If you haven’t seen this video on attention, please do so, it’s just over a minute long.
The video is by Christopher Chabris and Daniel Simons, both authors of the book, ”The Invisible Gorilla,” in which they reveal the numerous ways our intuitions can deceive us.
In essence, much like we react to the video above, we realise that our minds don’t work the way we think they do. We think we see ourselves and the world as they really are, but we’re actually missing a whole lot.
For the most part, our brains don’t process chaos very well. So, our brains try to take any given information and turn it into something we’re comfortable and familiar with.
You may have seen sentences like this on the internet:
Y0UR M1ND 15 R34D1NG 7H15 4U70M471C4LLY W17H0U7 3V3N 7H1NK1NG 4B0U7 17.
That’s your brain adding order and familiarity to an otherwise random string of letters and numbers.
During brain scans, researchers have found that if we hear a sound that leads us to strongly suspect another sound is on the way, the brain acts as if we’re already hearing the second sound.
In psychology, the Law of Closure explains our tendency to form imagined connections between things that are otherwise separate.
For example, in the above image, there are alternating photos of my colleague, Erich, and I. It is likely that you’ll see alternating columns of Erich and I more easily than rows of single, alternating photos.
The stronger connections we can make between items (like between similar or even identical photos), the less chaotic they seem as a whole.
Criminals also know this, and understand the power of being able to scam or defraud people simply by creating an environment of familiarity.
For example, in business email compromise (BEC) or CEO fraud, a criminal posing as the CEO or other senior executive will ask the finance department to make a payment to a new third party. This attack has a greater likelihood of being successful if the email mimics the genuine CEO’s style or tone. In doing so, attackers can often blind the recipient to warning signs that may be as blatant as the gorilla in the video.
Recently, the BBC reported that two Nigerian men were arrested over a German PPE scam. The criminals cloned the website of a Dutch company to obtain an order from a German state to the tune of $2.3 million. When the PPE didn’t show up, a German government representative visited the company’s offices in the Netherlands, only to be told that they had never conducted any business with them.
Much like the invisible gorilla, once you know to look for it, it is easy to see telltale warning signs. Maybe the website had spelling errors, maybe the URL was different, or maybe the bank account details seemed suspicious.
The point is that unless people are made aware of the potential threats and the techniques that scammers and criminals use, there is little chance they will pick up on the threats that present themselves in plain sight.
In March of 2020, Oklahoma City Police Department shared CCTV footage of a criminal who walked into a convenience store wearing a shirt with the store’s logo on it and convinced the store clerk he was there to take over her shift.
Once behind the register, he continued checking out customers for several minutes before locking the door and stealing all the money, cigars and lottery tickets.
It’s the physical manifestation of a phishing attack in which the threat was invisible. Store clerks are usually vigilant against people who may be shoplifting or brandish a weapon. They are even used to checking for fake currency, but few have ever suspected that a criminal would brazenly walk in claiming to be an employee.
If you don’t know what you’re looking for, you’re not going to spot it. However, simply telling people about threats often isn’t enough either. You have to reinforce the awareness with actual training that puts people in uncomfortable situations to condition them to react in a positive way.
To illustrate the point, let’s close by having another look at a variation of the invisible gorilla test, and see if you complete the exercise differently, or whether your brain normalises the scene.
This is why continuous security awareness training is important and needs to be delivered in a way that captures the recipient’s attention without their brain normalising the message to the point where the gorilla, or in our case, the threat, becomes invisible.
