Cybercriminals are increasingly employing social engineering tactics to catch people when they're exercising what psychologist Daniel Kahneman calls "System 1" thinking: a mode of cognitive processing characterized by making quick decisions and judgments based on patterns and experiences.
Many of us have shared the following experience: You're going about your day when you receive a text saying your package from Amazon couldn't be delivered and you need to log into your account to resolve the issue. The thoughts that cross your mind in response could range from "I'd better get this handled," to "Wait, did I even order anything from Amazon?" to "Hold on, is this legit?"
In a perfect world, we would all pause to question the validity of the text message. But for many of us, ecommerce is so deeply ingrained in our lives that it's not uncommon to receive packages we don't even remember ordering. Socially engineered attacks are particularly effective during peak shopping seasons, when consumers are even busier and rely even more on "System 1" thinking, but consumers and retailers alike must stay vigilant year-round.
This is especially pertinent as bad actors increasingly leverage artificial intelligence (AI) to carry out more sophisticated attacks at a higher volume. One study found that IT leaders have observed AI-backed phishing attacks increase 51%. Additionally, the FBI recently issued a warning that cybercriminals are using generative AI to make the language in their attacks more convincing by eliminating some of the telltale signs of a scam, like spelling and grammatical errors.
Below, we'll explore the cognitive biases that make socially engineered attacks successful, followed by strategies consumers and retail application developers can use to enhance security.
The 5 Biases Behind Social Engineering
1. The halo effect.
The halo effect refers to people's tendency to trust brands they have a positive impression of. 29% of phishing attacks exploit this bias by posing as a trusted entity to lure in unsuspecting consumers. A notable example of this is the American Express email phishing scam that tricked cardholders into opening a malicious email attachment to gain access to their accounts.
2. Hyperbolic discounting.
Hyperbolic discounting refers to humans' preference for smaller, immediate rewards over larger, delayed rewards, which is what makes discounts so irresistible. Cybercriminals exploit this bias by creating fictitious deals, like when scammers launched a series of phishing campaigns to steal consumer data under the guise of shopping deals.
3. The curiosity effect.
Cybercriminals take advantage of consumers' curiosity by presenting them with information that piques their interest in an effort to get them to divulge their private information, like the fake delivery notice phishing scams discussed previously.
4. The recency effect.
The recency effect refers to people's tendency to focus their attention on urgent or recent matters. Cybercriminals have capitalized on this bias by sending out fake Box notifications alerting users that someone is trying to share a file with them, compelling them to take immediate action.
5. Authority bias.
Authority bias taps into people's tendency to attribute credibility and validity to entities they perceive to be in a position of authority. Bad actors have been known to distribute phishing emails impersonating organizations such as the U.S. Supreme Court, or even people's bosses.
Shopping Smart: How Consumers can Avoid Socially Engineered Scams
Being cognizant of the biases above is critical to avoid falling prey to socially engineered scams. These attacks rely on "System 1" thinking, so carefully reading emails and text messages, double-checking that URLs are legitimate and pausing to think before sharing personal information goes a long way in avoiding these attacks.
Consumers should also enable multi-factor authentication (MFA) and opt for strong authentication methods, ideally those that are passwordless (more on this shortly), whenever available. Additionally, as AI-powered attacks become more common, consumers need to educate themselves on what these types of scams look like, whether it's advanced phishing emails or hyper-personalized spear phishing attacks.
The Application Developer's Role in Bolstering Security
When it comes to preventing socially engineered attacks, much of the responsibility lies in the hands of retail app developers. It's up to them to set consumers up for success by providing robust authentication methods that are easy for users to opt into and use.
Passkeys are a user-friendly, phishing-resistant authentication method that eliminates the need for passwords by verifying a user's identity via cryptographic key pairs. In fact, testing conducted by Google revealed that passkeys have a 50% higher success rate and enable logins twice as fast as password-based systems. In addition to providing better security, passkeys also improve the user experience (UX) by reducing friction, which is why the world's largest online retailer, Amazon, has implemented them.
Providing MFA options is another way retail app developers can secure consumer information. Magic links, for example, let users further verify their identity by simply clicking a unique, time-sensitive URL. For an added layer of security, app developers also can enact step-up authentication as part of their MFA strategy, requiring extra verification before sensitive actions like high-value cart transactions. Both passkeys and magic links make it significantly more difficult for attackers to access consumers' accounts, even if they've already successfully phished their passwords.
Socially engineered attacks in retail aren't going anywhere. They take advantage of the very cognitive biases that make us human, and that's precisely why they're so effective. These scams will only become more frequent and successful as cybercriminals increasingly leverage AI to carry out their digital assaults.
To thwart these attacks, consumers must be aware of their inherent biases and take every precaution they can to protect themselves, and it's up to retail app developers to provide them with ultra-secure and user-friendly authentication and MFA methods to do so. Adopting the strategies above is a win for everyone: consumers benefit from a more secure, seamless shopping experience, and retailers drive more sales by fostering trust and convenience.
Rishi Bhargava is Co-founder at Descope, a developer-first authentication and user management platform. In a career spanning over 20 years, Bhargava has run product, strategy, go-to-market and engineering for category-creating cybersecurity startups and large enterprises. Before Descope, he served as VP of Product Strategy at Palo Alto Networks, which he joined via the acquisition of Demisto. Bhargava was a co-founder at Demisto, where the company pioneered the "security orchestration" category before being acquired. Prior to Demisto, he was VP and GM of the Datacenter Group at Intel Security and launched multiple products at McAfee (acquired by Intel).