Deception

Deception is to mislead by false appearance.

wolf in sheep's clothing

Reports about cyberattacks relate how “hackers” were able to “hack” systems. Often the analysis of the cyberattacks discusses the malware the hackers used. Sometimes the analysis discusses spearphishing and how users need to be trained to avoid being spearphished. But:

Spearphishing Training Doesn’t Work!

Spearphishing training doesn’t work because of the convergence of three factors in email:

  1. Email displays what the sender (attacker) wants to display
  2. Attackers lie
  3. The human mind processes email using urgency clues and perceived relevance, factors easily manipulated with lies.

Consider the classic email warning: “Don’t open suspicious emails.” Bad guys understand that users are trained not to open suspicious emails. That is why bad guys lie and cheat to send emails that are not suspicious. Bad guys send emails that pretend to be from banks, FedEx, the IRS, colleagues, professional organizations, customers, etc. Bad guys steal the trust reposed in honest senders by lying. Bad guys manipulate the data email users see.
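The gap between what a mail client displays and what the headers actually carry can be checked mechanically. The following is an added example, not from the original page and not SP Guard's method; the sample message, the `BRAND_DOMAINS` allow-list and the function names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the page). The display name borrows a brand the
# page mentions; the actual addresses sit on unrelated placeholder domains.
SAMPLE = (
    'From: "FedEx Delivery" <notice@mailer.example.net>\n'
    "Reply-To: help@parcel-desk.example.org\n"
    "To: user@corp.example\n"
    "Subject: Urgent: delivery failed\n"
    "\n"
    "Your parcel could not be delivered.\n"
)

# Hypothetical allow-list: brand keyword -> domains allowed to use that name.
BRAND_DOMAINS = {"fedex": {"fedex.com"}, "irs": {"irs.gov"}}


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def in_domains(domain, allowed):
    """True if domain equals, or is a subdomain of, an allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def analyze(raw):
    """Return (what the user sees, what the header says, findings)."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    words = set(re.findall(r"[a-z0-9]+", display.lower()))
    findings = []
    # The sender-chosen display name claims a brand the real domain does not own.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in words and not in_domains(from_domain, allowed):
            findings.append(f"display name claims '{brand}' but domain is {from_domain}")
    # Replies would go to a different domain than the one in From.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return display or address, address, findings


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Many mail clients show only the display name by default, which is why the first return value and the second can tell different stories about the same message.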

Admiral Rogers posed the crucial question: “[W]hat happens when suddenly our data is manipulated, and you no longer can believe what you’re physically seeing?” The answer: Deception. Spearphishing is nothing more than the application of deception in email.

SP Guard fights deception in email.