I don’t think people understand how much the psychology of decision-making under pressure impacts the success of cybersecurity awareness training. Let me explain how…

First, Stress Impacts Decision-Making. Under pressure, people are more likely to make impulsive decisions rather than carefully considered ones. To prove this theory to my audience, I use an activity during my workshops where I trick them into attempting to answer a question under pressure. For the first few minutes, because I put them under time pressure, they keep shouting different plausible answers at me until someone reads my question again and sees that the question itself is WRONG. This is exactly what the bad guys do! Most awareness training focuses on teaching employees “what to do” in ideal scenarios but doesn’t prepare them for high-stress situations.

Secondly, we forget that human decision-making is influenced by cognitive biases like authority bias (trusting an email because it appears to come from a superior) or urgency bias (responding quickly to avoid perceived consequences). Our trainings today rarely address these psychological biases, leaving people vulnerable to well-crafted deception attacks.

Thirdly, Multitasking and Distraction Increase Risk! People often make cybersecurity decisions while multitasking or in a state of distraction, which training rarely accounts for.

This 4th point is very important: Emotional Manipulation by Attackers. Cybercriminals exploit human emotions like fear, greed, curiosity, and even empathy. For example, a phishing email may create a sense of urgency by threatening account suspension or appeal to empathy by posing as a charity. Awareness trainings rarely teach employees how to recognize and resist emotional manipulation tactics.

In 2025, I challenge you to do better! Make sure your trainings go beyond technical instructions and focus on emotional awareness and practical habits that people can apply in real-world situations.
Go past the technical tips and tricks, and address the psychology issues. It's people (not robots) we are trying to shape, for goodness sake!… Tap into their humanity more than the bad guys can! #cybersecurity #informationsecurity #psychology
How to Understand Hacker Tactics
Explore top LinkedIn content from expert professionals.
Summary
Understanding hacker tactics involves recognizing the psychological and technical methods cybercriminals use to exploit individuals and organizations. These tactics often manipulate trust, urgency, and emotions to bypass security measures.
- Learn psychological triggers: Be aware that attackers exploit cognitive biases like urgency and authority to prompt impulsive actions; always pause and critically evaluate unexpected requests.
- Recognize trusted platform abuse: Understand that hackers may use legitimate applications or websites, like messaging platforms or file-sharing services, to disguise malicious intentions.
- Verify and secure communication: Never skip verification steps for sensitive transactions or downloads, and use multi-factor authentication to protect accounts from unauthorized access.
Attackers only have about six main operating models. While they have nearly infinite options to exploit your people/process/technology, getting benefit from these attacks comes from one (or more) of these six operating models:
◾ Steal Money - Abuse people or data/systems to transfer money directly
◾ Extortion/Ransomware - Threaten people and business capabilities to cause the victim to pay money (get a decryption key, avoid data disclosure, avoid personal harm, etc.)
◾ Outsourced provider - Sell products, services, and data to other attackers on dark markets, such as breaching services, ransomware kits, exploit kits, remote access trojans (RATs), proxy services, bulletproof hosting, compromised accounts/credentials, loads (compromised devices), and 0-days
◾ Espionage / Data Theft - Obtain data/insights from communications, designs/plans, and more
◾ Prepare for other attacks - Establish access for future damage to the organization and/or attacks on other organizations (partners, suppliers, customers, etc.)
◾ Destruction/Disruption/Defamation - Destroy/disrupt capabilities (systems, equipment, processes, etc.)
Notes:
🔹 Occasionally, they will demonstrate their skills/capabilities to potential customers or to their targets/victims, but that tends to be fairly rare.
🔹 Sometimes the same actors also perform influence operations, but these are often aimed at larger populations, demographics, or communities rather than targeted at specific organizations.
This graphic is from the upcoming security matrix work at The Open Group. We talked about this at a recent webinar describing the overall Security and Zero Trust body of knowledge we are building - https://lnkd.in/ecmGi5Vg
-
Cybercriminals have an easy-to-use trick to bypass your security controls… It’s called living-off-trusted-sites (LOTS). And it’s LOTS of fun (I'm not sorry for this terrible joke). While it’s not a new technique by any means, it’s a new term I learned to explain this basic technique. It’s where attackers use popular and legitimate websites or applications to conduct part of their attacks. A basic example is an attacker using something like Dropbox to upload stolen files from a compromised system. But let’s look at a cool recent example that Menlo Security Inc. wrote up:
1. Phishing Email: The attacker sends the victim a phishing email impersonating Amazon. The email includes a link to a Google Drawings image, which is a graphic prompting the user to verify their account because the account was “suspended” due to “unusual sign-in activity.” The graphic links to an attacker-controlled phishing site.
2. Verification Link: The malicious link is shortened with the WhatsApp URL shortener to hide the true phishing site. When the user clicks on the image, thinking they are about to verify their Amazon account, they are sent to a phishing page resembling the Amazon sign-on page.
3. Account Verification: After sending their Amazon credentials, the victim is prompted through a series of pages to provide their mother’s maiden name, date of birth, phone number, address, and credit card information. That’s a lot of information that can do a lot of damage to the victim while giving the attacker a good payday. The victim is then redirected to the legitimate Amazon login page.
Using LOTS increases the likelihood that the site won’t be blocked by security software, increasing the chances that the user will click on a link in a phishing email and get through. At the same time, once the abuse is identified, those websites/SaaS applications won’t wait around to take down the malicious content. But by that time, the damage is already done.
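The chain above is hard to block by host reputation alone, because every hop sits on a legitimate domain. A cheap mail-gateway or triage check is to look at where each link in an email actually points and compare it to the brand the email claims to be from. The Python below is an added example for this post; it is not code from the original post or from Menlo Security. The host watchlists, the sample email body and the l.wl.co entry (assumed here to be WhatsApp's link shortener) are assumptions for illustration.

```python
"""Flag links in an email body that lean on trusted sites or URL shorteners.

Added example for the living-off-trusted-sites (LOTS) post; not code from
the original post or from Menlo Security. The watchlists below are
illustrative assumptions, not an authoritative list.
"""
import re
from urllib.parse import urlparse

# Assumed watchlist of legitimate services attackers commonly abuse to host
# lure images, documents or stolen files. Extend it from your own telemetry.
ABUSABLE_HOSTS = {
    "docs.google.com": "Google Docs / Google Drawings (lure image)",
    "drive.google.com": "Google Drive (file delivery)",
    "dropbox.com": "Dropbox (file delivery or exfiltration)",
    "www.dropbox.com": "Dropbox (file delivery or exfiltration)",
}

# Assumed watchlist of URL shorteners that hide the final destination.
# l.wl.co is assumed to be WhatsApp's shortener; confirm before relying on it.
SHORTENER_HOSTS = {
    "l.wl.co": "WhatsApp link shortener (assumed)",
    "bit.ly": "Bitly",
    "t.co": "X/Twitter shortener",
}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def extract_urls(body: str) -> list[str]:
    """Pull every http(s) URL out of a plain-text email body."""
    return URL_RE.findall(body)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def classify_link(url: str, claimed_domain: str) -> str:
    """Label one link relative to the brand the email claims to come from.

    Shorteners are checked first because they hide the real destination,
    trusted-but-abusable hosts second, then whether the host is the claimed
    brand's own domain (or a subdomain of it). Anything else is a mismatch.
    """
    host = host_of(url)
    claimed = claimed_domain.lower()
    if host in SHORTENER_HOSTS:
        return "url_shortener"
    if host in ABUSABLE_HOSTS:
        return "abusable_trusted_site"
    if host == claimed or host.endswith("." + claimed):
        return "matches_claimed_brand"
    return "brand_mismatch"


def analyze_email(body: str, claimed_domain: str) -> list[tuple[str, str, str]]:
    """Return (url, host, verdict) for each link found in the body."""
    return [(u, host_of(u), classify_link(u, claimed_domain)) for u in extract_urls(body)]


def is_suspicious(findings: list[tuple[str, str, str]]) -> bool:
    """True if any link does not resolve to the claimed brand's own domain."""
    return any(verdict != "matches_claimed_brand" for _, _, verdict in findings)


# Constructed sample body modelled on the Amazon lure described in the post.
SAMPLE_BODY = """\
Your Amazon account has been suspended due to unusual sign-in activity.
Verify your account now: https://docs.google.com/drawings/d/EXAMPLE/preview
Short link: https://l.wl.co/l?u=EXAMPLE
Help centre: https://www.amazon.com/gp/help
"""

if __name__ == "__main__":
    findings = analyze_email(SAMPLE_BODY, "amazon.com")
    for url, host, verdict in findings:
        print(f"{verdict:24} {host:20} {url}")
    print("suspicious:", is_suspicious(findings))
```

The point of `classify_link` ordering is that a shortener or a trusted hosting site tells you nothing about the final destination, so the check treats "legitimate host, wrong brand" as a finding rather than as reassurance. In a real gateway you would expand shortened links in a sandbox and feed the resolved host back through the same function.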
-
He didn't know... but someone was reading every word in his emails. They were just waiting for the opportune moment... While I was at the bank making my own wire transfer, I got to hear horror stories from the bank teller (I had mentioned I was working in cybersecurity). She said they had a case where hackers had gotten into a person's email address and then just waited. And waited... and waited... Until the day a wire transfer was due on a big contract. At the last minute, the hacker sent a spoofed email (the domain was nearly identical and they "borrowed" all of the formatting and images from the authentic messages) from the client. The email provided new wire transfer instructions. It being the last day, the person didn't bother calling to verify. They sent the money... And hundreds of thousands of dollars vanished. Moral of the story: Security controls are there for a reason. Like a seatbelt, you don't need them until you really, really do.
-- Hackers love urgency. Don't play into their hands by waiting until the last minute.
-- Never be afraid to verify. Call, text, email, sky balloon message - whatever you need to do to triple validate.
-- Use strong passwords and MFA on all online accounts. If available, regularly review your login activity and active sessions as well.
#cybersecurity #hacking #email #security #webapplicationsecurity #databreach
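The "nearly identical domain" in that story is the part a machine can catch even when a rushed human does not. The Python below is an added example for this post, not code from the original post or from the bank involved: it compares the sender domain of a payment-instruction email against an allowlist of partner domains verified out-of-band, folds common look-alike character sequences (rn for m, vv for w, digits for letters) before measuring edit distance, and also flags a Reply-To that points somewhere other than the sender's domain. The partner list, confusable table and sample headers are constructed for illustration.

```python
"""Catch a look-alike sender domain before a wire transfer goes out.

Added example for the bank-teller BEC story; not code from the original
post. The partner allowlist, confusable table and sample headers are
constructed for illustration.
"""

# Constructed allowlist: domains you have verified out-of-band for the
# clients/vendors that are allowed to send payment instructions.
KNOWN_PARTNER_DOMAINS = {"acme-client.com", "northwind-traders.com"}

# Character sequences that look alike in common fonts (assumed table; extend it).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Fold visually confusable sequences so 'acrne' compares equal to 'acme'."""
    d = domain.strip().lower()
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_partner(domain: str) -> tuple[str, int]:
    """Nearest known partner domain and the edit distance after normalization."""
    nd = normalize(domain)
    return min(((k, levenshtein(nd, normalize(k))) for k in KNOWN_PARTNER_DOMAINS),
               key=lambda t: t[1])


def domain_of(addr: str) -> str:
    """Domain part of 'Name <user@host>' or 'user@host'."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def check_sender(from_addr: str, reply_to: str = "", max_distance: int = 2) -> list[str]:
    """Return reasons to stop and phone the client; an empty list means no flag.

    Exact allowlist membership is checked on the raw domain, so a domain that
    only matches after confusable folding is still reported as a look-alike.
    """
    reasons = []
    sender = domain_of(from_addr)
    if sender not in KNOWN_PARTNER_DOMAINS:
        partner, dist = closest_partner(sender)
        if dist <= max_distance:
            reasons.append(f"sender domain {sender} looks like known partner {partner} (edit distance {dist})")
        else:
            reasons.append(f"sender domain {sender} is not a verified partner")
    if reply_to and domain_of(reply_to) != sender:
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from sender domain {sender}")
    return reasons


# Constructed sample headers modelled on the story: the real client's domain
# with "m" replaced by "rn", which renders almost identically.
SAMPLE_FROM = "Accounts Payable <billing@acrne-client.com>"

if __name__ == "__main__":
    for reason in check_sender(SAMPLE_FROM, reply_to="billing@acrne-client.com"):
        print("STOP:", reason)
```

This is deliberately a "reason to pick up the phone" check rather than a block: for a change of bank details the control the story calls for is a call-back to a number you already have on file, and the script only makes sure the call happens even on the last day of the contract.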
-
Simplifying The Cybers™ Month - July 22. Say Hello to MATANBUCHUS! Hackers are now impersonating IT help desk staff and calling users directly through Microsoft Teams. Their goal? To convince you to download malware, specifically a strain called Matanbuchus. They use social engineering to make it sound like a legitimate support request. This is more than just phishing and click-dependent email; this is voice-based social engineering on platforms you trust. Here’s how to protect yourself and your team:
👉 Don’t let anyone remote into your device unless you’re 100% sure who they are. Verify their identity through a known internal contact or your company’s official help desk channel.
👉 Turn on multi-factor authentication (MFA) for all your communication platforms, including Teams and email. I KNOW, I say this ALL THE TIME. There is a reason: a large percentage of people and companies STILL don't use it appropriately. IMHO anyway!
👉 If something feels urgent or out of the ordinary, slow down. These criminal social engineers create a false sense of urgency to bypass your judgment. If something seems off, trust your gut and escalate through the right channels.
These kinds of attacks rely on familiarity. Teams feels safe because it’s internal. But bad actors are exploiting that trust. This is happening to companies of ALL sizes; don't think you are too small to be a target. If you’re in charge of cybersecurity awareness at your organization, this is the kind of example worth sharing in your next training session. Stay sharp and be Cyber Safe. Share/repost/comment - do the things, please. #CyberSecurity #SocialEngineering #SecurityAwareness #KnowledgeIsProtection #CyBUrSmart #MATANBUCHUS
-
Old Tricks, New Tech: How Scammers Repackage Classic Cons. Fraudsters may be using AI, deepfakes, and sophisticated cyber tools, but their tactics? Straight out of the classic conman playbook. When I went through my training to learn how to conduct clandestine operations (which I later used to secretly infiltrate cartels, organized criminal groups, dirty banks, and adversary defense contractors), I was trained by the best. In one particular lesson, a former professional con artist taught me the nuances of deception, manipulation, and the art of gaining trust. Through these lessons I learned that the following “classic cons” still apply today in the era of cybersecurity and AI:
💡 The Impersonator (a.k.a. The Pig-in-a-Poke) – Yesterday’s smooth-talking grifter is today’s deepfake executive. Whether it’s the infamous CEO frauds we are now seeing or a voice-cloned “friend” in distress, the goal is the same: gain trust, then exploit it.
💡 The Urgency Play (a.k.a. The Spanish Prisoner) – The old "act now before it's too late" trick has evolved into phishing emails demanding immediate wire transfers or “limited-time” crypto investment deals. If you’re being rushed, it’s probably a scam.
💡 The Trojan Horse (a.k.a. The Badger Game) – Con artists once sweet-talked their way past front desks; now, they send emails posing as vendors with malicious attachments. If it looks too good (or too routine) to question, question it.
💡 The Long Con (a.k.a. The Big Store, à la The Sting) – Scammers used to cultivate relationships over weeks or months before striking. Today, romance scammers and business email compromise (BEC) fraudsters play the same long game, earning trust before asking for money.
💡 The Bait-and-Switch (a.k.a. The Three-Card Monte) – Once a staple of street hustlers, this trick now lives online in shady e-commerce sites, fake investments, and job scams where the offer changes after you’re hooked.
What’s the takeaway? The tech may be new, but the psychology is ancient.
Every scam hinges on trust, urgency, and deception, and awareness is the best defense. #AI #CyberSecurity #FraudPrevention #StayVigilant #MoneyLaundering #AML #FinancialCrime