day
  3. Recency Effect: Remembering the most recently presented information or events best.
    Example: Phishing attacks referencing current events
  4. Halo Effect: When positive impressions of a person, company, etc., influence your overall feeling about that person or company.
    Example: Scam messages impersonating well-known brands
  5. Loss Aversion: The tendency to prefer avoiding losses to acquiring equivalent gains.
    Example: Phishing attacks threatening credit score damage
  6. Ostrich Effect: Avoiding unpleasant information (hiding your head in the sand).
    Example: Phishing emails warning that action must be taken quickly, or else
  7. Authority Bias: Attributing greater accuracy to the opinion of an authoritative figure.
    Example: Hackers spoofing important messages from the CEO
  8. Optimism Bias: Overestimating the probability of positive events while underestimating the probability of adverse events.
    Example: Phishing emails offering fake job opportunities or insider information
  9. Curiosity Effect: Acting to resolve curiosity even if it could lead to negative consequences.
    Example: Phishing attacks offering limited-time offers or secret information

A comprehensive security awareness training program can help employees understand these behaviors and spot social engineering attacks. Contact us to learn more.
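The same cues that awareness training teaches employees to notice can also be checked mechanically before a message reaches the inbox. The following is an added example written for this page; it is not code from the article or from KnowBe4. It assumes a hypothetical internal domain and executive roster, uses two constructed sample emails, and flags the authority-bias lure (an executive's display name on an external sending domain) together with urgency, loss-aversion, hyperbolic-discounting and curiosity phrases from the list above.

```python
import email
import re
from email import policy

# Constructed sample: executive display-name spoof (authority bias) combined
# with urgency (ostrich effect), a threatened loss and a "keep it secret" hook.
SAMPLE_PHISH = """\
From: "Jane Doe, CEO" <jane.doe@exec-mail-example.net>
To: finance@example.com
Subject: URGENT wire transfer needed before 5pm today
Date: Mon, 03 Jun 2024 16:40:00 +0000

I'm in a meeting and can't talk. Please process the attached invoice
immediately or we will lose the contract. Keep this confidential.
"""

# Constructed sample: the same executive, genuine internal address, no lures.
SAMPLE_BENIGN = """\
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review notes
Date: Mon, 03 Jun 2024 16:40:00 +0000

Attached are the notes from this morning's review. No action needed this week.
"""

# Hypothetical tenant configuration: the company's own domain and the
# names of people whose authority a lure would borrow.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrase patterns mapped to the cognitive bias each one typically leans on.
BIAS_CUES = {
    "ostrich/urgency": r"\b(urgent|immediately|within \d+ (hours?|minutes?)|before \d|right away|asap)\b",
    "loss aversion": r"\b(lose|suspend(ed)?|terminat(e|ed)|penalt(y|ies)|credit score)\b",
    "hyperbolic discounting": r"\b(free|coupon|special deal|limited[- ]time|claim your)\b",
    "curiosity": r"\b(confidential|secret|insider|you won't believe)\b",
}


def score_message(raw: str) -> dict:
    """Return the bias cues found in a raw RFC 5322 message and a simple count."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    display_name = sender.display_name
    sender_domain = sender.domain.lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = f"{msg['Subject']}\n{body}".lower()

    findings = []

    # Authority bias: an executive's name shown on an address outside the
    # company. Drop any ", CEO" / "(CEO)" suffix before matching the roster.
    name_key = re.sub(r"[,(].*$", "", display_name).strip().lower()
    if name_key in EXECUTIVES and sender_domain != INTERNAL_DOMAIN:
        findings.append("authority (executive display name on external domain)")

    # Phrase-based cues for the remaining biases.
    for bias, pattern in BIAS_CUES.items():
        if re.search(pattern, text):
            findings.append(bias)

    return {"from": sender.addr_spec, "findings": findings, "score": len(findings)}


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, score_message(sample))
```

The display-name check is the part worth keeping even if the phrase list is tuned away: a roster lookup against the sending domain catches the CEO-fraud pattern regardless of wording, while the phrase cues mainly serve to explain to the recipient which bias the message is leaning on. Run it directly to see the phishing sample score 4 (authority, urgency, loss aversion, curiosity) and the benign sample score 0.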

Information used in this article was provided by our partners at KnowBe4.
