The Psychological Impact of Phishing
When our neighbour knocked on our door one evening, with his laptop tucked under his arm, we knew something was up. He had been scammed by a phishing email, and he said something that made me feel so angry and sad.
Presenting at a conference recently, I heard the same thing from a high-flying professional who shared how she had been a victim of a phishing email.
And, word for word, the exact same sentence was shared by a woman in a recent social engineering awareness session we delivered.
I’ve heard the same four words from so many different victims of phishing emails - and it still makes my heart sink every time.
You know what those four words are?
“I feel so stupid”
In this blog post I'm going to cover a topic that's been a theme of my work for over a decade. I often speak about it in keynote presentations, and it's the foundation of my call for more empathy and compassion in cyber security.
But right now, you're probably wondering what happened with the people I mention above, so let me give you a quick run-down.
Our neighbour was a victim of what Microsoft call the classic cold-call scam. He received a phone call from a man who sounded very persuasive and professional, claiming to be from Microsoft tech support. He was told that his Microsoft account had been hacked. He could hear background noise that sounded like a call-centre and he was passed to another of the caller's colleagues to "fix" the problem, with hold music playing while he was transferred.
All of this pretexting meant that our neighbour didn't question whether the call was legitimate. He was too busy panicking that his account had been hacked. Throughout the course of this phishing call, our neighbour shared his password with the scammers, he shared his credit card details to pay the "security fee" and followed their instructions to give them remote access to his machine.
Only when they asked for a copy of his driver's licence did he realise that something was amiss. He hung up and came straight to see us, the friendly neighbourhood cyber security professionals 💜
We scanned his machine and wiped it while he called his bank and Action Fraud - and changed his password. Our neighbour is pretty savvy, and has often picked our brains about security, so he had offline backups and didn't lose any data.
Thankfully, the tangible impact of this scam was easy to fix. The lasting impact, however, was that he (in his words) felt stupid. He felt that he should have known better and he felt ashamed, especially because he is pretty savvy.
The high-flying professional at a recent conference felt the same. She described receiving an email at work from a family member's healthcare provider. They had recently had some medical tests and the email had the test results attached.
She opened the attachment, but it was blank. She called the healthcare provider and they said:
"Oh no, don't open attachments from us - we've been hacked"
Despite the fact that the healthcare provider hadn't told her they had been hacked, she felt that she was to blame. She described feeling embarrassed that she had opened the attachment, even though she was expecting it and it was from the genuine email address of an organisation she knew and trusted.
Granted, it's not best practice to use your work email address for a personal matter. But this incident left her feeling ashamed, undermined and questioning her judgement.
It is common for victims of phishing to feel that they can no longer trust themselves, as this BBC article highlights.
This is exactly what the woman in a recent social engineering awareness session described. She actually said she felt like a fraud for being there - almost like she didn't deserve the chance to learn and develop - because she had clicked on a link that caused an incident at her previous employer.
She shared with me that:
“Now just the mention of cyber security fills me with dread”
In all of the three cases above - and the many other times I have heard those four words that make my heart sink - I have reminded the victims that being scammed does not make them stupid, it simply makes them human.
When we are manipulated by cyber criminals using social engineering, we are often going up against professional scammers. They do this kind of thing day-in, day-out. They learn what works and what doesn't. They are experts.
There is no shame in being a victim of social engineering.
As I always say: the right phish at the wrong time can catch anyone.
As cyber security professionals, we need to address the emotional impact of phishing. This is important not just in terms of real phishing campaigns, but also phishing simulations, which I talk about in more detail here.
And yet, the human impact is so often overlooked in practice.
Some academic researchers have been highlighting this issue for a while.
For example, researchers suggest that identity theft victims experience emotional and physical problems even six months after the crime.
When it comes to romance scams, many victims describe the loss of the (fraudulent) relationship as being more damaging than the financial loss. Research here suggests that some experience post-traumatic stress and most will experience damaged self-esteem and reduced self-worth.
The more we victim blame, the more people attach a sense of shame to becoming a victim.
The more people feel ashamed, the less they will engage with us.
The less they engage with us, the less they know about cyber security and the less likely that they will practise secure behaviours.
We need to start building a truly people-centric approach.
If you would like to know more about how we at Cygenta work with clients to build a positive and proactive cyber security culture, check this out.