Hacking Humans 6.20.19
Ep 54 | 6.20.19

The knowledge / intention behavior gap.

Transcript

Perry Carpenter: [00:00:00] Behavior happens when three things come together - motivation, ability and a prompt to do the behavior.

Dave Bittner: [00:00:08] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: [00:00:25] Hi, Dave.

Dave Bittner: [00:00:26] We've got some interesting stories to share this week. And later in the show, we've got my interview with Perry Carpenter. Perry is the author of the new book "Transformational Security Awareness: What Neuroscientists, Storytellers and Marketers can Teach us About Driving Secure Behaviors."

Dave Bittner: [00:00:41] But first, a word from our sponsors, KnowBe4. So who's got the advantage in cybersecurity, the attacker or the defender? Intelligent people differ on this, but the conventional wisdom is that the advantage goes to the attacker. But why is this? Stay with us, and we'll have some insights from our sponsor KnowBe4 that puts it all into perspective.

Dave Bittner: [00:01:08] And we are back. Joe, why don't you kick things off for us this week?

Joe Carrigan: [00:01:12] Dave, we got a good one for us this week. And by that, I mean this is absolutely terrible.

Dave Bittner: [00:01:15] (Laughter) OK.

Joe Carrigan: [00:01:16] This is an interesting story. It comes from Ian Sigalow, who is the founder of Greycroft venture capital. And he was tweeting about this recently. He tweeted, my day - impersonator took info from our website, posted fake jobs on Indeed, ZipRecruiter and LinkedIn, interviewed candidates on Google Hangout (ph), sent fake job offers on fake letterhead, asked for a blank check to set up payroll. And we learned about it once the victims started calling us.

Dave Bittner: [00:01:48] Wow.

Joe Carrigan: [00:01:48] So this is a scam where they're setting up all these fake job postings on these different sites. Then they're interviewing people on Google Hangouts. So that's got to be some kind of face-to-face interview, right?

Dave Bittner: [00:01:57] Right. Right.

Joe Carrigan: [00:01:58] And then they're asking for a blank check. And somebody asks, what do they do with the blank checks? And Ian says that they're writing in numbers, forging a signature and cashing the checks.

Dave Bittner: [00:02:07] For lots of money.

Joe Carrigan: [00:02:08] For lots of money - thousands of dollars.

Dave Bittner: [00:02:11] Yeah, there's a lot going on here.

Joe Carrigan: [00:02:12] Yeah.

Dave Bittner: [00:02:13] I mean, it's ultimately a check fraud, a...

Joe Carrigan: [00:02:15] It is...

Dave Bittner: [00:02:15] ...Check-cashing fraud.

Joe Carrigan: [00:02:16] ...A check-cashing fraud.

Dave Bittner: [00:02:18] But think about all the steps that goes through this. So there's lots of victims here.

Joe Carrigan: [00:02:23] Right.

Dave Bittner: [00:02:23] So let's say I'm one of the people who applied for this nonexistent job.

Joe Carrigan: [00:02:27] Right.

Dave Bittner: [00:02:27] No. 1, I'm out the money from my bank account because they've got my check.

Joe Carrigan: [00:02:30] Sure.

Dave Bittner: [00:02:30] No. 2, chances are I've accepted this job, which means I've turned in my resignation at my old job.

Joe Carrigan: [00:02:36] Right. You've turned in your two weeks' notice.

Dave Bittner: [00:02:39] Yeah.

Joe Carrigan: [00:02:40] You may have done so with (laughter), screw you guys. I'm out of here.

Dave Bittner: [00:02:46] (Laughter) Well, there's a cautionary tale there, I suppose...

Joe Carrigan: [00:02:48] Right. Yeah.

Dave Bittner: [00:02:49] ...About burning bridges and so forth.

Joe Carrigan: [00:02:50] Don't burn bridges.

Dave Bittner: [00:02:50] So Ian's company has to deal with the fallout from this as well.

Joe Carrigan: [00:02:55] Right. Although, I don't know what the culpability of Ian's company is. I mean, people are just going to be angry at his company, but his company didn't do anything wrong here.

Dave Bittner: [00:03:02] Yeah. I could see there being...

Joe Carrigan: [00:03:04] Somebody impersonated his company.

Dave Bittner: [00:03:04] Yeah, yeah.

Joe Carrigan: [00:03:04] He's kind of another victim in this whole scam.

Dave Bittner: [00:03:07] Right. Right. But I could see there being reputational damage.

Joe Carrigan: [00:03:10] Oh, absolutely there's reputational damage.

Dave Bittner: [00:03:11] And just the time that they have to take to deal with this situation. They have people calling and saying, hey, you know, what time do you want me to start on Monday?

Joe Carrigan: [00:03:20] Right.

Dave Bittner: [00:03:21] (Laughter) Or whatever.

Joe Carrigan: [00:03:22] Hey, did your HR person cash my check that I gave them?

Dave Bittner: [00:03:26] Right.

Joe Carrigan: [00:03:26] Couple of things about this. Ian said in one of the replies that the job boards don't use any verification system to check that a person posting the job is actually affiliated with the company. There's nothing like that going on. So you have to be extra vigilant out there and look for these kind of things somehow. Rob Tarrant (ph) made a comment about this, and a couple other people made comments about this - that whenever you submit a blank check to a payroll company, what you should do is you should void that check.

Dave Bittner: [00:03:51] Right.

Joe Carrigan: [00:03:51] Just write across it in big letters V-O-I-D. No bank will cash that check ever.

Dave Bittner: [00:03:56] Right, but they still have all the information from the check, so they could.

Joe Carrigan: [00:03:59] They do. That doesn't - and that's one of the things that Rob Tarrant says.

Dave Bittner: [00:04:01] Yeah.

Joe Carrigan: [00:04:01] It says ACH fraud is still a real risk. In other words...

Dave Bittner: [00:04:04] 'Cause anybody can print a check.

Joe Carrigan: [00:04:05] Right.

Dave Bittner: [00:04:05] You can go to the office supply store and buy check-printing paper.

Joe Carrigan: [00:04:09] Right, or they can just transfer the money through a wire transfer.

Dave Bittner: [00:04:12] I mean, this makes me think about threat intelligence. If I'm the company, do I want to engage with someone to be out there crawling around, looking for mentions of my company?

Joe Carrigan: [00:04:22] There are companies that provide that service.

Dave Bittner: [00:04:24] Yeah. I mean, it's like - ZeroFOX I'm thinking of.

Joe Carrigan: [00:04:25] ZeroFOX, exactly. Right.

Dave Bittner: [00:04:26] They do that. But I wonder about other - obviously, threat intel - I mean, you know, I'm a fan of Recorded Future since I host their podcast.

Joe Carrigan: [00:04:33] Right.

Dave Bittner: [00:04:33] But is that the sort of thing that an engagement with a threat-intelligence company would be out on the lookout for as well? I suspect it could be.

Joe Carrigan: [00:04:41] I don't know.

Dave Bittner: [00:04:42] Yeah.

Joe Carrigan: [00:04:43] That would be a good question for Recorded Future.

Dave Bittner: [00:04:45] If only I knew someone there. I'll ask (laughter).

Joe Carrigan: [00:04:47] You should ask them that. And I'll ask somebody over at ZeroFOX to...

Dave Bittner: [00:04:50] Yeah.

Joe Carrigan: [00:04:50] ...See if they scan the job boards as well.

Dave Bittner: [00:04:51] Right, so we've given ourselves homework.

Joe Carrigan: [00:04:53] Right (laughter).

Dave Bittner: [00:04:53] Yeah. This is not one that I've heard of before. I have to say I'm surprised at the amount of effort that's going into this fraud.

Joe Carrigan: [00:05:01] And the basic simplicity of the actual crime - it's just an old check-cashing - you know, like, I've stolen checks from somebody, and now I'm going to write them.

Dave Bittner: [00:05:08] Yeah, but the way that they're getting checks...

Joe Carrigan: [00:05:11] Right.

Dave Bittner: [00:05:11] ....And...

Joe Carrigan: [00:05:12] That's a long way to go to get a check.

Dave Bittner: [00:05:14] Well, I wonder also are they - is it more likely - you're hiring people in the IT field. Is it more likely that those bank accounts are going to have substantial sums in them...

Joe Carrigan: [00:05:25] Right.

Dave Bittner: [00:05:25] ...Which makes it more worthwhile to take the time to go after...

Joe Carrigan: [00:05:30] It might be the case.

Dave Bittner: [00:05:30] ...A particular - is there - how much targeting is going on here with this?

Joe Carrigan: [00:05:33] I don't know. It's a good question.

Dave Bittner: [00:05:35] Yeah.

Joe Carrigan: [00:05:36] I mean...

Dave Bittner: [00:05:36] That's plausible.

Joe Carrigan: [00:05:37] I guarantee you the Secret Service is going to be involved in this if this is all going on in the U.S., which I kind of suspect that it is.

Dave Bittner: [00:05:42] Yeah.

Joe Carrigan: [00:05:42] But the people that actually went to the banks and cashed the checks are just mules. They're not the people behind things.

Dave Bittner: [00:05:48] Right.

Joe Carrigan: [00:05:48] They are people whose job it is to go to a bank, cash the check and when they get arrested, go, I don't know anybody.

Dave Bittner: [00:05:54] All right, no happy endings yet on that one.

Joe Carrigan: [00:05:56] No, not yet.

Dave Bittner: [00:05:56] But it's certainly - it's one to be aware of from your company point of view to be checking out these recruiting sites and making sure that nobody's pretending to be you. Thanks to Ian Sigalow for sharing that information on Twitter.

Joe Carrigan: [00:06:09] Yeah, sorry this happened to you and all those other people. That's terrible.

Dave Bittner: [00:06:11] Yeah. My story this week comes from a listener. It's actually sort of a two-part thing. He wrote in - it's a listener named Dan, who wrote us with two things to say. First of all, he wanted to thank us for the show. He says it's out there. It's helping people. He said, I totally got phished by the company I work for. He says, I signed up for periodic phishing attempts to test my skills. And sure enough, they got me. I had just submitted for vacation time. And I got an email a day or two later saying my vacation time was moved, so, of course, I clicked the link, logged in with my credentials and was met with a website that said, don't panic. You've been phished (laughter). It said if this were real, here are the resources to be better prepared. He says, needless to say, I felt stupid. I should have known better and let my guard down. But that's all it takes. Here's a good part. He says, good thing is I'm in charge of an informational slideshow that plays in our break area. He says, I screenshot all the pages it took me to and created a presentation outlining all the places I went wrong and what I should have done instead. Hopefully, someone got some good out of it.

Joe Carrigan: [00:07:11] I think someone did, Dan. That's great that you're sharing your experience.

Dave Bittner: [00:07:13] So hats off to you, Dan, for that.

Joe Carrigan: [00:07:15] And, Dan, one other thing - don't feel stupid. This is not something that is an indicator of your intelligence.

Dave Bittner: [00:07:20] Yeah, you're human (laughter).

Joe Carrigan: [00:07:21] Right, you're human, exactly - good news (laughter).

Dave Bittner: [00:07:23] Yeah. Well, the good thing is it won't happen to him again.

Joe Carrigan: [00:07:26] Right.

Dave Bittner: [00:07:26] This particular scam's not going to happen to him again. I suspect his radar is going to be up on all fronts (laughter).

Joe Carrigan: [00:07:30] Right.

Dave Bittner: [00:07:31] So the second part of what Dan wrote in - he said, second - YubiKeys. I want one. He says, no wait - two. But I'm iOS-centric, pretty much 100%. And when iOS 13 rolls around, I don't see myself turning back to traditional computing. So it sounds like he's all in on something like an iPad - something like that. He says, as far as I can tell, iOS doesn't play well with YubiKeys. My question to you is this. What's the difference between using my device and an app, like Google Auth or 1Password OTP, versus a YubiKey? He says, they're both physical security that only I have. One could even argue that my device is safer than a YubiKey since it's locked to my biometrics. And he wanted our thoughts on the matter. Well, a couple of things - first of all, there is a lightning version of YubiKey coming. YubiKey has announced it. It's coming out sometime this year. There's a developer program for it, so they're testing it. So there will be a YubiKey that plays nice with iOS devices. That will be an option for you. In terms of an app versus the security key - what are your thoughts on this initially, Joe?

Joe Carrigan: [00:08:35] The thing about those apps with, like, a one-time password and anything that generates a code, even the physical tokens of generated code, those can be socially engineered out of you. For example, if you're going to a website and I have a scam website set up that is asking for your username and password and I ask you for your one-time password or the number that comes up on your hid thing or your RSA token, I can pass that straight to the site. And that will be valid. That is not possible with a YubiKey. It doesn't work that way with YubiKey. So, yes, those devices are very secure for two-factor authentication. And they are on the more secure end of the spectrum. Generally, I say that there are four different kinds of this two-factor thing that you think of in terms of some kind of validation, right? There is also knowledge-based, which I don't really consider. But you have an SMS message, which is the least secure - right? - because that's a lot easier to compromise.

Dave Bittner: [00:09:24] Right.

Joe Carrigan: [00:09:24] Then you have the soft token on your device. Then you have the hard token - the physical token - that's only moderately more secure than the soft token because the...

Dave Bittner: [00:09:32] Right.

Joe Carrigan: [00:09:32] ...Cryptography behind both of them is pretty much the same. The difference is that the thing that cedes the hard token is never exposed anywhere, whereas the software one - you generally have to see a barcode somewhere. In fact, we talked about this a couple weeks ago with the two-factor authentication.

Dave Bittner: [00:09:48] Right. Well, that's what prompted his letter.

Joe Carrigan: [00:09:50] Right. OK.

Dave Bittner: [00:09:50] And I went back, and I looked at the Google blog post on this.

Joe Carrigan: [00:09:53] Right.

Dave Bittner: [00:09:54] And what they said was according to their data, the security key - the YubiKey-type device was 100% effective all the time.

Joe Carrigan: [00:10:02] Yup.

Dave Bittner: [00:10:03] Automated bots, bulk phishing attacks, targeted attacks - 100%. The on-device prompt - so the software-based thing...

Joe Carrigan: [00:10:09] Right.

Dave Bittner: [00:10:09] ...That he's asking about - 100% for automated bots, 99% for bulk phishing attacks, between 90 and 95% for targeted attacks.

Joe Carrigan: [00:10:20] Which is still pretty good.

Dave Bittner: [00:10:21] Two ways to come at this - if my preference was to use the on-device - the code kind of thing, the...

Joe Carrigan: [00:10:27] Right.

Dave Bittner: [00:10:27] ...Software thing, I'd still feel pretty safe...

Joe Carrigan: [00:10:30] Yeah.

Dave Bittner: [00:10:30] ...Knowing that I had that.

Joe Carrigan: [00:10:31] There is more risk.

Dave Bittner: [00:10:32] Yeah.

Joe Carrigan: [00:10:32] But you have to decide, Dan, if this is the kind of risk that you want to incur. And if it is, then you're OK, right?

Dave Bittner: [00:10:38] Yeah. Yeah, and...

Joe Carrigan: [00:10:39] And it's a risk that you're accepting.

Dave Bittner: [00:10:41] Right. Do you want to use that for most of the stuff you use. But then, say, for your bank account, that's where you're using the YubiKey...

Joe Carrigan: [00:10:48] Right.

Dave Bittner: [00:10:48] ...Because it's 100%. So you have to sort of establish your own risk profile...

Joe Carrigan: [00:10:52] Yes.

Dave Bittner: [00:10:53] ...What you're willing to risk.

Joe Carrigan: [00:10:54] Exactly.

Dave Bittner: [00:10:55] All right. Well, thanks, Dan, for writing in. We do appreciate it. It is time to move on to our Catch of the Day.

0:11:02:(SOUNDBITE OF REELING IN FISHING LINE)

Dave Bittner: [00:11:05] Joe, our Catch of the Day comes in from a listener. And this is familiar and yet not one that we've read before. So here it goes. It goes like this. (Reading) Dear sir, I am sending you this private email to make a passionate appeal to you for assistance. Kindly accept my apology for contacting you this way, and forgive me if this is not acceptable to you. My name is Jackie Johnson, the son of late Dr. Samuel Obiogwu (ph), who died on November 15, 2003. I was actually born out of wedlock, and my father never married my mother. I grew up in an orphanage home. I never knew my mother, who I understand abandoned me with the owner of the orphanage home. I guess that accounts to why I do not bear my father's name officially. I am still a student of University of Lagos, and I want you to help me in receiving my late father's money in your account as his next of kin.

Dave Bittner: [00:11:54] I am contacting you because of my need to deal with persons who I have had no previous personal relationship. The woman, my stepmother, chased me out of the family house after the burial of my father in December. My stepmother and her children have never hidden their hatred of me, as my father never told them of my existence until the day I appeared at his front door. I am now contacting you because of the good news I have received from my father's lawyer today. He informed me that three days before my father's death, my father visited his office and informed him that he just deposited the sum of U.S. dollars $29.5 million with a financial institution Forum Savings and Loans Bank and would want that detail to be added to his already-written will.

Dave Bittner: [00:12:35] The lawyer was yet to have this added when my father suddenly died. He said he has made inquiries and is convinced that my stepmother and children do not know of the existence of that money. He said he was giving me this information because of his sympathy to my cross. I have since been to the bank and have confirmed that the money actually exist. I made inquiries on how I could get the money released to me. And one has informed that I should go and process a letter of administration from the appropriate probate registry. I have decided not to do it in my name. I am just 23 years old, and my stepmother and her children will be suspicious of my sudden wealth. They could kill me for the money if they ever found out. I therefore want you to assist me to process it in your name. Once this money is transferred into your account, I will like you to send 10% to my father's lawyer as a gift from me for assisting me with the information. Take 30% for yourself and help me invest the balance in a profitable business in your country. As you receive this mail, you can send your response to my address, if you cannot call right away. I will be waiting for your response - Jackie Johnson.

Dave Bittner: [00:13:36] Well, Joe, we have an opportunity here to help an orphan.

Joe Carrigan: [00:13:38] Right. Right. So you know where Lagos is, Dave.

Dave Bittner: [00:13:41] I do not.

Joe Carrigan: [00:13:41] It is in Nigeria.

Dave Bittner: [00:13:43] Of course, it is.

Joe Carrigan: [00:13:43] It's a city in Nigeria.

Dave Bittner: [00:13:44] Of course, it is.

Joe Carrigan: [00:13:45] So another Nigerian prince kind of scam. But this is the Nigerian orphan scam. Interesting. I like how this scam is crafted. It's actually very well-worded. The English is pretty good.

Dave Bittner: [00:13:55] That's true. It is remarkably well-written.

Joe Carrigan: [00:13:57] Right. It is highly implausible that an orphan would be left $29.5 million U.S. dollars.

Dave Bittner: [00:14:02] Yeah.

Joe Carrigan: [00:14:03] It is, however, plausible that if a large sum of money were left to an orphan born out of wedlock to a man, that his stepmother and siblings would try to kill him.

Dave Bittner: [00:14:11] Yeah.

Joe Carrigan: [00:14:11] That makes it seem more believable.

Dave Bittner: [00:14:12] I suppose. There is the element of danger (laughter).

Joe Carrigan: [00:14:15] Yeah, there's an element of danger. At least that's - that's why he needs our help, Dave.

Dave Bittner: [00:14:18] Well, it's a fun one and, again, a variation on something we've seen before, so.

Joe Carrigan: [00:14:24] Right. Now, remember, these scams are so preposterous because they need someone really gullible to fall for them, right? And that's why they write these things to be so implausible to most people. Because the people that do fall for it are the people that are likely to send the money.

Dave Bittner: [00:14:37] That's right. Which I will be doing as soon as we finish recording the show.

Joe Carrigan: [00:14:40] Right (laughter).

Dave Bittner: [00:14:40] So. All right. Coming up next, we've got my interview with Perry Carpenter. He's the author of the book "Transformational Security Awareness: What Neuroscientists, Storytellers and Marketers can Teach us About Driving Secure Behaviors." But first, a word from our sponsors, KnowBe4.

Dave Bittner: [00:14:58] Now let's return to our sponsor's question about the attacker's advantage. Why did the experts think this is so? It's not like a military operation where the defender is thought to have most of the advantages. In cyberspace, the attacker can just keep trying and probing at low risk and low cost, and the attacker only has to be successful once. And as KnowBe4 points out, email filters designed to keep malicious spam out have a 10.5% failure rate. That sounds pretty good. Who wouldn't want to bat nearly .900? But this isn't baseball. If your technical defenses fail in one out of 10 tries, you're out of luck and out of business. The last line of defense is your human firewall. Test that firewall with KnowBe4's free phishing test, which you can order up at knowbe4.com/phishtest. That's knowbe4.com/phishtest.

Dave Bittner: [00:15:58] Joe, I recently had the pleasure of speaking with Perry Carpenter. You and I actually met Perry at the KB4-CON.

Joe Carrigan: [00:16:04] OK.

Dave Bittner: [00:16:05] He works for KnowBe4. This new book that he's got coming out, it's called "Transformational Security Awareness: What Neuroscientists, Storytellers and Marketers can Teach us About Driving Secure Behaviors." Here's my conversation with Perry Carpenter.

Perry Carpenter: [00:16:17] I come down to this idea that I call the knowledge-intention behavior gap, which is - there are lots of things that we know about, but just because I'm aware of something doesn't mean that I care. So there's a gap between knowledge and the intention to act on the knowledge. And even when I'm aware of something and I care about it, I might not actually do that thing. An example of this is, every year, a lot of us go through this practice of making New Year's resolutions. We want to lose weight, get fit, save more money, spend more time with our families, do all these things. We know the benefit of it. We have the intention of it. We may even tell other people that we're going to do that. But most of us drop those within a couple days, if we ever even really try in the first place.

Perry Carpenter: [00:17:03] I think that security behaviors are the same way. People want to do the right thing. They may even think that they can do the right thing. But when the moment comes where that behavior should be displayed, life takes over. And that's where the neuroscience comes in and the behavior design comes in because it is all around the actual doing of the thing that matters. So I get into what I call three different realities of security awareness - just because I'm aware doesn't mean that I care; if we try to work against human nature, we will fail; and what our employees do is way more important than what they know. So behavior design really comes at all of those, and that's where the neuroscience comes in.

Perry Carpenter: [00:17:46] And I dig fairly deep into some research by a Stanford professor named B.J. Fogg that created what is the E equals MC square version of how we should be thinking about behavior. It's really easy to look at. There's a formula there. But when you peel it back, it's got layers upon layers and meaning upon meaning that starts to reveal itself over time. And what he says is behavior happens when three things come together - motivation, ability and a prompt to do the behavior. And so the formula for that is B equals MAP. So if I want somebody to do a behavior, three things have to happen at the same time. They have to have the right motivation to do it. They have to have the right amount of ability to do it. And we actually have to prompt them, or they prompt themselves to do the behavior.

Perry Carpenter: [00:18:41] If any one of those three things is off, then it won't happen. They might have the right amount of motivation and ability, but if we never actually ask them to do it or put them in a situation to do it that they can actually see that they're being asked to do it then it won't happen. They might have a lot of motivation, and we're asking them to do something. But if they don't have the requisite ability to do it then by design it doesn't happen. Or even if they can do it, and we ask them to do it but they just don't care at the time, they don't have the right amount of motivation, they won't do it. So it's all about understanding those different levers and playing with those to try to get somebody in the right context or give them the right tools or training so that they can overcome or put all those things into alignment.

Dave Bittner: [00:19:30] Now, what about the storytellers?

Perry Carpenter: [00:19:31] Storytellers, so that's about capturing attention and embedding ideas. So I go into a concept that I called Trojan horses of the mind, which is all around, if you dissect what a storyteller does, they leverage emotion very intentionally. Because emotion will lodge ideas in somebody's mind. They're very intentional with words, in the way that they use those, in the power that they have and using words that are anchoring and relevant for their audience. And even the way that things like words sound. You know, people that use alliteration, or use different types of pacing, or different volume levels or music in the background. That's all around taking that emotion side so these things bleed together. And then of course, things like visuals. I make the statement that images are like a compression algorithm for the mind. And we can have one little image, like a logo for a well-known brand, and all of a sudden, you see that and all this context about it starts to unpack itself for you. And that's just encoded in one little thing. In the book, I use a picture of a boy that's reading a book about pirates in a battle. And you can see that, and your eye takes it in, and within literally microseconds, you understand everything that's going on. But it takes half a page to a page to actually describe the scene. And so the image is extremely powerful. Everything behind the way that our minds are really trained and built to process information is around these things that we can start to leverage as Trojan horses.

Dave Bittner: [00:21:04] I think about how many of these folks who are out there trying to phish us, you know, they'll use the logos of the brands that we trust.

Perry Carpenter: [00:21:11] Exactly. Because there's already an understood meaning and - you use the word trust level - and association. And so it sails past our common defenses. I've seen some vendors out there and some well-intentioned people that will try to simulate a brand but not actually use it. And there's a cognitive dissonance that happens whenever somebody sends you, let's say, a phish that says Friendbook rather than Facebook. You're like, that may look a little bit like the logo, but there's something off. There's something different about that. I don't know that. So I'm not going to have that knee-jerk reaction that the phisher's after. And so the image is powerful. And when it's consistent and when it's the thing that has the richness of meaning that we've always associated with it because it's a thing that we've seen through repetition over, and over and over again, when that's used well and when that's used intentionally, it crashes past all of our defenses.

Dave Bittner: [00:22:05] Yeah. Isn't that interesting, the way that how often something just doesn't feel right, and you can't always put your finger on it right away but it seems like the bad guys, they find ways to short-circuit that, to overcome that feeling of hesitation that you have?

Perry Carpenter: [00:22:19] Yeah. I think for a lot of them, they might not know the science behind it, but they have an intuition about it because it's what would work on them. And so as they get more and more sophisticated, they start to understand naturally that there are levers around trust that they can use. If you look at the work by Robert Cialdini on influence that I cite in the book as well, he talks about a number of levers of influence that get used, from things like authority, to urgency, to scarcity and so on. And so the marketing world understands all these things implicitly when they're trying to sell us things. And phishers - and even us as security awareness professionals, we're all trying to sell something. We're trying to capture that microsecond of attention and have enough signal to cut through the noise of everyday life that we can embed that hook or that message or that idea and then pull the person forward.

Dave Bittner: [00:23:15] It's fascinating to me just the - you know, the different levels of influence that we all use in our day-to-day lives. And many of them are for good purposes. You want to be a friendly person. You want to be attractive and well thought of to the people who are around you. I think most people, their inclination is to be trusting.

Perry Carpenter: [00:23:34] Yeah. It is. And if I flash back to B.J. Fogg, who I mentioned before, he has a really profound statement. It was put out in a tweet probably close to 10 years ago at this point. And he says humans are lazy, social and creatures of habit. And he was talking about product design. He said, if you're building a product, you have to account for these things. We want to do things the easiest way possible. We want to be seen and liked by others, and there's definitely the social component where we will conform to society's expectations. And then we like to do things the way that we've always done them. When you think about that second one, that's actually directly related to what you mentioned. We're social by nature. And we will either comply, or we will be an outlier. And from a social perspective, when we're an outlier, there's only two things that happen. We're either idolized, or we're ostracized. And most of us are generally going to fall in with the pack and we're going to find ways to be trusted, or we're going to find ways to try to peacock a little bit, hoping that people will start to look up to us because we're different enough. But we don't want the negative side of that.

Dave Bittner: [00:24:45] So beyond some of the things you dig into here in the book about the neuroscientists, the storytellers, the marketing - I mean, part of the book is really focused on some of the practical things that people can do.

Perry Carpenter: [00:24:55] Yeah, absolutely. So one of the things that I really want somebody to be able to take away from this book isn't just all the theory and the fun things that we can dive into and research and geek out on and ultimately try to do some real good for our programs. But I want people to feel like they're empowered to actually get the program going in the first place, and so that means thinking about, how do I gain executive support? How do I put the steps of a program together that are going to take things to the next level and to have maturity? How do I measure things - things that aren't even electronic in nature? Like, how do I measure whether my program against tailgating is being effective or for people to shred documents more often and so on? So all of those ideas are packed in, even to the point of thinking through how I get by and throughout the organization using social influence and using things like - there's a cognitive bias called the Ikea effect, which means that if somebody starts to build something themselves, then they'll start to take ownership. It's almost like what phishers will use, which is the sunk cost fallacy, which is the more time, more investment you put in something, the more you're going to put in that.

Perry Carpenter: [00:26:12] We can actually use what's kind of the good version of that, which is the Ikea effect, which is, if somebody starts to help build something, they'll take ownership of that, as well. So if I have my marketing team or my PR team or product development team within my organization help build a component of my awareness program, well, now they're obviously also going to be an advocate of that. And they're going to be brought in. They're going to evangelize that to their team and say good things about it, rather than feel like it's a waste of time. So the more we can start to leverage those things to our benefit, the better and the better we'll be positioned for success, for buy and, ultimately, sustainability.

Dave Bittner: [00:26:52] All right, Joe. What do you think?

Joe Carrigan: [00:26:53] A lot to unpack there. That's a big interview. The first one I want to touch on is the three laws of security awareness. Just because I know doesn't mean I care. I love that. Working against human nature is a recipe for failure. That is probably the most paramount point of these three, I would say. And what your employees do is more important than what they know. His discussion of B.J. Fogg's work - the behavior equals motivation plus ability plus the prompt - interesting because this is exactly what the scammers do. They're going to find out if you have the ability to do something - usually, give them money. Then they're going to motivate you to give them the money, and then they're going to prompt you for the money. It works both ways. It's just like E equals MC squared works. You know, you can use that to either make nuclear power or melt cities.

Joe Carrigan: [00:27:36] When he starts talking about images, I like how he says, images are a compression algorithm for the mind, or another way of saying that is, a picture is worth a thousand words. When he talks about phishing with images that kind of look like they're not the real images - you know, like Friendbook, he uses as example - when we're actually doing real phishing exercises, legitimate phishing activity, we're still bound by the law, right? So we can't steal someone's copyright information or trademark information to do a phishing test without their permission.

Joe Carrigan: [00:28:02] But I do have something I want to show you here, Dave. I want you to tell me what you're looking at here.

Dave Bittner: [00:28:07] OK.

Joe Carrigan: [00:28:07] Ready? What is that?

Dave Bittner: [00:28:08] Those are Sharpies - Sharpie pens.

Joe Carrigan: [00:28:10] Those are not Sharpie pens.

Dave Bittner: [00:28:12] Yes, they are (laughter).

Joe Carrigan: [00:28:13] Nope. They're not.

Dave Bittner: [00:28:14] Oh. They're...

Joe Carrigan: [00:28:15] Those are Skerple pens.

Dave Bittner: [00:28:16] They're the Skerple pens.

Joe Carrigan: [00:28:17] (Laughter) Right.

Dave Bittner: [00:28:18] So they are.

Joe Carrigan: [00:28:19] If you Google Skerple - S-K-E-R-P-L-E - and just go through the images, you'll see how good of a fake logo - this is the best one I've ever seen. You know, that's using something very close as an image to...

Dave Bittner: [00:28:32] Right, even the shape of the object itself.

Joe Carrigan: [00:28:34] Right. Exactly. It's a knockoff Sharpie pen what - is what it is.

Dave Bittner: [00:28:37] I see.

Joe Carrigan: [00:28:37] I don't even know if they still make them. I like when he talks about humans being lazy, social creatures of habit, and I like the Ikea effect being the flip side of the sunk cost fallacy. That's an interesting thing. Again, you're using the same phenomenon for good or for bad. I guess when you're phishing somebody in the example, yeah, you're relying on the sunk cost fallacy. But, you know, a lot of these cognitive processes have, of course, good and bad effects.

Dave Bittner: [00:28:58] All right. Thanks to Perry Carpenter for joining us. The book is "Transformational Security Awareness: What Neuroscientists, Storytellers and Marketers can Teach us About Driving Secure Behaviors."

Dave Bittner: [00:29:08] That is our show. We want to thank all of you for listening.

Dave Bittner: [00:29:10] And of course, we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can order up at knowbe4.com/phishtest. Think of KnowBe4 for your security training.

Dave Bittner: [00:29:27] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.

Dave Bittner: [00:29:34] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Our staff writer is Tim Nodar. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:29:52] And I'm Joe Carrigan.

Dave Bittner: [00:29:53] Thanks for listening.