It was back in 2017; whilst I was co-writing an article with Dr Ian Levy; the Technical Director at the NCSC, that I first used the term ‘inbox hypnotism™’.
It seemed to perfectly describe the symbiotic state someone lost within their emails slips into, as their subconscious takes greater responsibility for peripheral processes.
Being; ‘In the zone’, is perhaps its more commonly known cousin, associated with a fierce level of productivity, bereft of the interruptions humans usually succumb to.
It’s this state that scammers try to leverage with their social engineering, most commonly via time pressure; or severity of consequences for the victim if they fail to act urgently. When presented with information that triggers either or both of these states, a scammer is hoping the victim will kick into ‘the zone’, scrambling an important antidote to their crimes; having the space and time to truly consider what’s being asked of them.
Scammers are fully aware of the conditions they are trying to create within the victims world. But it’s a fragile world they build; and very small details (crucial red flags have no minimum size requirements) can make the difference between success and failure.
This is why awareness is so important. You are creating a library of references the subconscious can refer to during the times of hyper-focus, and stress. This library also needs variety – not just in the topics, but also in the format and what triggers its retrieval.
And scammers know this all too well; at least the good ones do, anyway. Which is why they use social engineering techniques to upset the connection between your internal threat library, and the ‘getting sh*t done’ you. I used it extensively during my offensive social engineering days, and it can be a real weapon, even against technology.
So next time you’re blasting through your inbox – try and think back to any checks you may have done to see if the last few emails were genuine, or was it all assumed genuine – as you’d seen no red flags. It might surprise you how little the threat library is consciously referred to, and that in essence is the hypnotic state I’m referring to. Built through years, if not decades, of (hopefully) incident free messaging behaviour, it’s a powerful tool for a threat actor to use against you.
I offer very tailored threat awareness that works alongside, or in addition, to the more ‘conventional’ solutions out there. My focus is on helping people understand the story of the crimes that will target them as an employee, and provides a framework for storing this knowledge. The mind loves a story – and a story of good Vs evil is about as cool as it gets.
If you want to increase email security awareness and threat understanding at your organisation, let’s talk: firstname.lastname@example.org