Security awareness

How Hackers Use Fear and Urgency to Get Your Information

June 2, 2017 by Dan Virgillito

Your PayPal account is frozen. Provide documents or lose it. The IRS is saying there is an error on your tax return, click the link to resolve it. Your loved one is in an emergency, open this attachment for more details. Social engineering is all around us.

Hackers used to trick people with funny emails or lotto wins before unleashing their attacks. Lately, they have adopted smarter tactics based on human emotion to infiltrate devices. These tactics are also working better for them than direct attempts to hack devices (why get into the complex technicalities of directly penetrating a device when they can ask the device owner to do it for them?).


Emotions Commonly Exploited by Social Engineers

It is important for people to understand the distinct characteristics of the emotions that social engineers commonly manipulate. The manipulation creates a route for a more complicated attack, which is why it is often described as the reconnaissance phase of social engineering. In most instances, the following emotions make people give in:


Fear is one of the strongest human emotions. Imagine that your bank account has been hacked: you go into panic mode instantly. That makes you more susceptible to manipulation and suggestion, as your mind opens up to trying anything to get out of the stressful state.

Social engineers do a great job of projecting the idea that if you do not take the action they are requesting, you will be in real trouble. They also play on subconscious cues, which the brain processes as a mix of intellect and emotion, to make the victim perform the task quickly.

As an example, some cybercriminals will present a message in your web browser claiming that a piece of child pornography was found on your device, and then display one. The message, made to look as if it came from a law enforcement agency, pushes users to pay a certain amount to make it go away. People are naturally frightened and manipulated by it. This vile attack has even driven one person to commit suicide.


Urgency, which depends on the victim's inclination or empathy to rectify a problematic situation, is an effective factor in social engineering attacks. The emotional impact is so strong that people focus disproportionately on urgency cues, usually ignoring other elements of a social engineering attack such as spelling, grammar, and source. Hackers also use scarcity in their offers to encourage people to act quickly.

Attacks that capitalize on urgency are often disguised as an instant message, email, or even a voicemail or call from a law enforcement authority or a senior executive at a corporation. Because people are taught to obey the instructions of authorities, they are not conditioned to check the validity of the communication and often comply with the requests, falling victim to a social engineering attack.

For instance, an email with the subject line "urgent email password request change" is clicked on by 28 percent of the 100 people it is sent to, indicating how urgency makes them fall for phishing attacks. Then there are the BEC (business email compromise) attacks set up by hackers who pretend to be important C-level executives. These emails ask employees to quickly conduct high-value transfers to ensure that suppliers and other third parties are paid on time, but in reality, the money goes into compromised bank accounts.

Due to these factors, humans are often labeled as "the weakest link" in the information security chain. It does not matter what antivirus software is installed on your computer; if you take that phone call or email at its word and follow its instructions without researching the legitimacy of the correspondence, you expose yourself to whatever risk the adversary presents.

Protecting Your Information from Social Engineers

Social engineering is a growing cyber-crime that continues to exploit people's gullibility and naivety. Here's how to keep yourself safe from these menacing attacks:

1. Think before You Click

If a message pops up in your web browser or you receive an email from someone claiming to be from law enforcement, don't click on attachments immediately. Take a few minutes to scrutinize the message as well as the sender's information. Often the message seems to have arrived from a legitimate source, but when you check the address, it may be a fake one. Keep an eye out for suspicious sub-domains, misspellings and @ labels.

2. Ask Questions

The next step in protecting your information involves ridding your mind of all the "conventional advice." Do not be reluctant to ask questions and demand face-value explanations, regardless of who the person on the phone or in the email claims to be. Many individuals fear being called "stupid" for demanding a supposedly foolish explanation, but it is important to verify the legitimacy of the correspondence when you have doubts.

3. Bookmark Legit Websites

Trust is earned on the internet, and it is quite important in the case of new websites. Check any link to a website whose URL looks similar to one you regularly visit. Instead of clicking the link directly, go to your bookmark and do your research there. Trusted websites often have built-in security features. Some of them may even provide information about social engineering attempts being carried out using their names to help visitors safely navigate their pages.
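The address checks from steps 1 and 3 (suspicious sub-domains, misspellings, @ signs, and URLs that look like a bookmarked site) can be automated. The following is an added example, not part of the original article; the bookmarked domains, warning codes and sample links are constructed, and the two-label registered-domain rule is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Constructed sample: sites the user has bookmarked (reserved example domains).
BOOKMARKED = ("example.com", "example.org")

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    # Assumption: the last two labels are the registered domain. Production
    # code should use the Public Suffix List (needed for names like "co.uk").
    return ".".join(host.split(".")[-2:])

def check_link(url):
    """Return warning codes for a link; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if "@" in parts.netloc:
        # Text before "@" is user info; the browser goes to the host after it.
        warnings.append("at-sign-in-address")
    reg = registered_domain(host)
    if reg in BOOKMARKED:
        return warnings
    for good in BOOKMARKED:
        # A bookmarked name used as leading labels of some other domain.
        if host.startswith(good + ".") or ("." + good + ".") in host:
            warnings.append("bookmarked-name-as-sub-domain")
        # A registered domain that is nearly, but not exactly, a bookmarked one.
        if 0 < edit_distance(reg, good) <= 2:
            warnings.append("misspelling-of-" + good)
    return warnings

if __name__ == "__main__":
    for sample in (  # constructed sample links
        "https://www.example.com/login",
        "https://example.com.account-verify.test/login",
        "https://examp1e.com/login",
        "https://example.com@login.test/reset",
    ):
        print(sample, "->", check_link(sample) or "no flags")
```

An empty result only means none of these three patterns matched; it does not prove the link is legitimate.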

As adversaries deliberately target traits of people such as good faith, trust in law enforcement, willingness to help and insecurity, it is very challenging to identify a social engineering attack and combat it. The ultimate protection requires a certain level of distrust towards external organizations and persons, as well as towards people we know.

It would also be beneficial to check what kind of personal details you share online, and with whom. Also, check your credit score and financial statements frequently to ensure that you are not a victim already.


While technical precautions may not be available in case of social engineering, smart decision making can help prevent problems down the road.


Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.