Security & Fraud

Why ‘Virtually Any Person’ Can Fall Victim To Malicious Links

Victims of malicious links

Though it seems like an easy thing to avoid, not clicking on bad links sent by cybercriminals may be harder than you think.

According to security researchers, human factors can lead most people into clicking on a dangerous link.

Zinaida Benenson, who heads the human factors in security and privacy group at the University of Erlangen-Nuremberg’s IT Security Infrastructures Lab in Germany, believes that, despite security awareness, anyone can be tricked into falling for these malicious schemes.

During a talk at the Black Hat conference this week, Benenson told attendees that, even with the right training, it is still “highly unrealistic” to think a person can avoid clicking on a malicious link at some point.

“By a careful design and timing of the message, it should be possible to make virtually any person … click on a link, as any person will be curious about something, or interested in some topic or find themselves in a life situation that fits the message content and context,” Benenson told ZDNet.

According to Benenson’s research, two factors can often lead people to making mistakes: context and curiosity.

“We show that curiosity and context of the attack play the most important role in the unsafe decision-making of the users, thus making thwarting skillful attackers a difficult task,” the research explained.

There are certain human traits, Benenson said, that “cannot be patched” because they will forever be exploitable by criminals and, therefore, are inherit vulnerabilities.

The FBI recently pinpointed what reports call “ground zero” for fake supplier emails and invoices requesting firms to wire funds.

According to reports published last month, Hong Kong is the epicenter of these business email scams, with fraudsters already nabbing (or attempting to steal) $3.1 billion from unsuspecting companies. Cyberthieves email a company, generally in the U.S. or Europe, that already has relationships with suppliers or brokers in Hong Kong. The email requests a wire transfer for goods or services, with a convincing enough note to not raise suspicion, and then, payment is made.

The FBI has dubbed the Business Email Compromise a “super swindle” due to the value of money already stolen through the scam. According to authorities, there has been a 1,300 percent increase in losses since Jan. 2015. Businesses across 100 countries have been affected; reports of the scam in 2016 are already up by 270 percent.

Authorities say cybercriminals are becoming more sophisticated with the crime, too, with rising instances of executives at legitimate trading companies having their emails hacked to send the requests for payment.


Featured PYMNTS Study:

More than 63 percent of merchant service providers (MSPs) want to overhaul their core payment processing systems so they can up their value-added services (VAS) game. It’s tough, though, since many of these systems date back to the pre-digital era. In the January 2020 Optimizing Merchant Services Playbook, PYMNTS unpacks what 200 MSPs say is key to delivering the VAS agenda that is critical to their success.

Click to comment