It was back in 2017, whilst I was co-writing an article with Dr Ian Levy, the Technical Director at the NCSC, that I first used the term ‘inbox hypnotism’.
It seemed to perfectly describe the symbiotic state that someone lost within their emails slips into, as their subconscious takes greater responsibility for peripheral processes. Being ‘in the zone’ is perhaps its more commonly known cousin, associated with a fierce level of productivity, bereft of the interruptions humans usually succumb to.
It’s this state that scammers try to leverage, most commonly via time pressure, or severity of consequences for the victim if they fail to act. When the victim is presented with information that triggers either or both of these states, the scammer is hoping they will kick into ‘the zone’, scrambling an important antidote to their crimes: having the time to truly consider what’s being asked of them.
Obviously scammers are fully aware of what conditions they are trying to create within the victim’s world. But it’s a fragile world they build, and very small details can make the difference between success and failure for them.
This is why awareness is so important. You are creating a library of references the subconscious can refer to during times of hyper-focus, and also of stress.
And scammers know this too, which is why they use social engineering techniques to upset the connection between your threat library and the ‘getting sh*t done!’ you. I used it extensively during my offensive social engineering days, and it can be a real weapon, even against technology.
So next time you’re blasting through your inbox – try and think back to any checks you may have done to see if the last few emails were genuine. It might surprise you how little the threat library is consciously referred to, and that, in essence, is the hypnotic state I’m referring to. Built through years, if not decades, of (hopefully) incident-free messaging behaviour, it’s a powerful tool for a threat actor to use against you.
I offer very tailored threat awareness that works alongside, or in addition to, the more ‘conventional’ phishing exercises. My focus is on helping people understand the story of the crimes that will target them as an employee. The mind loves a story – and a story of good v evil is about as cool as it gets!
If you want to increase cyber resilience and threat understanding at your organisation, let’s talk: [email protected]