“Please respond ASAP.”
When CFO Joe receives an email from CEO Taylor with this urgent subject line, he goes into high alert. The message is pressing. The email’s sender, Joe’s superior, and its language engage his instinct to respond to authority and deadlines. Without thinking, Joe completes a payment at her request.
Only, the message from “Taylor” was not sent by the CEO herself, but by a malicious actor who compromised her email account and set up a fake invoice to a fraudulent account for payment.
This hypothetical business email compromise (BEC) scam illustrates that, however well intentioned, an employee’s automatic urge to respond to emails like Taylor’s presents a significant security risk. Understanding how and why employees respond to such emails is critical when designing more effective BEC training that could have helped Joe identify and flag the fraudulent email.
‘Click, whirr’ responses make humans vulnerable
In his seminal book, Influence: The Psychology of Persuasion, Robert Cialdini described a set of conditioned responses and fixed action patterns as “click, whirr” behavior. This refers to responses so ingrained and reflexive in humans that they are performed almost without thinking.
These automatic responses are either critical to survival, such as steering a vehicle away from an unexpected pedestrian, or provide a mental shortcut to reduce the overhead of decision-making, as in expecting an expensive bottle of wine to have a better flavor than a cheaper one.
While conditioned responses in humans can affect our menu choices and potentially even save lives on the road, they can also make us vulnerable. In fact, cybercriminals commonly weaponize this conditioning and use it against us in BEC scams.
How BEC scams exploit human psychology
There are many technical controls to help thwart BEC attacks, but humans and security awareness training are at the root of the solution. To build effective BEC training and prevention programs, it is critical to explore what triggers automatic responses in humans — and how BEC scams are designed to capitalize on them.
Response to scarcity
One trigger that kicks off our click, whirr response is scarcity of a resource or limited time. Most people have been exposed to advertising messages such as “Supplies are limited, act now!” In most cases, the message has nothing to do with how much supply is available. The seller is simply trying to engage our scarcity trigger so the product will seem more desirable and worthy of purchase.
Similarly, BEC attempts commonly include urgent language such as “Invoice past due” or “Time sensitive: Action required.” These messages also activate our scarcity response. BEC attackers understand that employees are conditioned to take overdue invoices seriously and respond to them quickly.
Response to authority
Another effective automatic response trigger is the power of authority. People are more likely to act when directed to by an authority figure. BEC is so successful because the criminals know whom to emulate as a sender to get a rapid result. When Joe, the CFO, gets an email from Taylor, the CEO, asking for a large fee transfer, Joe is conditioned to comply with the request because of Taylor’s authority.
Sophisticated BEC attempts will look and sound as if they came from the actual sender. Thus, directing users to simply check the sender’s address or to look for typos or grammar mistakes isn’t enough. To be truly effective, BEC training needs to help users recognize when they are in click, whirr mode and prompt them to pause to consider the request.
Typically, a message such as “Urgent, please pay this now!” from Taylor’s email would prompt Joe to act fast. But, if he takes a moment to think about this request, he can combat the immediate click, whirr response to comply with Taylor’s transfer request. Then, he can cross-reference his records to determine if any payments are outstanding and text Taylor to confirm whether the payment request is legitimate.
Design BEC training with psychology in mind
It is important for IT leaders to understand that BEC training is not a one-and-done activity. Psychological research on how humans learn shows it’s easy to forget what is learned if it’s not consistently reinforced. Thus, many experts recommend training and practice on a quarterly or bimonthly basis.
Since BEC exploits begin with a phishing email, BEC training is usually part of antiphishing campaigns. These should include periodic videos that not only remind employees what BEC scams look like, but are also designed to be entertaining for employees. Campaigns may also involve BEC phishing tests launched against employees by the security department. When users engage with fake phishing emails by clicking links or responding, they receive a warning to notify them that they were duped. This feedback is designed to improve user behavior and, when combined with training, provides insight about BEC training efficacy.
Psychological research also shows that the adrenal hormones released during emotional arousal, epinephrine and corticosterone, regulate long-term memory. This can be applied to BEC training: users may experience an emotional response in the immediate aftermath of a bad-click notification, and this is an ideal time to reeducate them and help them remember how important it is to interrupt their click, whirr response before acting on an email.
It is vital to avoid shaming users during BEC training. It is easy for well-intentioned employees to make mistakes when trying to be the most efficient workers possible. Incorporating empathy into employee development and culture will be critical to the success of the lesson. User training should be about learning, not punishment.
What to do when mistakes happen
No one is perfect. Even well-trained users and executives may click a malicious link or initiate an unauthorized funds transfer, which is why training users on what to do next matters.
If possible, set up a reporting portal, email or hotline for users who think they may have fallen for a BEC scam. Timely disclosure is important from both a security and business perspective. If the user is able to report a suspicious payment quickly, there may be time to cancel the transfer before it is completed.
Organizations hit by successful BEC scams should report them to the authorities and file a complaint with the FBI’s Internet Crime Complaint Center to help law enforcement catch the criminals.