The art of deception can be traced back to the beginning of time, and the capacity for deception exists within all human beings. From the sleight-of-hand used by magicians, to the sleight-of-tongue used by politicians and pundits, to the sleight-of-mind that accompanies cognitive bias, we are all wired to deceive and to be deceived.
In the digital world, cybercriminals prey on the trusting nature of human beings by utilizing social engineering tactics rooted in deceptive techniques to convince an unsuspecting person to perform a potentially harmful action such as granting access to a company network or customer database. But the question remains, why do so many of us fall for tricks and deceptions, even after we understand how they work?
To answer this question, we must first look at innate human nature. The desire to help others is part of who we are, so if a colleague sends a message asking for help logging into their computer or getting onto the company network for an important business purpose, of course we want to assist them, both to help the company and to help them meet their objective. This is just one example of how deceptive techniques can be used to trick people.
And falling for a deception or trick is not limited to someone within the Information Technology (IT) department. Anyone can be a victim, whether because of distractions, the appearance of a legitimate request or simply the trusting nature of people.
Humans are by no means perfect or free from flaws. We have biases, we are judgmental, and we even repeat the same mistakes again and again. Sometimes people are stressed or distracted; sometimes they are tired or simply overworked. Most employees are juggling home and work, which leads to cognitive overload.
Cybercriminals have a deep understanding of these emotions and situations. They design social engineering attacks that elicit human emotions, which subsequently spark a reaction such as clicking a link, visiting a website, entering credentials, downloading an attachment or application.
Phishing remains one of the most common and effective initial attack vectors, and it relies entirely on the art of deception. Data continues to show that attackers keep using tried-and-true techniques because those techniques keep leading to successful attacks.
Cloud security company Cloudflare has a great deal of visibility into threats of all kinds, including email. They analyzed 13 billion emails sent from May 2022 to May 2023 to look for commonalities among threats. The result is their first ever 2023 Phishing Threats Report. According to the report, threat actors continue to use the same techniques (because they continue to work) to trick victims into giving up credentials, downloading and opening files, and more. Some of the top threats included deceptive links, brand impersonation, and identity deception.
Organizations need to raise their users' understanding of how these tactics are used and which scams exist, through security awareness training and simulated phishing, as part of managing human risk. With that education, users can spot potential phishing scams designed to trick them through identity deception.
Humans are smart, adaptive, and can be educated over time. However, we are also emotional, impulsive and flawed creatures. Organizations must recognize these strengths and weaknesses and practice empathy for building a robust culture of cybersecurity and a workforce that is capable of recognizing and eliminating deception.