Fear, uncertainty, and doubt (FUD) hold powerful influence over humans. Fear itself is a deeply powerful emotion that causes specific reactions in the brain, and uncertainty and doubt are feelings that manipulate your actions, your employees’ actions, and your business operations. Examples of FUD have a long-standing history in the information technology and information security industries. In the 1970s, IBM utilized FUD tactics to make buyers question trying new products by casting a shadow of fear over unknown products compared to IBM’s safe, known offerings. In the 1980s, IBM was given a taste of its own medicine by Microsoft, who FUD’d them in return. Recent uses of FUD can be seen in the political arena through the spreading of select information and misinformation in the 2016 presidential race, as highlighted in the SEORG article on SE at the Nation-State Level. FUD can be used to affect the purchasing of your products and your bottom line. It can also be used against your employees for a range of purposes, anything from sowing dissent about corporate changes to inspiring an employee to provide information and access to your network.
Why does it work?
Each aspect of FUD can be used as a method of amygdala hijacking, where the part of the brain responsible for emotions has been flooded with some emotional trigger and, in its overwhelmed state, its ability to reason through the emotional response is dramatically reduced. Amygdala hijacking can be seen in a variety of psychological behaviors surrounding FUD. One example is the backfire effect: when doubt is cast on someone’s longstanding beliefs, the person reacts strongly and emotionally by doubling down on their preconceived ideas. This can be used to rile and provoke individuals and groups of people into action. Additionally, instilling fear in an individual causes a fight-or-flight response, and, when the presented threat is great enough, the individual will react without thinking. Amygdala hijacking is further detailed in section 3, Deciphering the Science, of Christopher Hadnagy’s book, Unmasking the Social Engineer, and this concept is why FUD is such a powerful tool.
FUD has been used in marketing tactics, propaganda campaigns, and, you guessed it, social engineering. While we here at Social-Engineer, LLC (SECOM) believe in a benevolent, “leave others better for having met us” style of social engineering, malicious actors do not adhere to the same moral principles. FUD is a sneaky beast, and anyone can be susceptible. FUD is a popular motivator in many malicious phishing emails and vishing (phishing over the phone) campaigns, where a malicious actor may use fear to prompt an immediate action.
Additionally, a timely example is the FUD surrounding DEF CON. Every year there is FUD over the safety of the technology and identities of those in attendance. There is uncertainty about who the malicious actors may be and what will motivate their actions, there is doubt over attendees’ personal security, and there is fear over who will be a victim and how, particularly as new exploits are regularly announced, such as F-Secure’s ability to design a master hotel key that could open millions of doors in tens of thousands of buildings. This could make new DEF CON attendees think twice about going because the safety of their person and identity could be at risk. However, veteran DEF CON attendees will know that these threats can be mitigated and should not prevent someone’s attendance at the conference.
So, how do we combat FUD?
The answer is not to avoid hotel keys, to avoid new information, or to tell your employees never to react to their email. Instead, knowledge and continuous education are your best weapons against FUD. Equip yourself and your employees with an awareness program that emphasizes the value of recognizing when emotions are heightened, slowing down in response, and asking questions about the information presented to them. In the IBM story, an appropriate response would have been to research the specifications of IBM versus its competitors and draw a conclusion on which product best fit the presented needs, instead of allowing a marketing campaign to convince an audience that the unknown of new things is scary. Where the information security of your organization is concerned, be sure employees know that emails containing emotional triggers may be attempting to get them to act out of haste. And, where DEF CON is concerned, here are some pointers for any of you attending:
- turn off the Bluetooth on any devices,
- avoid joining public WiFi,
- don’t plug anything you don’t own into your technology,
- avoid leaving valuables in your room, and
- inform yourself and any employees that may be attending of best practices to remain vigilant and secure.
Don’t let the FUD win.