Cyber Crime Junkies
Socializing Cybersecurity. Translating Cyber into business terms. Newest AI, Social Engineering and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manage cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
Mind Games: Exploring Brain Reactions in Social Engineering
Cognitive Neuroscience-Brain Reactions During Social Engineering.
Summary
The conversation explores the power of social engineering in cybercrime and the brain's reactions during phishing attacks. The guest, Dr. Abby Morona, discusses her background in behavioral analysis and her work as the Director of Education at Social Engineer. She explains the limitations of nonverbal communication in deception detection and the use of nonverbal mimicry to create cooperation and elicit information.
The conversation highlights the importance of understanding human decision-making and the biological components behind it. In this conversation, Dr. Abby and Dino Mauro discuss the psychology behind social engineering and how understanding human behavior can help protect against cyber threats. They explore the concept of mimicry and how it can be used to create cooperation and closeness. They also delve into the effects of stress on memory and decision-making, and the importance of pausing and breathing before responding to cyber threats. The conversation highlights the overlap between psychology and social engineering, and the applications of this knowledge in negotiation, sales, and marketing.
Takeaways
· Social engineering is a powerful weapon in cybercrime and the biggest breaches often involve social engineering tactics.
· Nonverbal communication is not a reliable indicator of deception and there is no single behavior that can accurately detect lies.
· Nonverbal mimicry, when done subtly and within an optimum timeframe, can create cooperation and facilitate harmonious relationships.
· Understanding human decision-making requires considering both psychological and biological components.
· Creating awareness and educating employees about social engineering attacks is crucial for cybersecurity.
· Understanding human behavior is crucial in protecting against cyber threats and social engineering.
· Mimicry can be used to create cooperation and closeness, leading to more effective information solicitation.
· Stress can impair memory and decision-making, making it important to pause and breathe before responding to cyber threats.
· Psychology plays a significant role in social engineering, negotiation, sales, and marketing.
· Partnering academics with practitioners can lead to the application of scientific knowledge and real impact.
Chapters
- 00:00 The Power of Social Engineering in Cybercrime
- 03:17 The Limitations of Nonverbal Communication in Deception Detection
- 20:27 Creating Cooperation through Nonverbal Mimicry
- 25:12 Understanding Human Decision-Making
- 26:35 Educating Employees about Social Engineering Attacks
- 27:02 Understanding Social Engineering
- 30:17 The Effects of Stress on Memory and Decision-Making
- 33:36 The Psychology Behind Social Engineering
Dino Mauro (00:00.514)
The biggest breaches in the past several years have involved social engineering. We've reported on it. We've talked about it from vishing to voice solicitation to AI-driven deepfakes. Social engineering has proven to become the most powerful weapon in the cybercriminal's arsenal. One of the best quotes I've ever seen was by Bruce Schneier. And it said, if you think technology can solve your security problems, then you don't understand the problems and you don't understand technology. It's because the problem lies in us. The problem lies in people. People, our employees are the highest risk every time we get online and the art and science of remaining vigilant each time we get online and educating our employees why it matters is what this is all about. So today we're going to talk about how the brain reacts in and when being attacked through social engineering. Brain reactions during phishing and what you as a leader can do to educate your employees to remain vigilant and aware. This is the story of Dr. Abby Morona and cognitive neuroscience. Brain reactions during social engineering.
Dino Mauro (01:28.654)
Join us as we go behind the scenes of today's most notorious cybercrime. Every time we get online, we enter their world. So we provide true storytelling to raise awareness, interviewing global leaders, making an impact and improving our world, translating cybersecurity into everyday language that's practical and easy to understand. We appreciate you making this an award-winning podcast by downloading our episodes on Apple and Spotify and subscribing to our YouTube channel. This is Cybercrime Junkies and now the show.
Dino Mauro (02:18.456)
Thank you so much for having me. It's a pleasure to be here with you. Well, so tell the listeners a little bit about yourself and about your specialty. Yep. So as you said, I have a PhD in behavioral analysis, but I'm technically a behavioral scientist. I work for Social Engineer as their director of education. So I basically input the science. I make sure that all of the training is science-based.
I do my own research as well as I'm a member of multiple international research groups. I'm a nonverbal communication coach. And I work internationally with multiple research groups, both in the research itself and implementation of the research into practice. My specialty is nonverbal communication, but it's also understanding the mechanisms behind human decision making.
Because we see everything as kind of this input, this output. Underlying everything, underlying cybercrime, underlying the use of drugs, underlying business, underlying relationships, it's not just input output, there's mechanisms involved. Why do people make the decisions they do in every single industry? I mean, it's understanding. There's a biological component, not even a psychological component. There's a biological component.
for why people cause data breaches, right? Why social engineering is effective, right? Why businesses, why people engage with new partners, right? Like in sales, in business, in partnerships, same thing in personal lives, right? In relationships. So absolutely fascinating. So you have quite a history. You were involved...
having published works, I believe at the age of 19, you worked with FBI agents, you began in deception, right? And then you migrated over that. Walk us through that. Tell the listeners about that. So, I mean, I knew what I wanted to do from a very young age when I was in A level. When I found psychology, it kind of saved me. It gave me something that I for the first time ever felt passionate about. And I realized, you know, as soon as
Dino Mauro (04:42.868)
I actually failed my first year in psychology and they let me redo it. Then when I actually put... That's a fascinating tidbit right there. Yeah. So that's an interesting, like, who would have guessed that? So I thought like you wouldn't have even had to study and you would have gotten straight A's. Well, you can't get straight A's if you don't study or turn up to the lessons. And that was my problem. And then I redid
the first year and the second year all at once. And I realized, okay, well, maybe I should try this education thing. And then when I put the work in, I realized I loved it. You know, I really straight away, when I put that work into psychology, it just was everything that fueled me. And since I found that I knew straight away what I wanted to do. And I remember saying to myself, you know, one day I'm going to be a professor in behavior analysis. And then everything from
I knew that that was my end goal. So it makes it really easy. I say easy, but it makes it easier to work for something when you know where your end goal is. it's a bigger vision. It's exactly what we tell people that want to enter into the cybersecurity field because there's such great demand for varying skill sets. And there's so many people that want to join the field, right?
Hopefully the ones that want to join want to join for the right reasons, right? Because they want to protect organizations. They see what's happening. They see people work for generations and then have to close shop because of data breaches, right? And it's terrible. So how do we actually protect organizations and those brands? But when we're talking to them, we're talking to experts like you that are coaching people, providing guidance, mentoring them, what they always say is kind
have that high end, you have to give it some thought. Like what do want to be at the end? Like talk to somebody that does that. What's the day in the life look like? Right? Like what do you want to do? And if you can identify yourself and say, I think I'd find fulfillment in doing that every day. I think I would want to get up and do that every day. Then everything else is just obstacles on your way to the path that you know you're going to no matter what. Right? Yeah, I couldn't agree more. You know, this
Dino Mauro (07:02.338)
I think there's such a push now in society to make people go to uni and people just kind of go to figure out what they want. And uni is the time kind of to figure out what you want, but you're going in and you're agreeing to pay a lot of money and a lot of time, you know, take some time and figure out what fuels you. And originally, I mean, I watched Lie To Me and as everybody, you know, I was obsessed with body language and deception detection. And
I have admired Paul Ekman's work for such a long time. And it was his studies that really pushed me into the field of behavior analysis. Who is that? Can you remember his name? Paul Ekman. Paul Ekman. Yeah. So he was originally inspired as everybody is by the work of Darwin and emotions in man and animals. And he went out and tested those predictions of, are behaviors universal.
And I thought it was so incredible that human beings are so complex and individual, yet we can still identify these universal patterns. when I went and did my undergrad, and I was always taught from a very young age, nothing is given to you. My dad was very much like everything that you get, work for. No one's gonna pick you back up. You have to pick yourself
Right. So I went into uni with the mindset of like, well, if I don't do it, no one's going to do it for me. So straight away, I found a lecturer who taught something that I really enjoyed. And I had an idea for project and I came to him and I gave him my idea. And he just said to me, you know, have you told anyone that? I said, no. And he just said, we're done. He said, don't say that because that hasn't been done before. He if you want to do that, I'll help you and we'll do that together. And then we worked through this research project.
A lot of lecturers could have taken that idea and gone, oh, no, you know, you're a student and then run with the idea themselves. And we worked on it. And this is how we got Joe Navarro involved. We kind of, I think he either came to Dave or Dave went to him with the idea and then he was involved in the project. And then it got published. We started working on it when I was 18 and research takes a long time. I learned within that first paper, I learned so much.
Dino Mauro (09:23.118)
And then at the end of is that body of work called? So the research I originally did, and we published two papers, we developed a technique. There's a technique called sequence analysis, which is looking at the patterns, how patterns progress. If I do A, will I go to B to C to D, or will I go A to C to B to D? It's all about what's the sequence. And we wanted to apply that technique to nonverbal behavior to see
rather than looking at individual indicators, could we look at sequences to tell us something more? So rather than saying, well, he showed one behavior, so he must be in distress. What if he shows a particular sequence? What does that tell me about what he's feeling? And it's a much more reliable technique. It's really effective. And then we published a couple more papers and I thought, okay, well, I want to be a professor in behavior analysis, but I want to work in the FBI.
As soon as I published my first paper and I realized that what I discovered was known before I discovered it, I was just hooked to research because I think it's incredible. You can ask a question and then no one knows that answer until you do the research and then it's known. And I just think that is, it's so incredible to contribute to scientific understanding.
I didn't do well. You're truly producing something that does not exist in the world. Yes, I are truly creating something that is a question, right? Like that somebody has. They can Google it and the answer is not there, right? But if we do the research, right? Yeah, you can. You can combine A and B and C and all of that come to a conclusion and then there's the answer like it's
It's absolutely needed. More people need to do these things. Yeah. And with something as complex as human behavior and human decision-making, to be able to apply sequences and equations and this technique and then have an art set at the end, I just thought was incredible. And I didn't do my masters. I applied for a PhD. I had, I wanted to do a PhD, but it was a
Dino Mauro (11:43.246)
jump from an undergrad and I didn't think that I kind of had it in me. I was too scared. But my lecturer at the time just said, you have to do it. And I got the PhD scholarship with CREST, which was the, or is the Center for Research and Evidence and Security Threats. And I got to work with some incredible technology. I mean, I got, I had three motion capture suits
you know, for someone studying nonverbal behavior. How perfect is that? I know it was. And before I started that PhD, I remember a couple of years before reading a research paper that had come out using these Xsens motion capture suits by my supervisor or my old supervisor. And we were talking about, how incredible it would be to be able to do research with that. And then the PhD scholarship got offered and it was with these motion capture suits. And he just said, you
How could you not apply to this? It's handwritten for you. Explain to us what these motion capture suits do. So what the motion capture suits do are, there's a lot of different types of suits. And the ones that I use were Xsens motion capture. So what it allowed me to do was put these kind of trackers almost, but signal boxes on the body as sensors.
but they're not UV ray sensors, they're completely wireless and they're completely camera-less. And what it does is it picks up 17 parts of the body and then it creates a human figure. And because it's on the hands, the feet, the knees, the thighs, the hips, the chest, it creates a really realistic human body. So when you're looking at non-verbal communication, rather than just saying arm movements, you can really
deep into it, okay, well this hand movement slightly and you can look exactly at, you know, what inch that part of the body moved and what timeframe and it allows you to do such incredible work that you can't do with video analysis because it removes the human error. So if I put Mark in one of these motion, I'd be able to tell if he's lying to me. Yeah. So good question. That is what I started my PhD to
Dino Mauro (13:57.998)
to look at the nonverbal communication associated with deception. Because of Paul Ekman's work, I thought, how incredible. And then I started researching more into it. And I realized, you know, there is actually no research that exists that supports nonverbal communication as a deception detection technique.
So what you're saying, so yeah, so you just said it extremely eloquently and in an English accent. So I'm going to say it the way that we say it. So what you're saying is there's no proof of when someone's lying, like because everybody's, there's so many variations, right? Like there's no universal proof. Nope. There's none. So that's big because I think most people believe there is.
Most people believe, if I touch my hand, they're gonna think I'm lying. Or if I have my arms crossed, they're gonna think that I'm not listening. Like there's all these kind of urban myths that are out there. And there's a lot of blogs, a lot of articles out there online about that. Yeah, it's the most common question that I get asked. Every time I say I'm a behavior analyst, they go, so, you know, can you tell me when I'm lying? And it's very misunderstood because I wanted
be true, because it would be great if it was true. But yeah, the flaw is the foundation of it. There's absolutely no way to detect if someone's lying through nonverbal communication. Because lying isn't a manifestation. You know, lying is a thought process. You can't detect thought processes through behavior, you can detect emotion, which is usually underlying the thought process, you can detect a high degree of stress.
Also, when people lie, they have a lot of cognitive overload. Just think about how costly it is if you're being asked something and you're trying to create a story. You're trying to, one, create a story, two, make it in line with previous things you've said. You're also trying to control your behavior. You're also trying to think about what's plausible. Yeah, your mental processor is going very, very rapidly. Yeah, exactly. And it creates this cognitive load. So the behavior then slips. And this is the theory behind it. It's called emotional leakage.
Dino Mauro (16:14.434)
But that's exactly what it is. It's emotional leakage. If you ask me something and I'm really stressed, distressed, I'm angry, I could be lying. Or it could be something entirely irrelevant. It could be something at work and something that you're stressed about, worried about, whatever. And it might still give the same manifestations. not everybody that is lying has those manifestations because it's attached to the emotion
If people believe they're a And sociopaths that have like no empathy and they won't trigger a lie detector test. They won't because to them they have no, there's no connection, there's no emotional connection. Yeah and even someone who is really very healthy and well formed, they believe they're a liar and it's not very difficult to self-delude. You know, human beings, want to believe our own lies. It's so much easier to self-delude than you
And if you believe your own lie, you don't have those emotional indicators. And people believe things like the polygraph and what the polygraph does is test galvanic skin response. Basically the electricity of your skin, the electrical conductance of your skin, which is associated with the nervous system response of stress. But that's it, stress. Stress is associated with lying, but it's not necessarily
consequence of it and it's not necessarily a direct relationship. It's just very misunderstood and this was something that I learned quite early on in my PhD quite luckily. So it's an indicator like things like the polygraph. That's what I was going to ask you about next. What about the polygraph? But so polygraph tests even though they've advanced through the years what your research has found is that it's it can be an indicator of stress based on
the skin reaction, but that's it. Like that's probably not admissible in courtrooms yet. Yes. So polygraphs, all they test is basically your heart rate, your skin conductance, and blood pressure sometimes, you know, all of those things are associated with stress, but being accused of something can have the same physiological reaction as have been, as being the person that perpetrated
Dino Mauro (18:36.192)
If you are accused of something, there's stress associated with people thinking you are guilty, just as there is with being guilty. And again, if you're stressed because of something else, it's impossible to say what the cause of that stress is. So there is no, there is absolutely no study out there that has ever found a single behavior that is indicative of deception.
What they will tend to say is in this group of truth tellers versus this group of liars, this behavior was more common, but that really doesn't mean anything because again, it's not to do with the lie. There's so many other mechanisms involved there and it just isn't, I mean, if there was one of lying, I think everybody would utilize that. So then, so in your research, so then you migrated your, your field of study then away, away from deception.
Because you're like, well, that would be really cool if we could do that. Create, invent some new devices, have like the truth telling machine. That would be great. But you figured out you couldn't do that. So you migrated. Yeah. Yeah. Until I figure out the truth telling machine. I thought I'd put my energy into something else. OK. So I wanted to stay within this investigative interviewing sphere. And instead of deception detection.
Techniques rely on rapport building and creating cooperation. Because what we really want to detect if they're lying is just information. We want to be able to get all of the information to then assess, is this correct? Does this match other people's stories? Is this actually what happened? And the way we get information from people is by making them want to tell us. We have to use positive techniques. So I looked at cooperation and positive influence, but
I wanted to do something slightly different. And the issue here is as well, if you're observing someone, they always act really unnaturally. If you're assessing someone's behavior, they act very unnaturally. I wanted to do something that was non-invasive. So I thought, instead of assessing someone else's behavior, and instead of recording their behavior, what if we change our own behavior? Can I make someone cooperate with me without doing anything to them and just changing the way that I interact with them?
Dino Mauro (20:56.926)
which is where I came across nonverbal mimicry. And nonverbal mimicry is basically copying the nonverbal behaviors of the interaction partner. It's not doing them at the same time, that's mirroring and that's synchrony. It's doing them slightly afterwards. So walk us through like people understand what mirroring is, right? What mirroring is, is when someone's speaking with you and their toes are pointed towards you and their arms are open.
you kind of do the same thing. So that way there's a belief that they will feel more comfortable with you. But how is nonverbal mimicry different than mirroring? So it's similar. They're all within this kind of sphere of synchrony. Nonverbal mimicry has an evolved path. Basically, monkey see monkey do, it used to be called. You've seen someone act and it teaches you how to
would see someone respond in a situation and then individuals who had this perception behavior link where they would see and they act, they were more likely to survive because they mirrored other people. And this kind of evolved. So people with this tendency were more likely to survive. So it stayed in the population. But then as society changed towards more social groups, the purpose of mimicry kind of changed into
facilitating harmonious relationships. So now people that have this tendency to mimic, it facilitates harmonious relationships. Two of my questions were, one, why? Why does it facilitate? Because it's great to say, you we talked about the input output, but what is the mechanism behind? Why does mimicry create familiarity? Why does it create cooperation? And can I use mimicry to create information solicitation?
So what I did was obviously, you know, dive deep into the literature. And I did a series of studies looking at how we can use mimicry. And I did them in different relationship types of people that had complete strangers. I did it in romantic partners, I did it in acquaintances, I did it in investigative interviews. And what we found was that mimicry works through the process of closeness. So mimicry works.
Dino Mauro (23:24.386)
because it facilitates interpersonal closeness between that other person. We don't know exactly why. Again, it's an automatic unconscious thing. You don't see someone copy your behavior. So say, you're sat in a certain position and then you move your leg. And then a couple of seconds later, I moved from the position I was in and I moved my leg to be in the same position that yours is
Why would that create? That's important, right? Yeah, that's important. The timing of it is important, right? If you do it immediate, then they might catch you doing it. And if they're aware that you're trying to mimic them, then it loses its effect, right? So it has to be, and it can't be so delayed that it doesn't have the effect. So what have you found? So mimicry creates cooperation through the process of closeness. But how it does this?
And it's within this timeframe. So if you mimic after 10 seconds, and then say they cross their leg over 10 seconds later, you cross your leg over, it stops being mimicry because it's gone past that optimum time. If they do it, and then you do it instantly, they recognize that you're doing it within one to three seconds of doing it becomes obvious. And just as with any influence tactic.
If people recognize that you're doing it purposefully, it has the opposite effect. It makes them dislike you. And that's what previous researchers found. So what I did was go into this optimum range of kind of three to seven seconds, because obviously it's difficult. You don't want to create cognitive load. see someone do something, you're like one, two, three, four. It's not going to work.
But you can kind of get more natural at anything. I mean, nonverbal communication is a skill. I spent 24 hours in total training each of my Confederates who are people that are in on a study. I had three research assistants and each of them I trained in nonverbal mimicry. And, you know, 24 hours of training is a long time just to copy someone's behavior, but you have to do it right. And it has to become almost automatically that you don't think about
Dino Mauro (25:40.982)
And within this up to seven seconds. So when doing this, three to seven seconds is fine thing. So how does this because we are getting there like, yeah, how does this relate? So what you're saying is this really is very effective in eliciting. And so when we think of social engineering, we think of phone calls, we think of phishing emails, we think of communications.
And then we think of like eliciting information. So you always see on television on shows like the good cop, bad cop, right? Like one guy comes in, he throws over the chair, I'm going to get the truth out of you, blah, blah, blah. He starts yelling at him. The other guy's, hey buddy, do you want a cigarette? Do you want some coffee? Like it'll be okay. He's just grumpy today, you know,
But what your findings are is that is really in real life. That's very ineffective. Right. Interesting. Yeah. So two things first regarding that is it's effective. What is the impact of this? So through the research, what I was able to do because I use motion capture suits and because of the understanding of nonverbal mimicry, I was able to create training profiles. You know, the goal of a social engineer is to elicit information.
They want your information, be it passwords, bank details, security information. They want your information. With this understanding, I created training for what part of the body need to be mimicked to create cooperation. Because we say mimicry, but what part of the body are you mimicking? If you scratch your head and I scratch my head, is that going to be as effective? So this information and knowing that it works through closeness, I was able to create these tailored
training profiles. And then I tested it out in information solicitation, we did kind of mock terrorist interviews. And we were able to collect more information using cooperation. And the final study of the PhD kind of relates to this good cop, bad cop. And we found that observing someone mimic has a very similar effect. If you observe someone mimic another
Dino Mauro (28:00.664)
you're more likely to cooperate with those two people. So even though good cop mimicking another good cop, yes, if you observe that as the person being interviewed, if you observe that that is creating a closeness and a willingness to more to cooperate more freely. Yeah, because we not only does mimicry create closeness, I mean, not only mimicry create cooperation, but closeness creates cooperation
So when you have it working effectively, now we know that it goes through closeness. If I create an environment that helps facilitate closeness at the same time, I can really optimize that effect. And because again, you can do it. So say I have investigator one and investigator two, they don't even need to worry about the interview in terms of their behaviors. They can mimic each other. And as long as it's subtle, it still has the same effect of cooperation.
Now you said about good cop, bad cop. The issue here is cooperation is very, very effective. We have evolved to be cooperative. So when we do cooperate with people, the reward network in our brain is activated because we are programmed that way. So the ventral striatum, the amygdala and regions of the orbital and medial prefrontal cortex for any neuroscience nerds out
Yeah, so what we're talking about the amygdala the core part of the brain when the amygdala is hijacked, it essentially creates that cortisol raise in your blood and it creates that fight or flight. Right. And the neocortex is more rational calm. And that's the outer part. Is that fair? Yes. Yes. So when you're creating no, that's right.
Okay. But that's when we have stress and we're creating cooperation, these reward networks activated because that's what we want. When we create stress, we're creating cortisol in the brain. Cortisol is really, really dangerous. I mean, all of us, need cortisol and we need to have a certain kind of optimum level. We need to have a little bit of stress because for a memory to be created as well as a memory to be
Dino Mauro (30:17.62)
Our neurons basically have this electrical impulse and they need to pass on the impulse. If we don't have any cortisol, it's not charged enough that it can pass on the impulse. When we have too much. When we have too much, it's too charged. And what the neuron is to do is pass on the impulse but recharge. And that's how we collect and create memories. If we are having good cop, bad cop, and we've got one person creating stress, one creating comfort,
We have that comfort effect, but the fact that that person is getting stressed means their cortisol level is going to be raised. And yes, that other person is going to be their comfort zone. So they're going to want to give that other person that information. If we can't access our memories because we have too much cortisol in the brain, no matter how much we want to get that information, we cannot access if our brain says, I cannot get this memory. We're going to give them the information that we're going to give
So people even have difficulty, scientific difficulty in recalling the specifics when they are stressed. Yes. So when we're stressed, that's why, you know, it's not a good idea to try and work when you're cognitively overloaded or you're really, really stressed and you find it hard to do jobs that, you know, you usually do really easily because it's hard to access that memory. Also,
You shouldn't take new things and stuff when you're really, really stressed because people say, you know, I forgot that information. I, you know, I went upstairs. I forgot what I came for. Did you forget, or did you not form it into a memory because you were too stressed? Just because something happened and we were there doesn't mean it was actually formed into a memory, and stress can do that on both sides, forming the memory and retrieving the memory. When we are in an investigative. Yeah, I'm not disorganized. I'm just stressed.
Now I get it. Thank you so much, Abby. You're welcome. So let's tie this to social engineering. When somebody is calling somebody and they are creating a sense of urgency or they're communicating somehow, whether through an email, a text, a phone call, whatever, and they're creating that sense of urgency, what's your position on that? Is that that they are creating that sense of stress?
Dino Mauro (32:38.612)
And so they're acting impulsively or stress is not necessarily the same thing. It's fear and emotion. They're obviously connected. But it doesn't mean that you can't access any information whatsoever. It means that that quality of the information isn't going to be what it could be because they're going to get bits and bolts, but they're not going to get that quality information. And that's what you want. And it's investigator what social engineers do. And, you know, these, I think they call them black hats. These
dangerous social engineers that really want your information, they want to do you harm. They know that the way our brain has evolved is that our amygdala and our limbic system is the first thing to be activated because it's very primitive. Whereas the prefrontal cortex and the cortex in general is kind of much later. So signals go through the amygdala and then they go to the prefrontal cortex. And it's like that system one, system two, you know, we think automatically with system
And then we go, oh, hold on a second. Let me rationalize. That's where that prefrontal cortex comes into play. This is also why young children are very impulsive, because that part of the brain isn't fully formed until 25. So they act very impulsively because they haven't fully got that executive control yet. Also, psychopaths as well have very low activation in that prefrontal cortex. There you go, Mark.
That's what happened when I was dropped as a child. There you go. Yeah, you're lacking in free, free, it may have been the of the drop. There you go. Well, that explains so much. She's going to send you a bill for this too. This is better than fair. I'm an invoice as we speak. Yes, there we go. Send it to cybercrimejunkies.com. So in the social engineering
Right, have scammers, we've got black hat. And these are common. This is causing billions of dollars of damage every single year. It's actually trillions. It's a big deal. So there's a scientific element here, right? Like walk us through this. Talk to us. If we are thinking with the amygdala, which is the emotional center of the brain, we're going to act on emotion. And social engineers know
Dino Mauro (35:01.996)
they would do things to trigger this emotional center. And what they tend to do with these emails is they make them you have to act now. Because the issue is because we go through the amygdala first, the prefrontal cortex then says, slow down, let me think about it. If you act, I mean, if you just send an email, it doesn't trigger any emotion. And you say act now, it doesn't have the same effect because they'll just go, I don't care what
social engineers need emotional elements. They'll play on something, usually fear. They'll play on something that either makes you angry, you think that it's urgent, but they would trigger a negative emotion. So you just act now and that prefrontal cortex, you know, is the part of the brain that... Yeah, a text that says, your child was in an accident. Please click this link to access the routing, whatever that is appealing to the sense of urgency.
Right. Yeah. But what you would rationally do is say, who sent me this text? You'd also say, is this spelt correctly? You know, what is the URL here? Because that's the prefrontal cortex, does that. If you act instantly on emotion and they say you have to act now, all of those signs, your brain isn't looking for them. They're just going, I have to act now and I'm acting on emotion. And, you know, it's, it's an evolved response. We need it because if we were in complete threat, if we were in
We don't have time to go, hmm, is this a threat? Because you could get killed. So our ancestors evolved this ability to act instantly on emotion, but now we don't obviously live in those dangerous times. So we're kind of working against, working against our evolved responses. So even in, in some recent breaches that have involved like multifactor authentication fatigue, right? Where they just keep pinging somebody.
Right? And what they're trying to do is they're trying to appeal to the sense of stress that's causing them and the relief of that stress will happen if they would just click it and let them in. And so they'll communicate somehow. They'll communicate somehow and say, hey, we're from the IT team. Can you just do this? It's all part of a resetting due to a power outage. It's OK. Go ahead and click
Dino Mauro (37:20.254)
And it triggers our amygdala to act fast so that way we can see. That is actually a slightly different process. That's really interesting. That is another tactic, but that's not amygdala focus because it doesn't trigger the emotion. That's another thing that social engineers do. We have this thing. It's basically like willpower fatigue. Why do you think we go to the supermarket? There's all the like chocolates and sweets by the till because we exhaust our
so we say no, no, no, no, no. The more we say no and really have to activate that willpower, the more exhausting it gets each time we have to do it. That's why when you shop, by the time you get to the end, you've already said no to everything else. You're like, well, I'll just grab a chocolate then. It's willpower. I said no to the cakes and the cookies and all that other stuff. I'll just grab it. Yeah. Because you're now exhausted from that mental strain, which is why it's so much easier now to get chocolates from,
you know, from the tills. Right. That's a play on the social engineers. They exhaust your willpower of saying no. So when it comes to that point, you're already quite exhausted from activating that executive functioning because you've had to think about it each time and resisting something does take a lot of mental effort. And it is much easier to just say, okay, I'll do it and give in. What's the science behind that then? Is that, that's not, that's not amygdala.
What is that, some type of fatigue? Is that? Yes. So that's, I mean, I guess it's cognitive fatigue as well as willpower exhaustion. Now willpower exhaustion is a really effective technique and that there's so many techniques. I mean, even the cooperation techniques that I was talking about, they can be used to create harm. You know, a lot of dating websites use very similar tactics. They make you feel
They make you feel like they really love you. They make you feel like you really want to tell them information. They don't have to play on the negative emotions up until that point. And then usually, and then when they want to finally get that money from you, that's when they activate, you know, I've I'm stuck in a foreign country. I really need you to help me. But up until that point, they've been applying the positive techniques and all of this is social engineering. And what I get asked a lot is, so, you know, where does psychology fit within social engineering?
Dino Mauro (39:42.444)
And this question blows my mind because social engineering is the engineering of socials. It's the engineering of the human being. That is psychology. Absolutely. Every technique in social engineering is psychology. How do we make someone tell us something is all about how do we make them want to tell us or how do we make them feel like they have to tell us is all psychology. You know, and it all comes down to as well, because like you said, we are biological beings.
you know, understanding how the brain works. Like I talked about the reward network in the brain. Having that understanding allows you to now say, okay, well, this is why it's more effective. Understanding what parts of the brain activated first now makes you say, okay, well, this technique is more effective. But our psychology changes our biology too. So understanding it's biopsych as well as things like neuro marketing, understanding these fields which
separate from cybersecurity has a huge influence on your ability to work within the field of cyber psychology. Because again, it's that input output, but it's the mechanism through which it works. And that's where psychology fits in this field. That's excellent. That's excellent. So and this also has applications, very real applications in negotiation, sales and marketing, right? Because it's the same thing.
It's, it's, it's the eliciting of information. It's the getting people to act on something, right? It's why sales happen. It's why there's a limited time, limited supply act now, things like that there. It's it's all appealing to the same mechanisms drawn from the science behind it. Exactly. So I mean, I'll give you an example from sales. It's
So social judgements of warmth, you you say someone, he's really warm, he's nice and friendly, or someone's cold, they're really hostile. The processing of social warmth actually works through the same neural mechanisms as physical warmth. So the ventral striatum and middle insula. What this means for us, and research has shown this, is if you give someone a cold drink and then you try and get them to do something or make a judgment, they're gonna be
Dino Mauro (42:08.802)
and they're gonna judge you less positively. If you give someone a warm drink, they're gonna judge you more positively. And research has shown literally giving someone a coffee versus something like a smoothie or like an ice drink changes the judgments that they make because of this understanding of the underlying process. And it seems completely irrelevant. Why would giving someone a coffee change their judgment? But when you understand the mechanisms behind it, it makes sense.
and you can use this in sales. I mean, probably negotiations and sales are the areas that I train the most in because that's typically where people see psychology fitting in. They don't see it so much in security. Every security breach was initiated by a human being. Yeah. Well, that's the whole thing. That's because so many people miss what cybersecurity like what's actually causing
the largest in cyber security. So many people focus on the technology and they focus on what's in the closet and what's in the cloud. And they get really good at all the coding and all that. And I'm like, that's great. But none of that matters when the people are letting them in. And that's what's really happening. So we have to get to why that is happening so we can learn from it and adapt because it's really hard to train people to modify their behavior.
Right. It has to become a habit. It has to become incremental changes over time so that you can bolster that that human firewall. Right. And most people don't understand, you know, why they behave. They just do it. And then you. Yeah. And it's like if I gave you a coffee and you made a judgment, there would be no way that you would say, why you made this judgment nicer because I'm drinking hot drink. You just wouldn't make that judgment.
When we understand how things work and we have that training and that education, we can be a bit more aware. Like this understanding of the emotional element means that when you do start to feel this, you can go, wait, I know this, why am I feeling this? Let me now just give it a second, let me breathe because I know that I'm gonna be acting with emotion. Let me let my prefrontal cortex get involved and then let me think about it. Then I'm be doing this. It's very relevant, right? It's
Dino Mauro (44:32.46)
the approach of being genuine and authentic and telling a client, look, you don't have to buy anything. Let's just share ideas. Only what your issues are. I'll tell you what we have to work. If there's nothing that fits, then that's fine. And if you mean that, then they're more comfortable and it's good and you can have a conversation. At the end of it, you'll learn something about them. They'll learn something about what's out there in the industry. Maybe
their competitors are engaging in things like that. And then you can both walk away. And if they are interested, then a sale will happen. But if you go at them and just talk about yourself and try and force the sale, you're kind of raising the stress level and you're not going to get the cooperation that you want. Yeah. I mean, people don't like to be forced into things. very resistant to be told what to do. Right. But this is why
started working with social engineer when they approached me and offered me the job. And, you know, I really looked into what they do. It was probably one of the only companies I'd seen that actually applies to science and social engineering, which again, blows my mind because social engineering is all science. If you were going to train someone to be a social engineer, train them to how to get information, but for the good guys, if they don't understand
empirically what is known about information elicitation, what is known about body language, what is known about the psychological mechanisms, how are they going to do that effectively? What they're going to do is rely on what they've seen on TV. They're going to rely on those harsh tactics because that's what a hacker is, isn't it? You know, we see a hacker is this harsh, aggressive, someone that plays on fear and emotions. If they don't have the understanding of the science and the understanding of the ethics involved also, they're going to go to
most people associate with. They're not going to go to what actually is effective and actually understand the implications of what they're doing. Because we just behave. We just behave and we don't understand one why we behave. We also don't understand the implications of what we're doing. So we need to be educated on that. So for listeners and for people that are at work, at home, they want to protect themselves, they want to protect their families, they want to protect
Dino Mauro (46:52.076)
organizations brand that they serve when they get online and they whatever it is, if they even if they don't spot a phishing email to be a phish, even if they don't spot a phone call to be a scamming phone call, right? What should they always do? Should they always like pause, right? They should always breathe. They should always take time so that their prefrontal cortex can
biologically engage and then give them some greater wisdom. Yeah. It's like you said, you know, the threat is with the person. If you just remind yourself that a security threat or a cyber threat is only a threat if you allow it to be, it can be there, but it cannot pass unless you allow it to pass. You you are the bouncer. No, it cannot get inside if you don't open the door. So you just have to remember that just because it exists,
you still have the power. You have to recognize that if something is making you feel stressed or instantly you feel this burst of emotion, I think I have to act now, just recognize is that, that's not a normal way to respond to an email. That's not a normal way to respond to a text or a message from the boss. If they're something, if someone's especially if they're asking for secure information.
and you feel this sudden burst of emotion, think I have to answer it now, emails can take a couple minutes. You don't need to reply to everything now. The world doesn't stop because you didn't respond to an email. As urgent as things are, the world's not gonna stop if you just breathe. Always breathe. And anyway, even if you think you have to respond now, if you reply to anything on emotion, it's always going to come up slightly.
exactly how you should have said it. For a lot of reasons, right? Even if it's good intended, well intended, right? Even if you mean well, you're not going to be able to, if your cortisol levels are high, you're not going to be able to draw on the memories that you had. You're going to struggle with it. And you might be acting on an impulse that otherwise after a couple minutes,
Dino Mauro (49:11.116)
you know, you'll be able to see through, you'll be able to see the same set of facts a little bit differently. It's like when they say, you know, don't write an email when you're angry, because you think, this is fine. But that prefrontal cortex is still kind of, you know, pushed to the side and you're still acting with emotion. You're going to look back at anything. I wish I didn't say that. It's the same thing with opening an email. If you open it on that emotion, you could be making a mistake. Just breathe.
You know, just take a second and then assess, you know, I couldn't teach all of the information you need to know, you know, within one podcast, even within five podcasts, you know, you get, get the training from the experts who need, but what you can do is when you get that email, when you get that text, when you get that phone call, something doesn't feel right. Recognize I need to breathe because I now need to access that information that I have been taught. I need to access all of this training that I've had, and I cannot apply this knowledge.
If I respond with emotion, you you might respond with emotion and might be completely genuine email, but you still need to be able to initiate that actual thoughtful thought process, not just automatic thought process. That's great. Thank you so much. That is it. Thank you so much. We really appreciate the way that you share. is really phenomenal. What's what's coming up next and what can we will have?
linked to your information in the show notes, but what's coming up next for you? So I'm starting a few new projects at the minute. I've just started my own podcast or I'm co-hosting a podcast with Chris Hadnagy. I love teaching and I've started doing lots of talks, keynotes, training, one-on-one groups. And I realized I love teaching the information. So the podcast is starting and I am writing a
when I'm always doing my own research. And I'm just excited to grow with the new company. I'm moving to Florida very soon. And I'm really excited to see this company grow and see science being put where science should always be. Well, that's fantastic. And Chris is phenomenal.
Dino Mauro (51:25.006)
So we have actually, we've been so, and we've been part of Info Guard for years and we've been training the public on security awareness for 10 years. And one of the things we always show is a video that has Chris in it. It has Chris in it. And everybody's, it's one of the videos. I just connected the dots. I wasn't even aware when you were, you and I had talked and I was
Holy cow, that's the same social engineer. This is Chris's social engineer. I'm like, this is great. So, we'll have a book release party for you too. Yeah. And you and Chris both are welcome back anytime. Anytime. So, absolutely great stuff that you guys are doing. It is really, really the bottom, like you guys are really getting to the root cause of so much here. So, thank you so much. Thank you. And you know, science
constantly developing. So, you know, with me on board now, it's impossible to be a practitioner and keep up with the science because it's constantly developing and so is the business world. So when you partner academics with practitioners, you have this incredible ability to apply the knowledge and make real impact. And it is an honor to work alongside Chris and to see the work that we're doing. Yeah, it really is good stuff. That's great.
Well, thank you so much. Thank you so much. Really appreciate it. And my check for your behavioral therapy will be in the mail very shortly. Yes. Yeah, I was going to say don't forget about that. You'll have to hold it till Friday though. Don't cash it yet. That's fine. Right. Well, thank you everybody. Thank you for listening. Dr. Abby, thank you so much for your time. And this won't be the last time that we speak. We will speak again soon. So thank you so much. We appreciate it. Have a great day.
Dino Mauro (53:27.15)
Well that wraps this up. Thank you for joining us. We hope you enjoyed our episode. The next one is coming right up. We appreciate you making this an award-winning podcast and downloading on Apple and Spotify and subscribing to our YouTube channel. This is Cybercrime Junkies and we thank you for watching.