Cybersecurity Challenges for Psychologists and the Trauma of Cybercrime

Something I didn’t expect when arriving at the crossroad between business and psychology is that I would become an immediate target of interest for cybercriminals. I feel like this experience isn’t widely and openly discussed among psychologists, which I find surprising given the prevalence of these attacks.

Since launching my website and social media accounts, I have experienced daily (sometimes multiple times per day) communications disguised as account security alerts and calls for help. Most of these are intended to steal valuable information, and some are intended to steal financial capital.  

Fortunately, most of these attacks are very basic and easy to spot, such as Facebook messages from accounts with generic usernames stating that my account is in violation of community guidelines. Unfortunately, some are much more targeted and insidious, such as emails from people that I know asking for my help. Due to this onslaught of cyber harassment, I wanted to not only update my current awareness of hacking strategies, but also share this information with you, so that you may best protect yourselves as well. 

Traditionally, cyber attacks were targeted at systems, but as those systems have evolved, attacks have evolved alongside them, and now target the humans behind the systems. According to Sumner & Yuan (2019), the most common cybercrime technique used these days, is known as “social engineering.” Social engineering techniques are meant to exploit human emotions and manipulate people into letting their guard down.

Social engineering is often defined as a strategy that targets “human weakness.” Personally, I find this definition a bit problematic. Perhaps from a cyber security standpoint this definition makes complete sense, but in reality, people are not programs and the things that make us vulnerable to cyber attacks can be strengths, not weaknesses (e.g., responsiveness, supportiveness, a desire to help others, openness, belief in the goodness of people). 

So, what are the most common types of social engineering attacks? Phishing, and the more insidious spear phishing. Most people working for larger corporations are familiar with the aptly named phishing attacks. These attacks are usually quite general in nature, and often impersonate (spoof) trusted companies and websites in order to fish for information. Phishing attempts usually involve tricking individuals into opening an email and either clicking a link within the email (taking your information and compromising your browser) or downloading an attachment (a trojan horse of malware that will compromise your computer).

Spear phishing however, is a highly nuanced version of phishing that is so dangerously effective that it now makes up the majority of cyberattacks. This technique involves a more direct attack, in which a person is researched and targeted (the spear aspect). Individuals being spear phished will receive an email, direct message, or text pretending to be someone known to the target. In order to be believable, attackers will do their best to create fake profiles or email accounts in an attempt to impersonate someone you know and trust. 

This technique requires a certain amount of targeted internet stalking to be effective. Cybercriminals will pull information from your social media presence (Facebook, Instagram, LinkedIn, etc.) and your business’ website as well. They may also look at your known contacts (family, friends, colleagues, employer, etc.) and stalk their profiles, in order to better disguise their attack as a trustworthy message. 

The first step in protecting yourself from a cyber attack is becoming informed, and learning how to identify attacks. One thing all of these attacks have in common is that they ask you to perform a task, whether it be following a link, filling out a form, sending them a code, running an errand, purchasing something, and so on. If you notice that you receive a message (even from a loved one or an authority figure) asking you to complete any task (especially urgently), take a moment to step back and examine the message and sender’s account. You may find out very quickly that it is a spoofed account. 

To those who have experienced these attacks: please know that there is nothing to be ashamed of. These attacks are generally targeted at people who are agreeable, empathetic, kind, and want to help others. I know that these experiences can make us feel targeted, vulnerable, and unsafe. This is a normal reaction. Being the victim of a cybercrime can be a traumatic experience.

According to a RUSI 2024 report on the consequences of cyber attacks, the psychological impacts of these attacks often go unexamined and undiscussed. Anger, stress, worry, panic, fear, low mood, guilt, self-blame, self-doubt, and feelings of helplessness have all been observed in response to cyber attacks. These are normal reactions. 

As technology becomes more advanced, there will be more and more ways to easily impersonate real individuals online or over the phone (voice phishing is gaining popularity). Taking the time to read further on this topic and inform yourself about the best strategies for identifying these attacks can help empower you to better navigate life online in the era of cybercrime. 

If you have recently experienced a cybercrime, please reach out for support (friends, family, mental health professionals) and know you are not alone. These crimes are very common, but rarely discussed.

Sources:

Eftimie, S., Moinescu, R., & Racuciu, C. (2022). Spear-Phishing Susceptibility Stemming From Personality Traits. IEEE Access, 10, 73548–73561. https://doi.org/10.1109/access.2022.3190009

Royal United Services Institute (RUSI). Occasional Paper, January 2024. ISSN 2397-0286 (Online).

Sumner, A., & Yuan, X. (2019, April 18). Mitigating Phishing Attacks. Proceedings of the 2019 ACM Southeast Conference. https://doi.org/10.1145/3299815.3314437 

What is Spear-phishing? Defining and Differentiating Spear-phishing from Phishing. (n.d.). Digital Guardian. https://www.digitalguardian.com/blog/what-is-spear-phishing-defining-and-differentiating-spear-phishing-and-phishing

What is Spear Phishing? Definition with Examples - CrowdStrike. (2024, January 22). Crowdstrike.com. https://www.crowdstrike.com/cybersecurity-101/phishing/spear-phishing/