Hacking human nature

Jim O’Hara, CISM, CISSP, CEH, Information Security Officer

As organizations have improved the technical controls protecting their assets, hackers and fraudsters have adjusted their aim – to human nature.  Why spend countless hours picking at an impenetrable lock when, with a little trickery and sleight of hand, the owner will happily provide the key?  Why don black clothing and a ski mask to risk life and limb committing a crime when you can perpetrate the same act more effectively from your couch?  In your pajamas.

Social engineering attacks have risen to levels not seen since 2004. Attackers prey on a victim’s complacency, good nature, and desire to please.  All characteristics inherent to human nature.

A-phishin’ we will go…

Far and away the most prevalent form of social engineering, email phishing has become the fraudster’s weapon of choice.  These types of attacks are relatively simple to perform and enjoy an incredible return on investment.

Fraudulent email accounts can be created in seconds, at no cost.  Key organizational contact information is just a web search away, often listed on the victim’s own website or social media profile.  Fake websites can be constructed in minutes and hosted for less than a dollar a day.  Together, these elements represent a highly effective and efficient tool for theft.  Theft of identities, reputations, intellectual property, and cold hard cash.


Email phishing attacks typically have one or more of the following characteristics:

  • The email sender appears to be an individual or entity known to the victim. In many cases, the “friendly name” of the sender is identical to an advisor, associate, or organization familiar to the victim.  Only through closer inspection does it become apparent that the actual address used by the sender is fake.
  • The email content appears to be of a pressing, urgent nature. When given a time constraint, humans are more likely to throw caution to the wind, set aside better judgement, and bypass normal procedures.  Attackers often attempt to create a sense of urgency in order to exploit this aspect of human nature.
  • The email contains links. Phishing emails often contain links to fraudulent or malicious websites.  Fraudulent websites are often spot-on doppelgangers of their legitimate peers.  The attacker’s hope is that the victim will attempt to log on to the fake site, revealing their credentials, which the attacker will then use to access the legitimate site, or other accounts of the victim.  Malicious websites often contain malware designed to exploit weaknesses in the victim’s browser.  Once installed, this malware may be used to collect credentials, log keystrokes, or perpetrate other criminal acts using the victim’s computer or device.
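
As an added example, not part of the original article, the following Python checks a raw message for the three traits listed above.  The address book, the urgency word list, the flag names, and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
# Constructed sample data (assumptions): a one-entry address book and one message.
KNOWN_CONTACTS = {"pat rivera": {"pat.rivera@client.example"}}
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|within \d+ hours?)\b", re.I)
SAMPLE = '''From: "Pat Rivera" <pat.rivera@client-mail.example>
Subject: Urgent distribution request
Content-Type: text/html

<p>Please wire the funds immediately. Confirm at
<a href="http://portal.login-check.example/signin">www.custodian.example</a></p>
'''

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):  # hostname of a URL, or of link text that looks like one
    m = re.match(r"(?:https?://)?([^/\s:]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def triage(raw):
    """Return which of the three listed phishing traits a raw message shows."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body, flags = msg.get_payload(), []
    known = KNOWN_CONTACTS.get(name.strip().lower())
    if known and addr.lower() not in known:   # familiar name, unfamiliar address
        flags.append("display-name-mismatch")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        flags.append("urgency")
    collector = LinkCollector()
    collector.feed(body)
    if any("." in t and " " not in t and host(t) != host(h) for h, t in collector.links):
        flags.append("link-text-mismatch")    # text names one site, href leads to another
    return flags
```

Calling `triage(SAMPLE)` reports all three traits; a message with none of them returns an empty list, which by itself does not establish that the message is genuine.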

Protection must remain a top priority at all times

In an increasingly rapid service-on-demand digital age, clients expect transactions to take place almost instantly.  Advisors have a strong desire to please their client by meeting that expectation.  This is human nature.  Making a distribution happen quickly will please the client, and is a “win” for the advisor.  But is it still a win if that quick client distribution is executed based on fraudulent instructions and deposited to an account controlled by a hacker?

The key to thwarting social engineering attacks is recognizing that protecting your clients and their assets is your top priority.  Airline passengers hope to arrive at their destinations on time.  But they don’t fault the pilot for following the preflight checklist, avoiding dangerous weather, or getting clarification from air traffic control when the flight plan seems a little “phishy”.

How to protect yourself and your clients:

  • Be wary of email instructions. Email is the fraudster’s preferred tool because it is effective.  Email should never be assumed to be reliable and authentic.  Even messages from legitimate addresses are suspect, as the sender’s account may very well have been compromised.
  • Keep human nature in check. Instructions or requests that attempt to impart a sense of urgency, requiring quick, atypical actions on your part, should be regarded as especially suspect.  Recognize the potential intent of such tactics and stick to your regular procedures and processes.
  • Pick up the phone. It is highly recommended that advisors verify client distribution instructions in person or via telephone.  Confirm the identity of your client, and ensure the instructions you’ve received are accurate.

At Brinker Capital we are committed to continually improving our technology and security policies in an effort to stay ahead of current cyber threats within the industry. Together, we can take steps to help keep client information safe.

The views expressed are those of Brinker Capital and are not intended as investment advice or recommendation. For informational purposes only. Brinker Capital, Inc., a Registered Investment Advisor.