A recent Bleeping Computer article detailed a new phishing scheme, attributed to an Iranian-aligned hacking group, that leverages the “social proof” principle of psychology. First described by Professor Robert Cialdini in Influence: The Psychology of Persuasion, social proof holds that when people do not know the proper behavior for a situation, they imitate others for guidance (The Decision Lab, “Social Proof”; fs Blog, “Social Proof: Why We Look to Others For What We Should Think and Do”; fs Blog, “The Psychology of Persuasion: Six Timeless Principles To Get Your Way”; and The Psychology Notes HQ, “What is the Social Proof Theory?”). In other words: “because others are doing it, it must be correct and I should be doing it too.”

The social proof phishing attack puts this herd principle to work through “sock puppets” – fake participants in an email chain that make the conversation appear to involve several people. The attacker sends an email to the phishing target and copies a third person (or several), so that a group appears to be taking part in the discussion. There may seem to be several sock puppets on stage, but all are the hands of one puppet master talking to himself. The fictitious third party then replies to all in the chain, including the target, sometimes not until a day or two later, so that the exchange appears to unfold at a natural pace. The more involved the “discussion” appears, the more legitimate the emails seem. Once drawn in, the target is lured into opening an infected attachment or clicking a malicious download link, which he presumes must be legitimate because it is being passed around among others, some of whom bear important (even if false) job titles.

Though craftier, a sock puppet email is fundamentally no different from a typical phishing email, and the primary defenses are the same: careful attention to the email addresses of every participant in the chain (the sender, the recipients, anyone copied, and any Reply-To address), and skepticism toward emails that seem out of the ordinary, especially from persons (real or conjured) you do not know. Bear in mind that the number of people on a thread proves nothing when one actor controls all of them; if one address in the chain is a lookalike of a real organization, the “colleagues” at the same domain are equally suspect. If a message asks you to open an attachment or follow a link, confirm the request with the sender through a channel you already trust. A healthy suspicion of irregular emails is a virtue, not a vice. “Do not be so open-minded that your brains fall out.” (G.K. Chesterton) “A lie, like a pill, is easier to swallow when you don’t think about it.” (Marty Rubin)
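The address check described above can be automated for a whole thread rather than one message at a time. The following is an added example, not code from the article or from any vendor it cites: it parses every address in a chain (From, Reply-To, To, Cc), classifies each domain against what the organization actually knows, and reports whether any of the apparent participants is independently verifiable. The domains `victim.example` and `example-partner.org`, the two sample threads, and the names in them are constructed for illustration; the homoglyph table and the two-character edit-distance threshold are assumptions a deployment would tune.

```python
"""Sock-puppet triage for an e-mail chain. Added example, not from the article;
every address, domain and message below is constructed."""
import email
from email import policy
from email.utils import getaddresses

OUR_DOMAIN = "victim.example"              # assumption: the target's own domain
TRUSTED_DOMAINS = {"example-partner.org"}  # assumption: partners the org really knows
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s"})  # digit-for-letter swaps


def edit_distance(a, b):
    """Levenshtein distance, enough to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    d = domain.lower()
    if d == OUR_DOMAIN:
        return "internal"
    if d in TRUSTED_DOMAINS:
        return "trusted"
    norm = d.translate(HOMOGLYPHS)
    if any(edit_distance(norm, t) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"  # near a real partner's domain, but not it
    return "unknown"


def participants(raw_messages):
    """Every address in the chain and the header roles it appeared in."""
    seen = {}
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        for hdr in ("From", "Reply-To", "To", "Cc"):
            for name, addr in getaddresses(msg.get_all(hdr, [])):
                if addr:
                    seen.setdefault(addr.lower(), {"name": name, "roles": set()})["roles"].add(hdr)
    return seen


def triage(raw_messages, target):
    seen = participants(raw_messages)
    flagged, verified = [], []
    for addr, info in seen.items():
        if addr == target.lower():
            continue
        kind = classify_domain(addr.rsplit("@", 1)[-1])
        (verified if kind in ("internal", "trusted") else flagged).append((kind, addr))
    senders = {a for a, i in seen.items() if "From" in i["roles"]} - {target.lower()}
    # The social-proof tell: two or more 'people' writing, none at a domain we
    # can vouch for. Headcount is not evidence; treat the group as one actor.
    herd = len(senders) >= 2 and not verified
    return {"flagged": flagged, "verified": verified, "unverified_herd": herd}


# Constructed sock-puppet thread: 'examp1e' spells the partner with a digit 1,
# and the 'reply all' a day later carries a Reply-To at a third domain.
SOCK_PUPPET_THREAD = [
    """From: "Director Jane Smith" <jane.smith@examp1e-partner.org>
To: target@victim.example
Cc: "Professor Alan Reed" <a.reed@examp1e-partner.org>
Subject: Conference paper review

Alan, could you send our colleague the draft?
""",
    """From: "Professor Alan Reed" <a.reed@examp1e-partner.org>
Reply-To: reviews@drafts-hosting.example
To: target@victim.example
Cc: "Director Jane Smith" <jane.smith@examp1e-partner.org>
Subject: Re: Conference paper review

Draft attached, looking forward to your comments.
""",
]

# Constructed control: the real partner domain plus an internal colleague.
BENIGN_THREAD = [
    """From: "Jane Smith" <jane.smith@example-partner.org>
To: target@victim.example
Cc: colleague@victim.example
Subject: Conference paper review

Could you take a look?
""",
]

if __name__ == "__main__":
    print(triage(SOCK_PUPPET_THREAD, "target@victim.example"))
    print(triage(BENIGN_THREAD, "target@victim.example"))
```

Run against the sock-puppet thread, `triage` flags both “colleagues” as lookalikes of the real partner, flags the Reply-To domain as unknown, and sets `unverified_herd` because two distinct senders appear with nobody at a domain the organization can vouch for. The same thread with the genuine partner domain produces no findings. The point the herd flag makes is the one the article makes: a thread full of people is only as trustworthy as the least verifiable address in it.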

Check out our series, Privacy Perils, to learn what steps you can take to guard your personal and company data. For more information about this topic and other cyber security concerns, please contact a member of our Privacy & Data Security team.