Gautam Hazari

Chief Technology Officer

Human evolution, Amygdala Hijacking and Phishing attacks

Believe it or not, millions of years of human evolution have shaped, far more than we imagine, the issues we face daily in the digital world – phishing, smishing, vishing, quishing, you name it.

Being human is the key reason for being phished.

Let’s talk a bit about phishing first, and smishing and all the other -ishings as well. The interesting spelling starting with “ph” comes from the word “phreaking”, which was used to describe activities of experimenting, exploring, and studying telecom systems. 

In the 1960s, “phreaks” were early-day hackers; some of them experimented by playing pranks. Interestingly, Apple co-founder Steve Wozniak was one of the phreaks in those early days.

I could not resist sharing a short story about Steve Wozniak’s “phreaking”.

It was in 1972 that Steve Jobs and Wozniak learnt about the then-popular “blue box”, a device used by phreaks to generate the in-band signalling tones that switched long-distance calls. Wozniak’s technical mind got curious, and he designed his first printed-circuit board for blue boxes.

They tried to make a prank call to the Vatican and almost got the Pope to wake up, pretending to be Henry Kissinger. Steve Jobs decided to sell the blue boxes. The blue boxes paved the way for Apple, as Steve Jobs told his biographer later. 

The word “phishing” was used for the first time on January 2nd, 1996, in a Usenet newsgroup ‘AOHell’ and the credit goes to Khan C. Smith, a prolific hacker, spammer, and technology developer. 

The first phishing attacks were emails to AOL users to click links to verify their account, where their passwords were stolen and “AOHell” was used to generate random credit card numbers to create fake AOL accounts. The motivation was identity and account takeover, which has remained consistent even today.

As per the Verizon DBIR 2023 (https://www.verizon.com/business/en-gb/resources/reports/dbir/), 74% of all breaches in the digital world involved a human element, including phishing and stolen credentials, and it is no surprise that 95% of the breaches were financially driven.

A new phishing site is created every 11 seconds, as per dataprot.net (https://dataprot.net/statistics/phishing-statistics/).

Let’s define phishing so that we are on the same page; phishing is the fraudulent practice of sending messages, pretending to be from known, reputable companies or individuals to induce the victim to reveal personal information or perform some online action like clicking on links.

There are generally 7 types of phishing attacks:

  1. Email-based phishing: This is the original and oldest form of phishing, where email is the medium used. It is generally not targeted; the phishing email is sent to a large user base.
  2. Spear phishing: This is a more sophisticated, targeted phishing attack, where the attacker has collected personal information about the victim to establish credibility in the phishing messages.
  3. Whaling: Whaling is a form of spear phishing where senior executives are targeted. In this form of phishing, the attacker may pretend to be a senior executive, e.g. the CEO, and try to establish authority over the victim in the messages.
  4. Smishing: Smishing is a form of phishing where SMS is used as the messaging channel.
  5. Vishing: Voice is used as the channel to communicate with the victim.
  6. Quishing: This is a relatively recent phishing attack vector, where a QR code pointing to a disguised website is used to perform the phishing attack.
  7. Angler phishing: This is also a relatively recent attack form, where social media is used to lure the victim onto links.

Let’s come back to human evolution. Our survival instincts allowed us to develop two distinct types of information-processing units within our brains:

  • The frontal lobe is the rational information processor. It takes time to process information, including emotional control, and is part of conscious decision-making.
  • The second part is the amygdala, which generates the fight-or-flight response. It processes information as a threat and triggers instantaneous, emotionally charged responses outside our conscious control. The amygdala has been critical in our evolution and survival, detecting threats and responding in the most time-optimised way.

Daniel Kahneman, Nobel laureate psychologist of “Thinking, Fast and Slow” fame, reached the same conclusion with his System 1 and System 2 model of thinking.

System 1 is intuitive, instinct-based, automated thinking, whereas System 2 is the more complex, rational and logical thinking. System 1 corresponds to the amygdala-driven emotional process.

What does this have to do with phishing? 

This is where things start to get crazy and scary. 

Let’s talk about Amygdala Hijacking. Bestselling author and psychologist Daniel Goleman coined this term in his phenomenal book: “Emotional Intelligence: Why It Can Matter More Than IQ.” 

Amygdala hijacking forces an immediate emotional response, bypassing the rational brain, where System 1 takes over the actions. 

Fraudsters induce amygdala hijacking to perform phishing attacks, which then become irresistible. 

Interestingly, the amygdala is also responsible for detecting threats, but Moore’s-law-defying technological acceleration has somehow outpaced our biological evolution: the amygdala has not caught up and is not yet biologically programmed to detect the threats of the digital world we have created.

A close friend started to receive advertisements for miniature plane models. Being an aviation fanatic, he absolutely loved the advertisements and, without thinking much, clicked on the links and paid for a stunning miniature plane model, only to find out that the item never arrived – classic amygdala hijacking, where the emotional association with the miniature planes was used.

A business associate received a voice call from “the narcotics department” saying that a package she had sent contained prohibited items and that a fine had been issued to her. Unless she paid immediately, the matter would be escalated by the authorities.

The call had individuals talking on walkie-talkies in the background, and, under pressure, she paid the amount, only to realise later that it was a scam.

Again, amygdala hijacking was induced, where the fear of being prosecuted, unknown threats and realistic contextual environment (background noise of walkie-talkies) were used.

Psychologist and social scientist Dr. Robert Cialdini has listed seven methods which can be used to induce amygdala hijacking and push the brain into System 1. These are the “psychological principles of influence”: authority, commitment, liking, perceptual contrast, reciprocation, scarcity and social proof.

  • Authority: Whaling attacks use this: a message pretending to be from the CEO, or a voice call pretending to be from the tax office.
  • Commitment: Our publicly available information on social media and beyond about our commitments to ideas and goals is exploited to shape phishing messages.
  • Liking: Our likes and dislikes are not difficult to curate from social media and public posts; they are then used to make phishing messages much more personal and targeted, e.g. in spear phishing attacks.
  • Perceptual contrast: This is one of the most exploited principles. We humans perceive things in comparison to other things; our mental model is relative in most cases. Our brains generally do not detect the difference between a slightly misspelled domain name and that of a known website, and we are influenced to click on the link because of perceptual contrast.
  • Reciprocation: We humans are inclined to return favours. Angler phishing exploits this: we are given some supposedly useful information in a social media post, and we reciprocate by providing our contact details or clicking on a link.
  • Scarcity: Different dimensions of scarcity are used to trigger a System 1 response. 
    • Scarcity of time: Urgency
    • Scarcity of the products & services
    • Scarcity of opportunity
  • Social proof: Angler phishing utilises synthetic likes on posts to trigger a System 1 response as our brain longs for social proof.
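The “slightly misspelled domain name” under perceptual contrast is the one principle above that a defender can check mechanically. The following is an added example, not code from the original post or from Sekura.id: it normalises look-alike characters (a zero for an “o”, an “rn” for an “m”), measures the edit distance of a link’s registrable domain against a constructed list of trusted domains, and also catches the trick of hiding a trusted name in a subdomain. The trusted domains and test URLs are constructed for illustration.

```python
# Added example (not part of the original article): flag links whose domain is a near
# miss for a trusted one, the way a mail gateway or link-rewriting proxy might.
# TRUSTED_DOMAINS, CONFUSABLES and the sample URLs are constructed for illustration.
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation actually uses.
TRUSTED_DOMAINS = ["example.com", "examplebank.co.uk", "sekura.id"]

# Character sequences that look alike at a glance; each is mapped to a canonical
# form before comparing, so that 'examp1e' and 'example' compare equal.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m", "cl": "d"}


def canonicalise(label: str) -> str:
    """Lower-case and collapse visually similar sequences."""
    label = label.lower()
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Extract the host name; tolerate links written without a scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Rough registrable domain: last two labels, or three for country second-level
    domains such as co.uk. A production check would use the public suffix list."""
    parts = host.split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "com", "org", "ac", "gov"} and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def classify_url(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return ('trusted', domain), ('lookalike', closest trusted domain) or ('unknown', domain)."""
    host = host_of(url)
    domain = registrable_domain(host)
    if domain in trusted:
        return ("trusted", domain)
    # A trusted name used as a subdomain of an unrelated registrable domain
    # (e.g. sekura.id.account-check.net) is a look-alike, not a trusted host.
    for t in trusted:
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return ("lookalike", t)
    canon = canonicalise(domain)
    best = None
    for t in trusted:
        d = levenshtein(canon, canonicalise(t))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, t)
    if best:
        return ("lookalike", best[1])
    return ("unknown", domain)


if __name__ == "__main__":
    for sample in ["https://example.com/login", "http://examp1e.com/verify",
                   "https://sekura.id.account-check.net/x", "https://unrelated-site.org/"]:
        print(sample, "->", classify_url(sample))
```

The confusable table and the two-label heuristic are deliberately small; the check is meant to sit in front of a human (for instance, as a warning banner on the rewritten link) rather than to be the only decision, precisely because the user’s System 1 will not make the comparison on its own.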

The recent evolution of Large Language Models (LLMs) and the revolution of Generative AI have given phishing attacks new dimensions. 

Previously, most phishing messages were easier to spot: the language was inaccurate, and spelling, punctuation and grammar errors were evident.

Now, with easy access to LLMs, phishing messages generated by LLMs are much more accurate.

Researchers from The University of Texas published a paper in May 2023: “Generating Phishing Attacks using ChatGPT” [https://arxiv.org/pdf/2305.05133.pdf].

It does not stop there. Attackers are fine-tuning LLMs locally with our social media content, including the content from our contacts, and can also use context based on the “psychological principles of influence” to influence amygdala hijacking, so that phishing messages are not just accurate – they look much more personal. 

Scarily, it does not stop there.

Attackers can fine-tune LLMs using viral content and content known for increasing the level of oxytocin and dopamine in our neurochemical system so that phishing messages will not just be accurate and personal – they will make us emotional.

We can already see the huge spikes in targeted “purchasing scams”, where victims are losing money on scammed purchase links through emotionally driven messages.  

The solution to mitigating phishing attacks driven by amygdala hijacking is to drive a System 2 response from our brain.

Being human is the reason for falling prey to phishing attacks, so the solution must be humanised technology as well. 

The phishing attacker’s motivation is either to obtain some secure information from the victim, e.g. a password or OTP, or to influence the victim to perform some action, e.g. clicking on a link or scanning a QR code.

The victim is a victim of humanhood and human evolution, as the attacker uses the methods to induce amygdala hijacking. 

What if the human user does not have any secure information to give to the attacker? And no action to perform as well?

In that case, the phishing attack will not succeed even if amygdala hijacking has been triggered – the victim will not be a victim of humanhood. This is the humanisation of the solution.

This is exactly what we at Sekura.id have been tirelessly working on. 

The Sekura.id services, enabled by the SAFr platform and delivered through the secure, standard SAFr APIs, utilise the superpower of the SIM as a hardware-based, humanised cryptographic engine.

SAFr Auth uses value-added data signals from mobile network operators: the SIM swap timestamp, conditional and unconditional call-forwarding flags, whether a human user has been in a call for a certain duration, and more.

Trained machine learning models provide authentication, fraud management and identity verification solutions without the user needing to process any secrets – passwords, OTPs etc.
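To make the operator signals above concrete, here is an added example of how such signals are typically combined into an authentication decision. It is a hypothetical rule-based policy written for this article, not SAFr’s own logic or API: the field names, thresholds and sample events are constructed, and a real deployment would use trained models rather than fixed rules, as the text describes. The reasoning behind each rule is the part worth taking away: a fresh SIM swap means an OTP sent to that number may now reach the attacker, call forwarding means a voice OTP can be diverted, and a long active call at the moment of login is consistent with a victim being coached by a visher.

```python
# Added example (not part of the original article or of the SAFr platform): a hypothetical
# policy combining operator signals of the kind the article lists. Field names,
# thresholds and the sample events are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class OperatorSignals:
    sim_swap_at: Optional[datetime]   # last SIM swap reported by the operator, None if never (hypothetical field)
    unconditional_forwarding: bool    # every call diverted to another number (hypothetical flag)
    conditional_forwarding: bool      # diverted only when busy/unanswered (hypothetical flag)
    call_duration_s: int              # seconds the subscriber has been on an active call, 0 if none


SIM_SWAP_WINDOW = timedelta(hours=72)  # constructed: treat the number as untrusted this long after a swap
COACHED_CALL_S = 120                   # constructed: a call this long during login suggests vishing coaching


def assess(signals: OperatorSignals, now: datetime) -> Tuple[str, List[str]]:
    """Return (decision, reasons), where decision is 'allow', 'step_up' or 'deny'."""
    reasons = []
    # A recent swap means SMS/voice to this number may be under attacker control.
    if signals.sim_swap_at is not None and now - signals.sim_swap_at < SIM_SWAP_WINDOW:
        reasons.append("recent_sim_swap")
    # Unconditional forwarding silently reroutes a voice OTP or callback.
    if signals.unconditional_forwarding:
        reasons.append("unconditional_call_forwarding")
    # Conditional forwarding is weaker evidence but still worth a second factor.
    if signals.conditional_forwarding:
        reasons.append("conditional_call_forwarding")
    # A long live call at login time is consistent with a victim being talked through the steps.
    if signals.call_duration_s >= COACHED_CALL_S:
        reasons.append("active_call_during_auth")

    if "recent_sim_swap" in reasons or "unconditional_call_forwarding" in reasons:
        return ("deny", reasons)      # do not rely on this number at all right now
    if reasons:
        return ("step_up", reasons)   # fall back to a channel the attacker cannot divert
    return ("allow", reasons)


# Constructed reference time and sample events.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    OperatorSignals(None, False, False, 0),                              # clean subscriber
    OperatorSignals(NOW - timedelta(hours=5), False, False, 0),          # SIM swapped this morning
    OperatorSignals(None, False, True, 300),                             # busy-divert on, five minutes into a call
    OperatorSignals(NOW - timedelta(days=30), True, False, 0),           # old swap, but all calls diverted
]


def run_samples() -> List[Tuple[str, List[str]]]:
    """Evaluate the constructed events against the policy."""
    return [assess(ev, NOW) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, result in zip(SAMPLE_EVENTS, run_samples()):
        print(result)
```

The point of the design is that none of these checks asks the user for anything: the decision is made from network-side facts, so an attacker who has successfully hijacked the user’s amygdala still has nothing to extract from them.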

The services work seamlessly for the user so that phishing attacks can be mitigated even when amygdala hijacking is a factor and human evolution is not a barrier for security enforcement in the digital world.

Let’s make the world phishing-free – let’s make the world a SAFr place.   


Gautam writes, “I am a technology enthusiast and a futurist & the Chief Technology Officer of Sekura.ID, the global leader for mobile identity services. We provide Identity verification, fraud management, authentication and security services using the insights and signals from the mobile network operators and mobile devices, adding intelligence through machine learning models.

I absolutely believe in humanising the technological world and am very passionate about this. I work with mobile operators around the world and with industry players on mobile identity and hold patents on identity and access control. I led the implementation of the mobile identity initiative – Mobile Connect – in around 60 mobile operators across 30 countries while I was in GSMA, inventing mobile number verification for the industry.

I have also been an advisor to startups in digital identity, healthcare, the Internet of Things and Fraud and Security management. I recently did a TEDx talk to share my dream of a world without passwords and am the author of several blogs and articles on the humanisation of technology, including metaverse, web3 and IoT. I am a thought leader for digital identity, advocating solving the identity crisis in the digital world and I speak on making the digital world a safer place.”