Hook, Line, and Sinker: How Hackers Trick You Into Giving Up Your Passwords
It’s a typical day at work for “John”. He takes his seat at a desk on the third floor of an office building and logs into his computer. He picks up the phone and begins dialing for the day.
“Hi, this is John from IT support. I’m calling from the internal help desk at XYZ Company. We’re doing a quick system-wide credential re-authentication because of a recent security update. Have you received the memo?”
And so it begins with John throwing out the line and the target falling for it, hook, line, and sinker. What the victim doesn’t know is that John is sitting in the office of a highly sophisticated organized crime ring on the other side of the world. Side by side are John’s colleagues, also cold-calling victims. On the floor above is the accounting department, laundering money received from selling stolen credentials. On a lower floor, the creative team writes web page copy to mimic a large corporation, while graphic designers and coders create a faux website that looks just like the real thing but is set up to steal login credentials.
Welcome to the new world of organized cybercrime. If you thought a hacker was a teenager slumped over a bank of computers in the basement of his parents’ house, hoodie pulled over his face, gazing malevolently at the screen, think again.
You might pass John and his colleagues on the street and think they were your average businessmen. You’d be right. They are. They are just in the business of stealing your login credentials and, by extension, your digital life.
Here’s how not to take the bait when they go after you hook, line, and sinker.
The Psychological Manipulation Tactics of Hackers
In our fictitious example above, John employed several notable tactics to trick his victim into the scheme. Although we didn’t provide the entire imaginary dialogue, we know how these things unfold. John used techniques including:
- Impersonation of authority (IT staff)
- Urgency (“system-wide update,” “tight deadline”)
- Familiarity with company processes (mentions departments, internal memos)
- Use of jargon to sound credible (e.g., “authentication portal”)
- Fake reassurance to reduce suspicion
- Technical distraction (“ignore password resets”) to cover tracks
Preventing cybercrime and credential theft is a multi-fold effort. We frequently discuss the technical aspects of secure credentials with our clients. For example, in previous articles, we have talked about what a secure password looks like today and the benefits of using password managers. We also ensure that our clients’ systems are set up with specific security measures, depending on their platforms, business, and situation.
As IT managed service providers, this is an essential component of what we do for our customers. What goes hand in hand with technical expertise, however, is good old-fashioned caution and awareness. That’s where knowing the psychological tricks criminals use is important. Forewarned is forearmed, as the old saying goes.
Let’s unpack each one by one so you’ll be prepared for a similar situation.
Psychological Manipulation Tactics Used by Cybercriminals
Cybercriminals use a variety of psychological tactics to manipulate victims into willing compliance.
Authority Bias
Everyone is taught from a young age to respect authority, whether the authority figure is a parent, teacher, policeman, or someone else in charge. Criminals exploit this facet of human behavior by donning a veil of authority when they initiate conversations or emails to trick you into divulging your login credentials.
Who do they impersonate? In our example, it’s someone from “IT”. In many companies, workers defer to the IT staff as authority figures: computers, hardware, the internet, and all the accessories that go along with them are mysterious and puzzling to many people, so a request that appears to come from IT is rarely questioned.
Other authority figures frequently impersonated include government officials, such as IRS agents, Federal Investigators, and the like; bank officials; lawyers; ministers and religious leaders; and executives.
Many people automatically respond to authority figures. Their requests seem to bypass the natural process of being suspicious of unexpected calls or emails.
Urgency and Fear
Keep in mind that psychological manipulation isn’t just one tactic. It’s the sum total of several tactics that tips the balance and causes people to act unwisely.
The second tactic, urgency and fear, is often combined with the authority figure. Now you have someone in authority making it feel like the end of the world if you don’t act quickly. This comes across in several ways, such as messages that your bank account will be locked in 10 minutes if you do not click a link and act. The criminal’s goal is to trigger panic, which bypasses a person’s normal mental filters that urge caution.
Familiar, Trusted Names and Brands
This is another way that criminals get past your innate sense of caution. They pretend to represent trusted brands, such as national banks or big retailers like Amazon. Not only does this make the credential-stealing attempt seem real, but it is also a likely “hit” with something you know, since almost everyone has ordered from Amazon, and major banks have lots of customers.
Other Tricks
Other ways in which criminals get you hook, line, and sinker include making their plea sound authentic. After all, who hasn’t seen an email from IT announcing a system update, or an order confirmation from a well-known company? Attackers exploit that familiarity to bypass your defenses and manipulate you into action. Combined with the voice of authority, a sense of urgency, and the reassurance of familiar, trusted names and brands, they worm their way past your guard and trick you out of your credentials.
Types of Credential-Stealing Attacks
At the beginning of this article, we gave the example of John cold-calling victims to trick them into responding. A call like John’s is typically paired with a phishing email or a spear phishing email. Phishing emails try to trick users into entering credentials into fake login pages that mimic a real website. Spear phishing emails take it a step further, using personal information gleaned from web searches and perhaps even conversations with people like John himself to make the situation sound even more dire, urgent, and real. The ultimate goal is to get you to take action: click an email link, land on the fake site, and enter your credentials.
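The fake website in a phishing email usually gives itself away in the link: the text you can see names the real brand while the underlying address points somewhere else, or the address is a look-alike of the genuine domain. The following is an added example, not code from this article or from any product; it runs two such checks over a constructed sample message. The allowlist of trusted domains and the sample email are both made up for the example, and the registrable-domain helper is a simplification (real filters use a public-suffix list).

```python
# Added example: flag suspicious links in an HTML e-mail body.
# Heuristic 1: visible link text names one host, the href points at another.
# Heuristic 2: the href host imitates a trusted domain (brand used as a
#              subdomain of another domain, or a 1-2 character edit of it).
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for the example; a real deployment loads its own.
TRUSTED_DOMAINS = {"amazon.com", "xyzcompany.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a host: 'login.amazon.com' -> 'amazon.com'.
    Simplification for the example; use a public-suffix list in real code."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def hostname(url: str) -> str:
    """Lower-cased host of an absolute http(s) URL, or '' otherwise."""
    p = urlparse(url.strip())
    return p.hostname.lower() if p.scheme in ("http", "https") and p.hostname else ""


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def lookalike_of(host: str) -> str:
    """Return the trusted domain this host imitates, or '' if none."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return ""  # genuine (sub)domain of a trusted site
    labels = set(host.lower().split("."))
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        # brand buried in the subdomain: xyzcompany.com.auth-portal-update.net
        if brand in labels or trusted in host.lower():
            return trusted
        # typo-squat: amaz0n.com, amazom.com
        if levenshtein(reg, trusted) <= 2:
            return trusted
    return ""


def suspicious_links(html: str) -> list:
    """One finding per anchor that trips either heuristic."""
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = hostname(href)
        if not target:
            continue
        # Visible text that looks like a URL or bare domain names a host too.
        shown = hostname(text) or (text if "." in text and " " not in text else "")
        reasons = []
        if shown and registrable(shown) != registrable(target):
            reasons.append(f"text shows {shown} but link goes to {target}")
        imitated = lookalike_of(target)
        if imitated:
            reasons.append(f"{target} looks like {imitated}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample lure; the third link is a legitimate internal one.
SAMPLE_EMAIL = """
<p>Hi, this is IT support. Due to a security update you must re-authenticate.</p>
<p>Sign in at <a href="https://xyzcompany.com.auth-portal-update.net/login">xyzcompany.com</a>.</p>
<p>Or view your order at <a href="https://www.amaz0n.com/orders">https://www.amazon.com/orders</a>.</p>
<p>Internal memo: <a href="https://intranet.xyzcompany.com/memo">intranet.xyzcompany.com</a></p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

Run as-is, the script reports the first two links (both tripping both heuristics) and stays silent on the genuine intranet link. The same two checks are what a user can do by hand: hover over the link, compare the address the browser shows with the text you were shown, and read the domain from right to left.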
Another way attackers gain credentials is by offering something in return, essentially a quid pro quo. Perhaps they offer a prize for entering a sweepstakes. To reach the sweepstakes page, however, you have to type in your email and password, and the sweepstakes page is nothing but a front for harvesting login credentials.
The Bottom Line: Protect Yourself by Remaining Vigilant
Preventing login credential theft requires a multi-faceted approach. It includes awareness, training, vigilance, and good IT support. Articles like this raise awareness about the tricks criminals use. Periodic training conducted by your IT department also keeps this information top of mind. Lastly, good IT support, in the form of filters for phishing emails and protection from unsafe websites, can go a long way toward keeping people safe. Be smart, be cautious, and avoid getting caught, hook, line, and sinker, by those unscrupulous spear phishers!