Understanding Anchoring
Anchoring is a cognitive bias that describes the common human tendency to rely heavily on the first piece of information encountered (the “anchor”) when making decisions. In the context of phishing and social engineering, attackers exploit this bias by presenting an initial, influencing notion that affects victims’ judgments and decisions.
History and Relevance
The concept of anchoring was first introduced by psychologists Amos Tversky and Daniel Kahneman in the 1970s. They demonstrated that once an anchor is set, especially with regard to numerical inputs, people tend to adjust insufficiently away from that anchor.
Anchoring is highly relevant in phishing and social engineering because malicious actors aim to manipulate decision-making processes. By setting an effective anchor early, attackers can more easily sway the victim’s subsequent perceptions and actions. This makes defenses against these strategies a crucial part of an organization’s security program.
Manifestations in Real Attacks
Phishing attacks leveraging anchoring typically begin with an attacker presenting a powerful initial message or data point. This message often possesses qualities such as urgency, authority impersonation, or enticing offers that align with the victim’s interests or fears. Once the anchor is established, the rest of the communication seeks to gently guide the victim to the desired fraudulent action.
For instance, a phishing email might announce a suspicious log-in attempt from a distant location. This initial anchor—a possibly compromised account—sets the stage for the victim to follow embedded links or download harmful attachments in panic, succumbing to the attacker’s subsequent guidance.
Concrete Phishing Scenarios
- Fake Invoice Fraud: An attacker sends an email with the subject line “Overdue Invoice – Action Required.” The anchor here is the sense of urgency from “overdue.” When the recipient opens the email, they see a detailed invoice with an inflated amount due, prompting them to act quickly to “resolve” the issue.
- Credential Harvesting: A targeted individual receives a message purportedly from their IT department, warning that all passwords need updating due to a recent security breach. The anchor in this message is the urgent security threat, pushing users to a fake login page where their credentials are captured.
- Online Shopping Scam: As shopping activity peaks around the holiday season, a phishing email might offer a “75% off exclusive deal for valued customers.” The massive discount acts as an anchor, luring the victim to a fraudulent site or prompting them to download a “coupon” that is actually malware.
Recognition and Defense Strategies
To effectively counteract anchoring strategies, defenders must learn to recognize the opening messages that aim to plant an anchor before the recipient has time to reflect. This involves implementing several strategies:
- User Education: Providing comprehensive training to end-users exposes them to common anchoring strategies and teaches them to question the initial messages that provoke urgency or emotional reactions.
- Multi-factor Authentication (MFA): Implementing MFA can prevent unauthorized access even if credentials are compromised, reducing the impact of anchoring strategies that push users into immediate action.
- Phishing Simulations: Regularly conducting phishing simulations allows users to experience potential attacks in a controlled environment, sharpening their ability to recognize and disregard anchoring attempts.
Moreover, organizations can use technical controls such as email filtering software and web-based security tools that help detect and block phishing attempts. These systems often utilize machine learning to identify signs of phishing, including suspicious linguistic patterns or domain discrepancies.
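To make the “suspicious linguistic patterns or domain discrepancies” such filters look for concrete, the following is an added example written for this page (not the code of any real filtering product): a small heuristic scorer run over constructed messages modelled on the three scenarios above. The sample emails, the cue phrases and the `.test` lookalike domains are all constructed placeholders; production filters use trained models rather than a fixed regex list.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not real phishing emails). "links" holds the
# (displayed text, actual href) pairs a parser would pull from the HTML body.
SAMPLE_EMAILS = {
    "legit_statement": {
        "subject": "Your monthly statement is available",
        "body": "View it in your account at any time.",
        "links": [("example.com/statements", "https://example.com/statements")]},
    "fake_invoice": {
        "subject": "Overdue Invoice - Action Required",
        "body": "Your invoice is overdue. Pay immediately to avoid service suspension.",
        "links": [("billing.example.com/invoice", "http://billing-example.placeholder-lookalike.test/pay")]},
    "credential_harvest": {
        "subject": "Password reset required",
        "body": "The IT department detected a security breach. All passwords need to be updated within 24 hours.",
        "links": [("portal.example.com", "https://login.example-portal.placeholder-lookalike.test")]},
    "holiday_scam": {
        "subject": "75% off exclusive deal for valued customers",
        "body": "Download your coupon before the offer ends.",
        "links": [("shop.example.com/deals", "http://shop-example.placeholder-lookalike.test/coupon.zip")]},
}

# Phrases that plant the anchors described above, grouped by the lever they pull.
ANCHOR_CUES = {
    "urgency": [r"\boverdue\b", r"\bimmediately\b", r"\baction required\b", r"\bwithin \d+ hours\b"],
    "authority": [r"\bit department\b", r"\bsecurity breach\b", r"\bpasswords? (must|need) (to be |be )?updat"],
    "enticement": [r"\b\d{2}% off\b", r"\bexclusive deal\b", r"\bvalued customers?\b"],
    "fear": [r"\bsuspicious (log-?in|sign-?in)\b", r"\bcompromised\b"],
}

def registered_domain(url):
    """Last two labels of the hostname; good enough for the constructed samples."""
    host = urlparse(url if "//" in url else "http://" + url).hostname or ""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def link_mismatches(links):
    """Links whose displayed text looks like a domain but whose href points elsewhere."""
    return [(text, href) for text, href in links
            if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I)
            and registered_domain(text) != registered_domain(href)]

def score_email(msg, threshold=3):
    """One point per anchor category present, two per mismatched link."""
    text = f"{msg['subject']} {msg['body']}".lower()
    cues = sorted(cat for cat, pats in ANCHOR_CUES.items() if any(re.search(p, text) for p in pats))
    mismatches = link_mismatches(msg["links"])
    score = len(cues) + 2 * len(mismatches)
    return {"cues": cues, "mismatches": mismatches, "score": score, "flag": score >= threshold}
```

A domain mismatch is weighted above wording because anchor phrases alone also appear in legitimate mail; the scorer only flags a message when the linguistic anchor is paired with a second signal.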
Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.