Both technological and human defenses are necessary to preserve computer security. A company can have a level of security like Fort Knox, but if the user still clicks and opens the door, the bad guys may steal all the gold. This excellent article by Network World shares the baiting tactics employed to cause users to compromise security. I would also add “Curiosity” as a fifth common attack theme, where false news articles are used to get users to click on an infected item.

http://www.networkworld.com/article/3070455/cloud-security/hacker-psychology-understanding-the-4-emotions-of-social-engineering.html

While technological know-how certainly plays a large role in enabling attackers to hack any given system, corporation or individual, what often is overlooked is that some tricks of the trade, like social engineering, are also psychological games. That means that protecting and defending against these kinds of attacks is, in turn, part mental as well.

It’s important for IT professionals to understand the ways in which social engineers take advantage of human emotion in order to carry out their attacks. Let’s examine the four human emotions and behaviors hackers most commonly exploit as part of a social engineering campaign, the distinct campaign characteristics for each manipulated emotion, and some key considerations for better positioning your employees and your organization against falling prey to these types of attacks in the future.

1. Fear — Defined as an unpleasant emotion caused by the belief that someone or something is dangerous, likely to cause pain, or a threat. As one of our most powerful motivators, fear is arguably the most commonly manipulated emotion when it comes to social engineering campaigns. These attacks can come in the form of a phony email claiming that your online bank account has been compromised. It forces users to act quickly to avoid or rectify a dangerous or painful situation.

2. Obedience — Defined as complying with an order, request or law or submission to another’s authority. Social engineering scams that prey on obedience are often disguised as an email, instant message or even a phone call or voicemail from a person or group of superior authority, such as law enforcement or an executive at one’s company.

3. Greed — Defined as an intense and selfish desire for something, especially wealth or power. Greed-exploitative campaigns routinely offer a reward – usually monetary – for performing a specific action.

4. Helpfulness — Defined as a willingness to help other people. These campaigns are often targeted at customer support or customer service departments, as attackers are betting these employees’ propensity to lend a hand and keep people happy will encourage them to divulge or accept more information than they should.

It’s not only important that IT and security leaders understand hackers’ evolving tactics, but that they also continuously adjust policies and share their knowledge by educating their colleagues and training them to be vigilant against nefarious activity. For example, employees need to be taught to take a step back when they receive, say, a suspicious email or instant message, consider the emotion the message is trying to elicit, and ask how that might indicate foul play. While it may be obvious to you as an IT professional that an unexpected email that provokes an urgent emotional or behavioral response – such as fear, obedience, greed or helpfulness – is an automatic red flag, it likely is not obvious to the average employee.