{"id":14730,"date":"2025-02-11T03:17:31","date_gmt":"2025-02-11T03:17:31","guid":{"rendered":"https:\/\/dmsretail.com\/RetailNews\/how-to-spot-and-stop-socially-engineered-attacks-in-retail\/"},"modified":"2025-02-11T03:17:31","modified_gmt":"2025-02-11T03:17:31","slug":"how-to-spot-and-stop-socially-engineered-attacks-in-retail","status":"publish","type":"post","link":"https:\/\/dmsretail.com\/RetailNews\/how-to-spot-and-stop-socially-engineered-attacks-in-retail\/","title":{"rendered":"How to Spot and Stop Socially Engineered Attacks in Retail"},"content":{"rendered":"<div>\n<p>Cybercriminals are increasingly employing social engineering tactics to catch people when they\u2019re exercising what psychologist Daniel Kahneman calls\u00a0\u201cSystem 1\u201d thinking: A mode of cognitive processing characterized by making quick decisions and judgments based on patterns and experiences.\u00a0<\/p>\n<p>Many of us have shared the following experience: You\u2019re going about your day when you receive a text saying your package from Amazon couldn\u2019t be delivered and you need to log into your account to resolve the issue. 
The thoughts that cross your mind in response could range from, \u201cI\u2019d better get this handled,\u201d to \u201cWait, did I even order anything from Amazon?\u201d to \u201cHold on, is this legit?\u201d<\/p>\n<p>In a perfect world, we would all pause to question the validity of the text message. But for many of us, ecommerce is so deeply ingrained in our lives that it\u2019s not uncommon to receive packages we don\u2019t even remember ordering. Socially engineered attacks are particularly effective during peak shopping seasons, when consumers are even busier and relying on \u201cSystem 1\u201d thinking, but consumers and retailers alike must stay vigilant year-round.<\/p>\n<p>This is especially pertinent as bad actors increasingly leverage artificial intelligence (AI) to carry out more sophisticated attacks at a higher volume. One study found that IT leaders have observed\u00a0AI-backed phishing attacks increase 51%. Additionally, the\u00a0FBI recently issued a warning\u00a0that cybercriminals are using generative AI to make the language in their attacks more convincing by eliminating some of the telltale signs of a scam, like spelling and grammatical errors.<\/p>\n<p>Below, we\u2019ll explore the cognitive biases that make socially engineered attacks successful, followed by strategies consumers and retail application developers can use to enhance security.<\/p>\n<h3 class=\"wp-block-heading\"><strong>The 5 Biases Behind Social Engineering<\/strong><\/h3>\n<p><strong>1. The halo effect.<br \/><\/strong>The halo effect refers to people\u2019s tendency to trust brands they have a positive impression of.\u00a029% of phishing attacks\u00a0exploit this bias by posing as a trusted entity to lure in unsuspecting consumers. A notable example of this is the\u00a0American Express email phishing scam\u00a0that tricked cardholders into opening a malicious email attachment to gain access to their accounts.<\/p>\n<p><strong>2. 
Hyperbolic discounting.<br \/><\/strong>Hyperbolic discounting refers to humans\u2019 preference for smaller, immediate rewards over larger, delayed rewards, which is\u00a0what makes discounts so irresistible. Cybercriminals exploit this bias by creating fictitious deals, like when scammers\u00a0launched a series of phishing campaigns\u00a0to steal consumer data under the guise of shopping deals.\u00a0<\/p>\n<p><strong>3. The curiosity effect.<br \/><\/strong>Cybercriminals take advantage of consumers\u2019 curiosity by presenting them with information that piques their interest in an effort to get them to divulge their private information, like the\u00a0fake delivery notice phishing scams\u00a0discussed previously.\u00a0<\/p>\n<p><strong>4. The recency effect.<br \/><\/strong>The recency effect refers to people\u2019s tendency to focus their attention on urgent or recent matters. Cybercriminals have capitalized on this bias by sending\u00a0out fake Box notifications\u00a0alerting users that someone is trying to share a file with them, compelling them to take immediate action.<\/p>\n<p><strong>5. Authority bias.<br \/><\/strong>Authority bias taps into people\u2019s tendency to attribute credibility and validity to entities they perceive to be in a position of authority. Bad actors have been known to distribute phishing emails\u00a0impersonating organizations such as the U.S. Supreme Court, or even people\u2019s\u00a0bosses.\u00a0<\/p>\n<h3 class=\"wp-block-heading\"><strong>Shopping Smart: How Consumers Can Avoid Socially Engineered Scams<\/strong><\/h3>\n<p>Being cognizant of the biases above is critical to avoid falling prey to socially engineered scams. 
These attacks rely on \u201cSystem 1\u201d thinking, so carefully reading emails and text messages, double-checking that URLs are legitimate and pausing to think before sharing personal information go a long way in avoiding these attacks.<\/p>\n<p>Consumers should also enable multi-factor authentication (MFA) and opt for strong authentication methods, ideally those that are passwordless (more on this shortly), whenever available. Additionally, as AI-powered attacks become more common, consumers need to educate themselves on what these types of scams look like, whether it\u2019s advanced phishing emails or hyper-personalized spear phishing attacks.<\/p>\n<h3 class=\"wp-block-heading\"><strong>The Application Developer\u2019s Role in Bolstering Security<\/strong><\/h3>\n<p>When it comes to preventing socially engineered attacks, much of the responsibility lies in the hands of retail app developers. It\u2019s up to them to set consumers up for success by providing robust authentication methods that are easy for users to opt into and use.<\/p>\n<p>Passkeys are a user-friendly, phishing-resistant authentication method that eliminates the need for passwords by verifying a user\u2019s identity via cryptographic key pairs. In fact, testing conducted by Google revealed that passkeys have a\u00a050% higher success rate and enable logins twice as fast\u00a0as password-based systems. In addition to providing better security, passkeys also improve the user experience (UX) by reducing friction, which is why\u00a0the world\u2019s largest online retailer, Amazon, has implemented them.<\/p>\n<p>Providing MFA options is another way retail app developers can secure consumer information. Magic links, for example, let users further verify their identity by simply clicking a unique, time-sensitive URL. 
For an added layer of security, app developers also can enact step-up authentication as part of their MFA strategy, requiring extra verification before sensitive actions like high-value cart transactions. Both passkeys and magic links make it significantly more difficult for attackers to access consumers\u2019 accounts, even if they\u2019ve already successfully phished their passwords.<\/p>\n<p>Socially engineered attacks in retail aren\u2019t going anywhere. They take advantage of the very cognitive biases that make us human, and that\u2019s precisely why they\u2019re so effective. These scams will only become more frequent and successful as cybercriminals increasingly leverage AI to carry out their digital assaults.<\/p>\n<p>To thwart these attacks, consumers must be aware of their inherent biases and take every precaution they can to protect themselves, and it\u2019s up to retail app developers to provide them with ultra-secure and user-friendly authentication and MFA methods to do so. Adopting the strategies above is a win for everyone: consumers benefit from a more secure, seamless shopping experience, and retailers drive more sales by fostering trust and convenience.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<p><em>Rishi Bhargava is Co-founder at\u00a0<\/em><em>Descope<\/em><em>, a developer-first authentication and user management platform. In a career spanning over 20 years, Bhargava has run product, strategy, go-to-market and engineering for category-creating cybersecurity startups and large enterprises. Before Descope, he served as VP of Product Strategy at Palo Alto Networks, which he joined via the acquisition of Demisto. Bhargava was a co-founder at Demisto where the company pioneered the \u201csecurity orchestration\u201d category before being acquired. 
Prior to Demisto, he was VP and GM of the Datacenter Group at Intel Security and launched multiple products at McAfee (acquired by Intel).<\/em><\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals are increasingly employing social engineering tactics to catch people when they\u2019re exercising what psychologist Daniel Kahneman calls\u00a0\u201cSystem 1\u201d thinking: A mode of cognitive processing 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":14731,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":["post-14730","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-podcasts"],"_links":{"self":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts\/14730","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/comments?post=14730"}],"version-history":[{"count":0,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts\/14730\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/media\/14731"}],"wp:attachment":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/media?parent=14730"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/categories?post=14730"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/tags?post=14730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}