My cyber attacker was disarmingly ‘human’
A couple of months ago, I received an email from a well-known individual, a former director general of a government ministry who is now involved in business and high-tech entrepreneurism. The message, worded in English and asking for help with a new initiative he’s trying to get off the ground, was polite and focused. The email was completely personalized, with no embarrassing linguistic errors or offers to share the inheritance of some Nigerian prince. I wasn’t asked for any personal details, there was no sense of artificial urgency about it, and it came in at a reasonable time of the day. It didn’t contain any content that was too good to be true. No one promised me a big prize or asked for a donation. It wasn’t even a “whaling” scam, in which someone pretends to be a senior manager in your organization and asks you for something.
I replied politely that I’d be happy to help. A few days later, this individual asked that we switch to WhatsApp, and that didn’t seem odd to me either, because he gave me a UK phone number, and I understood that the individual in question lives there part of the time. I read a PDF he sent me with the plan for the initiative, and while it was fairly general, I could see that it was appropriate for someone with a bird’s-eye view of things. I sent him a voice message along those lines, and didn’t give it any more thought.
That was where things started to go wrong. A few days later, I traveled to a conference in New Delhi. There, I received a series of messages from the former director general, this time in Hebrew. He asked to schedule a conversation, and I wrote that because I would be in Delhi the entire week, I’d be happy to set a time for the beginning of the following week. He said that was fine, but that the meeting would be with his assistant in the United States. And then came the slam dunk giveaway: I was sent a link that I was asked to open from my computer, “for security reasons.” That was the “ah-ha” moment. At that point, I realized I had been taken in. Of course, I didn’t click on the link.
But I was unnerved. I was outside Israel, at an international conference, with no other Israelis. I realized that I had told a bad actor where I was, and had thus made myself even more vulnerable. I found myself looking around from time to time to check I wasn’t being followed. When an Indian hotel worker asked me in the elevator, “Is everything alright, ma’am?” I said it was, but when she asked what room I was staying in, I didn’t know whether to answer her. When I needed drinking water from room service, I was afraid to ask for it. Every taxi driver became a potential threat.
I swallowed my pride and wrote to a good friend in Israel, an outstanding digital investigator. She asked to see screenshots of the correspondence and recommended that I block the number in question. I have to admit that I hadn’t thought to carry out even this simple action.
I had fallen victim to a type of attack known as spear-phishing. In phishing, attackers send scam emails that contain links to malicious websites. Spear-phishing is focused on a specific target. If the context weren’t so serious, I might even have been flattered, because whoever did this had to conduct in-depth research on the target, that is, on me.
My first question was: Who was after me? Was this a financial scam? Who wanted access to the contents of my computer? A quick Google search for “spear-phishing attack” in Hebrew revealed that in recent months, the Shin Bet had uncovered cyberattacks by Iran against senior figures in the defense establishment as well as politicians, academicians, and journalists. In each case, a suitable cover story had been fabricated and individually tailored. A Shin Bet official had commented that “the goal of this threat is assassination.” It was also reported that the Shin Bet had launched a large-scale operation to update and brief the relevant individuals. I, however, hadn’t been warned, and I soon realized I may never have an answer.
The deeply worrying part was that the spear-phisher’s approach was personally tailored to elicit a response from me. Recent research shows that spear-phishing attacks are responsible for 95% of successful hacking operations. This indicates a critical gap in cyber defenses, which focus primarily on technical protections and fail to address psychological vulnerabilities. Attackers use techniques that exploit frailties in the human psyche to bypass even the most secure technological defenses.
Playing on my desire to help
So, what were the frailties in my psyche that, despite my cyber expertise, allowed the ruse to get as far as it did? My “root cause analysis” found no misuse of authority, because I didn’t get the email from my boss, nor was there an artificial sense of urgency that made me respond. Perhaps it was cognitive overload – I work at a fast pace with a high volume of correspondence. And here’s an uncomfortable truth: I don’t properly vet the address of every email I get, especially when there are no obvious red flags.
Eventually, I found the sign I should have clocked as being suspicious: The original email address contained a real name, the @ sign, and a real organization name, but then there was another @ followed by “proton.me.” Like gmail.com, this is a suffix belonging to an email service. But there’s a key difference: Gmail doesn’t allow addresses with a double @ sign, so as to prevent fraud like this, but Proton does, which is why it has become a useful and effective tool for attackers.
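As an added illustration that is not part of the original article, here is a small Python check for the indicator described above. It splits a From: header into display name and address, treats everything after the last “@” as the mailbox that would actually receive a reply, and flags an address that carries a second “@” naming a different organisation. It goes slightly beyond the text by also flagging a display name that contains an address at a domain other than the real mailbox. The sample headers, the placeholder domain ministry.example and the function names are constructed for this example; the check is provider-agnostic and does not depend on which services accept such addresses.

```python
import re
from typing import NamedTuple

# Constructed sample From: headers (not taken from the article). ministry.example
# is a reserved placeholder domain; proton.me is the provider the article names.
SAMPLE_HEADERS = {
    "legit":   "Dana Levi <dana.levi@ministry.example>",
    "double":  "Dana Levi <dana.levi@ministry.example@proton.me>",
    "display": '"dana.levi@ministry.example" <contact7731@proton.me>',
    "bare":    "dana.levi@ministry.example",
}

_EMAIL_LIKE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_ANGLE_ADDR = re.compile(r"^(?P<name>.*?)<(?P<addr>[^>]*)>\s*$")


class SenderCheck(NamedTuple):
    display_name: str
    addr_spec: str
    mailbox_domain: str   # domain after the LAST '@': where a reply really goes
    inner_domain: str     # domain named before the last '@', if there is one
    findings: tuple       # short codes; an empty tuple means nothing suspicious


def split_from_header(value: str):
    """Return (display_name, addr_spec) for 'Name <addr>' or a bare 'addr'.

    Done by hand rather than with email.utils.parseaddr, whose treatment of
    a second '@' differs between Python versions."""
    value = value.strip()
    m = _ANGLE_ADDR.match(value)
    if m:
        name = m.group("name").strip().strip('"').strip()
        return name, m.group("addr").strip()
    return "", value


def _domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def check_sender(value: str) -> SenderCheck:
    """Flag a From: header that reads as one organisation but delivers
    replies to another."""
    name, addr = split_from_header(value)
    findings = []
    if "@" not in addr:
        return SenderCheck(name, addr, "", "", ("no_at_sign",))
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    inner_domain = ""
    if "@" in local:
        # The shape the article describes: name@real-org@provider. To the
        # receiving server everything before the final '@' is only a local part.
        findings.append("multiple_at_signs")
        inner = _EMAIL_LIKE.search(local)
        if inner:
            inner_domain = _domain_of(inner.group(0))
            if inner_domain != domain:
                findings.append("inner_domain_differs")
    # Generalisation beyond the article: the display name shows an address
    # at a domain other than the real mailbox.
    shown = _EMAIL_LIKE.search(name)
    if shown and _domain_of(shown.group(0)) != domain:
        findings.append("display_name_domain_mismatch")
    return SenderCheck(name, addr, domain, inner_domain, tuple(findings))


def triage(headers: dict) -> dict:
    """Run check_sender over a batch and return only the flagged entries."""
    flagged = {}
    for label, header in headers.items():
        result = check_sender(header)
        if result.findings:
            flagged[label] = result.findings
    return flagged


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        r = check_sender(header)
        print(f"{label:8} replies go to {r.mailbox_domain or '?':20} "
              f"{' '.join(r.findings) or 'ok'}")
```

Running the block prints one line per sample; only the mailbox domain after the final “@” matters for where a reply lands, which is exactly the part a reader skimming the “real name @ real organisation” prefix tends not to look at.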
But it wasn’t simply that I had missed that technical red flag. It was, more than anything else, the way the attack played on my desire to help and to be involved. The email included a request for advice and for my professional opinion. When someone asks for a favor, the initial instinct is to want to say yes. This mutuality bias, along with a polite writing style and the allusion to a problem where my expertise could be of help, was precisely aligned with the kind of communication I would expect from someone like the supposed sender.
Luckily for me, nothing happened in the real world: I didn’t hand over sensitive details, no one drained my bank account, and I wasn’t physically harmed. But I did experience hours of anxiety and stress. I couldn’t help thinking about the public implications: First, I didn’t know where to turn. Is there a support line for individuals in such cases? And if I were to contact it, would I be suspected of communicating with a foreign agent?
Second, there’s a need for psychological support to reframe these events and prevent targets from experiencing them with a sense of shame. And third, what should be done regarding the real person who was impersonated? I decided to call him. The conversation was embarrassing, especially when he asked, perhaps rightly, “How can I know that it’s really you, and that what you’re telling me is true?”
Ultimately, I have developed a set of assumptions about the world, about people. Did my belief in people’s basic decency act against me? And how can we lead our lives with immense wariness and suspicion while also maintaining our sense of trust in others? We can talk about education, awareness, and digital literacy to prevent these kinds of attacks, as I have spent decades doing, but the tools being used are becoming increasingly sophisticated, and the damage to our sense of personal security is ever more painful.