Design & UX is cyber body language

We digest phishing emails visually, so the design language and user experience they present to us is critical to their success.

Here are a few ways that design is used by cyber criminals.

Exact replication

Phishing emails that poorly replicate legitimate emails have been a red-flag blessing for many years. Stretched logos, unusual fonts, and a lack of skill or care mean that scammers have sometimes failed before they've even hit send, their visual monstrosities failing to trick even the most carefree of clickers.

Sadly for us, the quality of phish is improving, so design is flipping from being just a red flag to being a green light. And with phishing 'as a service' growing in popularity, it's safe to assume that design used as an indicator of trust will increasingly be a problem for users.

I mean if it looks exactly like a duck, it’s a duck, right? Well no, it’s actually someone in a hyper-realistic duck costume.

In-line email prompts, warnings & notifications

There's no doubt in my mind that providing extra information at critical points during our interaction with email is a good thing. In fact, I can see no better way of assisting a user in making a security decision than being right there in front of them, at the perfect moment.

[Image: design-ux-is-phishing-body-language.jpg]

It's impossible not to develop a visual language for these interjections, and every system, from Gmail to a third-party SaaS solution, has its own way of doing things.

The problem these systems have is that anything that becomes visually trusted will also be a potential target for abuse. I have seen scammers use dummy warning messages before now, but I've not seen it often enough to convince me it's yet a real problem. In my eyes it certainly has potential for abuse, if for no other reason than counter messages can waggle a screwdriver inside a user's cognitive biases.
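One defensive check that follows from this, added here as an example and not code from the original post: a genuine "verified" or "external sender" notice is drawn by the mail client around the message, never inside the HTML the sender controls, so matching wording found in the body itself is sender-supplied and worth flagging for triage. The phrase list and the sample messages below are constructed for illustration and are not taken from any product or real phishing capture; a match is a signal for review, not a verdict, since a legitimate newsletter can use the same words.

```python
"""Flag e-mail bodies that carry text imitating a mail client's own security banner.

Added example. The banner phrases and sample e-mails are constructed and are not
taken from any mail product or real phishing message.
"""
import re
from html.parser import HTMLParser

# Constructed heuristics: wording a counterfeit in-body banner tends to borrow.
# Each entry is (label, compiled pattern); matching is case-insensitive.
BANNER_PATTERNS = [
    ("fake-verification-banner",
     re.compile(r"this (?:message|email) (?:was|has been) (?:verified|scanned|checked)", re.I)),
    ("fake-trusted-sender", re.compile(r"\b(?:verified|trusted) sender\b", re.I)),
    ("fake-safe-to-open", re.compile(r"\bsafe to (?:open|click)\b", re.I)),
    ("fake-scan-result", re.compile(r"security (?:scan|check) (?:passed|complete)", re.I)),
]


class _TextExtractor(HTMLParser):
    """Collect the text a reader would see, skipping <script> and <style> contents."""

    def __init__(self):
        super().__init__()
        self._chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        # alt and title attributes are rendered too (image-only banners), so keep them
        for name, value in attrs:
            if name in ("alt", "title") and value:
                self._chunks.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self._chunks.append(data)

    def text(self):
        return re.sub(r"\s+", " ", " ".join(self._chunks)).strip()


def visible_text(html_body):
    """Return the visible text of an HTML body as one whitespace-normalised string."""
    parser = _TextExtractor()
    parser.feed(html_body)
    parser.close()
    return parser.text()


def find_imitation_banners(html_body):
    """Return the labels of every banner heuristic that matches the body text."""
    text = visible_text(html_body)
    return [label for label, pattern in BANNER_PATTERNS if pattern.search(text)]


# Constructed sample messages (not real phishing captures).
SAMPLE_BODIES = {
    "plain-business": "<p>Hi team, the Q3 figures are attached. Thanks, Sam</p>",
    "counterfeit-banner": (
        '<div style="background:#e6f4ea;border:1px solid #34a853;padding:8px">'
        "&#10004; This message has been verified by Mail Security and is safe to open."
        "</div><p>Your mailbox is almost full. "
        '<a href="https://example.invalid/quota">Sign in</a> to free up space.</p>'
    ),
    "alt-text-banner": '<img src="cid:banner" alt="Trusted sender - security scan passed">',
}


def scan_samples():
    """Run every sample through the heuristic; returns {name: [labels]}."""
    return {name: find_imitation_banners(body) for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:20s} -> {hits or 'no banner-like wording'}")
```

The check deliberately reads alt and title attributes as well as text nodes, because a banner pasted in as an image carries its wording only there. In a real pipeline the labels would feed a score alongside other signals (sender authentication results, link destinations) rather than block mail on their own.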

Socially engineering the UX

As a social engineer I am always mindful of what I'm presenting to a potential victim. How will it look on mobile? If they click a link, what does that journey look like? Can I use warnings, or app-specific dialogue assets, to increase trust?

It's actually a lot of fun trying to find elements you can hack or hijack. Brute force is not a tactic specific to web apps; you can do it with humans, too.

So look around your emails and take in the visual elements: do any of them trigger a sense of trust, or add a feeling of authenticity? If so, they might one day be in a scammer's box of tricks!
