Hackers get design better than you think

Promit Sanyal
Published in Moonraft Musings
5 min read · Jul 19, 2016

Hackers are increasingly leveraging smart design techniques, and we can learn a lot from them.

Let’s face it. Hackers are really smart and know how to use the best tools and techniques to succeed in their trade!

Hackers have been in the news constantly over the past few years, mainly for the wrong reasons. Companies across industries have been victims of cyber attacks and data breaches that have resulted in millions of dollars of financial damage and far more in reputational loss. Hackers will probably be (if they are not already) the biggest villains of the 21st century, and there is not much we can do about that. However, we can always learn from the enemy!

One of the most common attack techniques is phishing.

According to Wikipedia, Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

Every year millions of users fall prey to phishing scams because of well-crafted, cleverly designed emails that trick the user into opening a malicious attachment or clicking a link to an attacker-controlled site. Ultimately it is clever design that makes these attacks succeed.

If you think about it, most marketers, UX designers and hackers share the same objective: getting the user to click the desired link.

Now let's look at some common design concepts and principles they leverage for a successful attack.

Comprehensive User Research — A recently detected phishing scam targeting Telstra customers uses an email and a fake website that convincingly mimic the telco's branding and tell the recipient that their bill has been paid twice by mistake. To receive their 'charge back', people are 'requested to visit their account immediately and complete the claim'. The link takes them to a malicious site that looks exactly like the genuine Telstra website (shown below), harvests whatever login details they type in, and so compromises their account. Unwitting customers fall right into the trap!

Fake Telstra Phishing website

Can you imagine the amount of user research needed to make this operation a success? Hackers tend to be extremely good at it, and their entire scam depends on how well they have understood the user. Through user research they build comprehensive user profiles based on the users' goals, expectations, motivations and behaviour. In the example above, they identified a compelling, common user behaviour (wanting a refund), reached out to the most probable targets, and crafted a communication plan that makes recipients highly likely to fall prey.
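The lure above works because the visible branding says "Telstra" while the link behind it goes somewhere else. The following Python script, an added example that is not part of the original post, shows the check a mail gateway or security team can run to catch exactly that: it parses the anchors out of an HTML email and flags any whose visible text or brand name disagrees with the registrable domain of the href. The trusted-domain table and the lure email are constructed for the demonstration, and the attacker hostnames use the reserved .example TLD; none of them are real sites.

```python
"""Flag links in an HTML email whose visible text or branding points at one
domain while the href actually leads somewhere else: the mechanism behind the
brand-mimicking lure described above (added example, not the article's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands we want to protect and the domains they legitimately use.
# Assumed table for this example, not data taken from the article.
TRUSTED_DOMAINS = {
    "telstra": {"telstra.com", "telstra.com.au"},
}

# Constructed lure, modelled on the "bill paid twice" story. The attacker
# domains use the reserved .example TLD and are invented for this demo.
CONSTRUCTED_EMAIL = """
<p>Dear customer,</p>
<p>Your bill was paid twice. Visit
<a href="http://telstra-billing-refund.example/claim">https://www.telstra.com.au/account</a>
to complete your claim.</p>
<p>Need help? See our <a href="https://www.telstra.com.au/help">help page</a>.</p>
<p><a href="http://www.telstra.com.au.refund-portal.example/login">My Telstra</a></p>
"""

_COMMON_SECOND_LEVEL = {"com", "net", "org", "gov", "edu", "co"}
_URL_LIKE_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.anchors.append((self._href, visible))
            self._href = None


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain (telstra.com.au, not www.telstra.com.au).

    Simplified heuristic: treat 'com.au'-style suffixes as two labels.
    Production code should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in _COMMON_SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def find_suspicious_links(html: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the anchors that look like brand-mimicking phishing links."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        host = urlparse(href).hostname
        if not host:  # mailto:, relative links and the like
            continue
        reasons = []
        # 1. The visible text is itself a URL, but for a different site.
        shown = _URL_LIKE_TEXT.match(text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append("display_href_mismatch")
        # 2. A protected brand is named in the host or the link text, yet the
        #    link does not land on one of that brand's real domains.
        for brand, domains in trusted.items():
            named = brand in host.lower() or brand in text.lower()
            if named and registrable_domain(host) not in domains:
                reasons.append("brand_lookalike")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(CONSTRUCTED_EMAIL):
        print(finding["reasons"], finding["href"], "shown as", repr(finding["text"]))
```

Run against the constructed email, the script flags the "refund" link twice (the visible URL names telstra.com.au while the href does not, and the host merely contains the brand name) and the "My Telstra" link once (a brand name buried in a long hostname whose registrable domain is refund-portal.example), while the genuine help-page link passes. The same two checks are what a user is implicitly asked to perform by hovering over a link, which is exactly the step a well-designed lure is built to make them skip.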

Designing for Devices — A recent study found that mobile users are three times more likely than desktop users to submit personal information on a phishing website. A phishing site is also harder to spot on a mobile device than on a desktop: the address bar is small or hidden, and there is no way to hover over a link to inspect the real URL behind it.

A responsive phishing site for ANZ Bank

The worrying part is that hackers are aware of this and are exploiting the behavioural change to the fullest. As technology has evolved, so have the hackers. They understand that most transactions these days happen on phones and tablets, and so they design emails and sites that are responsive and easy to read on those devices. In a recent phishing scam, for example, ANZ Bank customers were targeted specifically around mobile banking and mobile usage. The entire scam was designed only for mobile devices and mobile user behaviour, with no thought given to desktop users at all. The result was a major phishing campaign in which thousands of users fell prey and had their sensitive information compromised.

Enhanced Visual Design — Earlier, most phishing emails were plain text with a link to click. Now phishing emails have become far more visual, with greater use of images and better layout. As with legitimate marketing emails, better visual design means higher click-through rates for phishing emails too.

Below is a comparison of how phishing emails used to be designed a couple of years ago and how they are designed now: a clear sign of evolving design!

How phishing emails used to be designed earlier
How Phishing emails are designed now

A/B Testing — The Telstra scam mentioned earlier in this post is also suspected to be a test run ahead of a much larger attack. Experts believe the hackers are A/B testing to figure out which design is more effective.

Phishing Email Type A
Phishing Email Type B

This common design and marketing technique is used by hackers to refine their designs. Based on the test results they pick the variant that performs better, and more often than not their success rates are high.

There are many more such concepts that hackers use in their scams, and not just in phishing: techniques like pharming, vishing and smishing also make smart use of UX design concepts to succeed.

In the words of Thomas J. Watson Jr., "Good design is good business", and it certainly holds true for the hacking industry. Maybe it's time we started applying these principles in our own work as well!

P.S. If you're freaked out by what you just learned about phishing, look up techniques to prevent phishing scams; it's something everyone should be aware of.
