Archive for the ‘social engineering’ Category

better scare tactics: polysyllabic names

Tuesday, February 17th, 2009

Next time you need to scare someone into action (a boss, a client, a vendor, your child), make up a term for the risk that may occur, and make sure the name you make up is long and hard to pronounce.

In Studies 1 and 2, ostensible food additives were rated as more harmful when their names were difficult to pronounce than when their names were easy to pronounce;
[...]
In Study 3, amusement-park rides were rated as more likely to make one sick (an undesirable risk) and also as more exciting and adventurous (a desirable risk) when their names were difficult to pronounce than when their names were easy to pronounce.

Hat tip: Bruce Schneier.

smishing

Thursday, February 5th, 2009

I know SMS phishing attacks (known as smishing) are nothing new, but based on a recent smishing attack I received, it looks like combining phishing attacks with phone numbers has made it possible for attackers to increase the attack effectiveness. Previously, phishers went by the same methods that spammers popularized ages ago – send your message to as many people as possible, and try to make it applicable to as many people as possible. Given the low conversion rates (Gartner estimates 3.3%), you need it to be seen by many people in order to have a few successful scams. That’s why phishing attacks always seemed to attack places like PayPal and Bank of America – they had more customers, and therefore more of the people getting the fake email were likely to be fooled.

With that in mind, I was surprised when I got the following text message a few weeks ago:

This is an automated message from Lafayette Credit Union. Your ATM card has been suspended. To reactivate, call urgent at 888-xxx-xxxx.

I had never even heard of Lafayette Federal Credit Union before, and found it odd that a scammer was targeting such a small financial institution. A few days later I got another similar message purporting to be from FedChoice Federal Credit Union – another small financial institution. What I soon realized, though, is that both of these credit unions are local to the Washington DC area, and my cell phone has a 202 (Washington DC) area code. The scammers have decided to improve their business model. They’re targeting credit unions around the country and only sending people attacks that purport to be from local credit unions. In this way they hope to increase their conversion rate by only sending people relevant attacks.

Social Engineering is not for engineers

Wednesday, April 2nd, 2008

I’m a little behind on my reading, so I only just got to the January issue of the ISSA Journal. In it was one of the best articles I’ve read on social engineering. The problem with most articles (or at least the ones I read) is that they approach social engineering from a technical perspective. However, far from what the name implies, social engineering is not in any way related to any of the engineering disciplines. SE is nothing more than a fancy name for a scam that happens to involve a computer. Rather than treat the SE threat as a technological threat, we should be treating it the same way we treat all scams – as a purely human threat and not a technological one. We should be turning to psychologists for help in tackling the problem, not networking experts.

In this article Dan Timko reports on research done by Robert Cialdini on the psychology of influence. Cialdini enumerates 6 basic methods people use to influence others. They are:

  • Reciprocation
  • Commitment and Consistency
  • Social Proof
  • Authority
  • Liking
  • Scarcity

I’m not going to go in depth into each of these, but if you’re interested, here is a good summary of each. Suffice it to say that these methods are by no means limited to marketers – scam artists (sorry, “social engineers”) use all 6 without even necessarily knowing it.

The solution to scams of all sorts, just like the threat, should be based on social science and human behavior, not technical countermeasures (although they do certainly have their place). While Dan recognizes and says this, he does not stick true to those principles, concluding only that the best defense against social engineering is a strong security policy, user education, and the rest of the things ISSA members have been preaching for ages. If you ask me, the solution (if there really is one) to social engineering will not come from someone with a CISSP, CISM, or CISA, but from someone with a PhD in psychology. The quicker we realize that, the quicker we can come to a real solution.
