Unconscious bias … how cyber criminals are using this against you!

Cyber criminals continually evolve their techniques to increase the likelihood of their attacks delivering a successful outcome.

Social engineering is not a new approach. This manipulation technique exploits human error through “human hacking” to gain private information, access to systems and data, financial information or cash.

Cyber criminals are engaging with your employees in a psychological game to manipulate their human reactions, and they are also using their unconscious bias against them to increase the likelihood of a successful outcome for them.

Research suggests that unconscious bias occurs near-automatically, without a second thought. The brain makes a quick judgement based on your past experiences, background, prior beliefs and stereotypes.

The most common attack vector through which unconscious bias is exploited will not come as a surprise: email is the channel cyber criminals manipulate most easily and most often. However, be aware that unconscious bias is also exploited via voice calls, SMS, WhatsApp and website pop-ups.

Let’s explore the most common examples in a little more detail and how they are exploited:

Curiosity effect

We are all a bit nosy; secrets, gossip, and limited offers all drive you to interact with the cybercriminal. A real-life example: you receive the message “Take a look at these scandalous photos from our Christmas party”. If you open the files to look, a virus, malware or ransomware attack could be launched in the background.

Authority bias

This leverages naivety two-fold. Your CEO, the police or the local MP would never do anything wrong or illegal, so the communication you have received must be from a genuine person!

A real-life example: you receive an email stating that you have been caught speeding and that, if you pay today via the link provided, your penalty will be reduced. You access the link, and an attack is launched in the background, or you hand over your financial information.

Optimism bias

This is overestimating the likelihood of a positive outcome, sometimes referred to as the “too good to be true” effect. These lures often arrive as fake job offers, insider information or promotions, and pay increases.

A real-life example: you receive an offer for your dream job, with a request to submit your CV today. You are handing over a significant amount of personal data that can be used against you in a future attack.

Recency effect

Cybercriminals exploit this by referencing current or recent events and engaging you on those topics, because you remember them best. This can also take the form of referencing a recent event you may have attended, or a promise to help you avoid a recent cyberattack happening to you!

A real-life example: you receive an email stating that you are at risk of a cyberattack that repeats a recent, well-documented case, and you are asked to enter your credentials to access information that will stop it from happening to you today.

Hyperbolic Discounting

Who doesn’t love a discount, bargain or special offer? It is human nature to prioritise immediate rewards over long-term benefits, even when the immediate reward is smaller. In this scenario, the cybercriminal offers an immediate reward alongside a less attractive future option. Adding the future offer can make the whole thing seem more genuine.

A real-life example: sign up for an account with us today and receive £100 cashback on your first order, valid for 24 hours only, after which you will receive just £50 cashback. If this directs you to a fake website, you are handing over your personal and, potentially, financial information to a cybercriminal. If you set up the account using a password that you use somewhere else, they can attempt to access everything associated with the email address you have used!

Halo effect

We all have positive and negative default feelings about individuals, brands, products, and companies. The cybercriminal in this case focuses on potentially positive feelings to drive you to react or start an interaction with them.

A real-life example: A private social media message from a celebrity you follow offering a chance to meet and greet. All you need to do is provide your credit card information or buy a ticket for a chance to win! Once you complete the transaction, they have your personal and, potentially, financial information.

Loss aversion

We all want to avoid a loss or negative action. In this instance, the cybercriminal will drive your psychological or emotional perception that your lack of action will lead to a greater or more severe loss.

A real-life example: You receive a phone call telling you your bank account has been compromised. They ask for your account details and passwords, and once you provide this information, they have full access to your real account.

Ostrich effect

This is your tendency to avoid things you perceive as negative or dangerous. This can include completely ignoring information on negative or dangerous topics.

While this can mean the individual completely ignores the cyberattack and it is therefore unsuccessful, the greater risk is that they have been subjected to a successful attack and then ignored it, pretended it didn’t happen and hoped it would go away, which includes failing to report it.

A real-life example: you have provided your company system passwords, realised this was a cyberattack, but do not tell anyone. While it goes unreported, the cybercriminal has full access to your company systems and accounts.

Habit

We are all creatures of habit; if the cybercriminal gains knowledge of your personal habits or your industry’s habits, they can exploit this to get the reaction they want.

A real-life example: most house sales complete on a Friday, so attempts to target conveyancing law firms and redirect funds are most likely to happen at that time.

How do you reduce the human risk?

Human behaviours and personalities also have a role to play. A deep dive here would take days, weeks or even months to explore fully, but it would also be remiss of us to ignore it!

Every business balances a myriad of personalities when it comes to cyber security: from those who already know it all, to those who are terrified and do not want to engage with the topic at all, to those who believe they will never be a victim, to those who are thirsty for knowledge. Let’s look at how you can reduce risk and consider how to balance and address some of the personalities and behaviours you are working with.

The first thing to consider, which will not come as a surprise, is training! Be conscious not to overload or overwhelm your employees, as this can cause them to disengage, put it off out of fear, or delay it by hiding behind other priorities. You wouldn’t allow any employee to start work without appropriate training, so how can you expect them to protect your organisation from cyberattacks without it?
We’d advise:

  • Continuous and regular, bite-sized training
  • A combination of online and face-to-face
  • Relevant training that is role-specific
  • Include training to protect them at home; they will bring this behaviour to the office
  • Accountability and reward

Phishing simulation exercises

Hidden amongst day-to-day emails, these are very effective. Start easy and progress to more difficult-to-spot examples. Your employees want to be seen to be doing a great job, so if they know that these emails are coming in, they will pay more attention to ALL emails. This type of training is also great for those employees who are arrogant about cybersecurity and say, “You can’t catch me out!” It is a win/win: you either catch them, or they become even more diligent so as never to be caught.

Sharing organisational results and statistics

Share statistics to show how your organisation is being targeted, including both near misses and successful attacks. We forget that, when we are subjected to a successful attack, we are victims of crime, and as a result we try to hide it from the world.

By sharing this information, such as email filter results and details of how attacks happened and were avoided, you can increase engagement from those employees who believe they and your organisation would never be a target. Sharing how these attacks present themselves will help employees to be better prepared.

No blame culture

If you want an organisation in which people openly report everything, including their own mistakes, then a no blame culture is critical!

Net-Defence offers robust support to help organisations foster a healthy and collaborative cyber security awareness in which every member of staff is informed and equipped to deal with cyber threats. To find out how we can help your organisation defend itself from evolving threats, contact our specialist team today.

About the author

Before joining Net-Defence, I worked for the multinational consumer goods corporation Procter & Gamble (P&G), gaining over 19 years of finance and IT experience that I have brought with me to my current role. From 2018 onwards, I have worked for Net-Defence, and in 2020 I stepped into the role of Managing Director, building a team of...