Spy Secrets Revealed: Cyber Criminals Recycle Spy Tradecraft
What employees and individuals need to know in order to stay safe in the face of this continually growing threat
Key Points
- Today’s cybercriminals are more frequently taking a page from traditional espionage tactics, much to their benefit.
- Awareness of these tactics and learning how to combat them in everyday work and routines is critical.
- Organizations must incorporate these spy-like tactics into their security awareness training and cybersecurity strategies.
- Mimecast hosted a webinar discussing this topic with Shawnee Delaney, Founder and CEO at Vaillance Group and a globally recognized expert in human risk management, insider threat, and security investigations.
There are many similarities between the tactics used by spies in traditional clandestine operations around the world and those used by cybersecurity threat actors. Both rely on recruiting people to willingly or unwillingly provide access to sensitive, guarded information. In the case of a traditional spy, the goal is for governments to gather, analyze and sometimes influence information important for national security and a country’s strategic interests. A threat actor’s objective is to obtain the credentials and foothold into an organization to harvest information to sell for profit or to use to commit crimes.
According to Shawnee Delaney, Founder and CEO at Vaillance Group and a globally recognized expert in human risk management, insider threat, and security investigations, “Social engineers and cybercriminals, they are not inventing anything new. They are essentially recycling spy tradecraft.” Let’s take a look at some of these tactics.
Masters of manipulation
Successful cybersecurity threat actors are masters of manipulation, often exploiting human emotions, particularly fear, to achieve their malicious goals. By crafting messages that create a sense of urgency or panic, such as fake warnings about compromised accounts, unpaid bills, or impending legal actions, they pressure people into acting without thinking.
These social engineering tactics prey on our instinct to resolve perceived threats quickly, leading victims to click on malicious links, download harmful attachments, or provide sensitive information like login credentials. Fear is a powerful motivator, and cybercriminals use it to bypass our rational judgment, making even the most cautious individuals vulnerable to their schemes. Recognizing these emotional triggers is key to staying vigilant and protecting ourselves from falling into their traps.
Authority bias
People can be particularly vulnerable to manipulation through malicious emails and messages from perceived authority figures due to a psychological phenomenon known as authority bias. This bias stems from our innate tendency to comply with requests or instructions from those we view as having power, expertise, or influence.
Cybercriminals exploit this by impersonating managers, executives, or other authoritative figures, crafting messages that create a sense of urgency or obligation. For example, an email appearing to come from a CEO might request sensitive information or immediate action, leveraging the recipient's desire to please and avoid disappointing someone in a position of power. The fear of repercussions or the instinct to follow orders without question can override critical thinking, making individuals more likely to fall victim to phishing scams or other forms of social engineering. This highlights the importance of fostering a culture of skepticism and training employees to verify requests, even from trusted sources, before taking action.
Reciprocity and curiosity
Reciprocity and curiosity are two psychological triggers often exploited in malicious emails to entice people into clicking on harmful links. Reciprocity plays on the human tendency to feel obligated to return a favor; for instance, an email might offer a free gift, exclusive discount, or helpful resource in exchange for clicking a link. This creates a sense of indebtedness, prompting the recipient to act without fully considering the risks.
Curiosity, on the other hand, taps into our innate desire to uncover the unknown. A cleverly crafted subject line like "You won't believe what we found out about you!" or "Urgent: Unclaimed funds in your name" can spark intrigue, leading recipients to click out of a need to satisfy their curiosity. Together, these tactics create a potent psychological pull, making even cautious individuals more susceptible to falling for phishing schemes.
Preying on our emotions
Much like spies, cybercriminals have become very adept at preying on the emotions of their targets. They prey on greed by crafting enticing messages that promise financial rewards, lottery winnings, or exclusive deals, prompting victims to click on harmful links or share sensitive information. Similarly, they exploit our helpful nature by posing as trusted colleagues, friends, or authority figures in distress, creating a sense of urgency that lowers defenses and encourages quick, uncritical action. By combining emotional manipulation with social engineering, these tactics effectively deceive individuals and open the door to cyberattacks.
Additionally, cybercriminals leverage over-confidence, routine, and complacency to further their schemes. Many individuals believe they are too savvy to fall for scams, skim emails during busy routines, or rely too heavily on organizational security measures, making them less vigilant. By mimicking familiar patterns, such as work-related requests, package updates, or financial notices, and using AI tools to personalize messages based on social media activity and online behavior, cybercriminals create highly convincing emails. These tailored messages reference specific details, such as recent purchases or professional milestones, making them appear authentic and increasing the likelihood of engagement.
The act of not acting
Shawnee Delaney offers a great piece of advice for people who may find themselves on the receiving end of cybercriminal spy-like tactics, either in their work or personal lives: “I always tell my kids that if they get an email or a phone call…and it makes them feel a big emotion, that they should not do anything.”
When people encounter a time-sensitive email or message that could potentially be malicious, it’s crucial to resist the urge to act immediately. Cybercriminals often exploit urgency to bypass rational decision-making, prompting hasty actions like clicking on harmful links or sharing sensitive information. Pausing to verify the authenticity of a message can be the difference between falling victim to a scam and safeguarding personal or organizational security.
Simple steps like checking the sender’s email address or contacting the sender through a trusted channel can help confirm legitimacy. By prioritizing caution over speed, individuals can protect themselves and their organizations from phishing attacks and other cyber threats.
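The two checks above (does the sender's address match who the message claims to be, and is the message pushing a "big emotion") can be written down as a small triage script. This is an added illustration, not code from the webinar or from Mimecast; every name, domain and address in it is constructed, and the executive directory is a hypothetical stand-in for whatever list an organization keeps.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed values for the example; nothing here refers to a real organization.
INTERNAL_DOMAIN = "example.com"
# Hypothetical directory of executives whose names an impersonator would borrow.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Urgency and fear phrases of the kind the post describes.
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|right away|compromised|unpaid|legal action|unclaimed funds)\b",
    re.IGNORECASE,
)

# Constructed sample: CEO display name on an outside address, replies diverted elsewhere.
SAMPLE_SUSPICIOUS = """From: "Jane Doe" <jane.doe@example-ceo-mail.net>
Reply-To: jd.private@webmail.example.org
To: analyst@example.com
Subject: Urgent: need this handled before the board call

Please act immediately and keep this between us.
"""

# Constructed sample: the same executive writing from her real address, no pressure.
SAMPLE_BENIGN = """From: "Jane Doe" <jane.doe@example.com>
To: analyst@example.com
Subject: Slides for Thursday

Attached are the slides we discussed. No rush.
"""

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw):
    """Return a sorted list of red flags; an empty list means nothing stood out."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    flags = set()
    if domain_of(addr) != INTERNAL_DOMAIN:
        flags.add("external_sender")
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and expected != addr.lower():
        flags.add("exec_display_name_mismatch")  # the authority-bias lure
    if reply_to and domain_of(reply_to) != domain_of(addr):
        flags.add("reply_to_mismatch")  # answers would go somewhere else
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    if URGENCY.search(text):
        flags.add("urgency_language")  # the "big emotion" cue
    return sorted(flags)
```

Any non-empty result is a reason to pause and confirm through a trusted channel rather than a verdict on its own; a legitimate message from a personal address can trip the external-sender flag.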
Learn more
This blog only scratches the surface of the discussion between Shawnee Delaney and Mimecast’s Chief Marketing Officer Adenike Cosgrove and Chief Product Officer Rob Juncker. Watch the full session, Spy Secrets Revealed: Mastering Human Risk, and while you’re at it, get exclusive access to Mimecast’s Cybersecurity Awareness Kit, which contains best practices for IT, security, and business leaders as well as helpful user training for employees.