The Real Talk:
- What “cognitive surrender” actually means—and why handing your thinking off to AI tools is exactly what cybercriminals are counting on
- The 2024 Hong Kong deepfake case where a single employee wired $25 million after a convincing video call with people who didn’t exist
- Why attackers schedule their phishing campaigns around your lunch break, your three-day weekends, and your lake reservation notifications
A Closer Look:
Cognitive Surrender Is the New Attack Surface James McDowell, PhD, forensic psychologist, cybercrime researcher, and adjunct professor at American Military University, opens with a term worth writing down: cognitive surrender. As AI tools absorb more of our daily thinking, we’re not just becoming less sharp—we’re becoming more exploitable. Attackers aren’t just targeting your network. They’re targeting the mental shortcuts your brain takes when it’s distracted, rushed, and operating on autopilot.
The $25 Million Zoom Call That Never Happened In 2024, an employee at a Hong Kong-based firm received a Friday afternoon email from someone posing as the CFO, requesting a wire transfer for an acquisition. Something felt off—so they asked to hop on a video call first. Smart move. Except the CFO on that call, and every other executive on the screen, was a deepfake. Multiple people. All convincing. All fake. The employee wired $25 million and had a normal weekend until Monday morning. The adversary had reverse-engineered the exact verification step we’d spent years training people to take.
The Carrot Has Better ROI Than the Stick Eric Brown, CISSP and Nick Mellem landed on something worth bringing back to your security team: how you incentivize reporting matters as much as the training itself. Punishing clicks breeds fear and silence. Rewarding people who catch real phishing emails—copying their manager on a note from the CISO, giving them visible credit—builds the reporting culture that actually protects the organization. James framed it simply: the carrot is better than the stick for building sustainable security behavior.
Voice Passwords Aren’t Just for Executives Anymore The same psychological instinct that made the Hong Kong employee feel safe on that video call—social proof, familiar faces, group consensus—is being weaponized at scale. James’ recommendation for families and organizations alike: establish voice passphrases. If you’re going to ask for money, there’s a codeword. If that word isn’t said, it isn’t you. Low-tech. Boring. Effective.
Bottom Line:
Your brain evolved for the physical world. It’s remarkably bad at detecting deception in the digital one. Attackers know this, and they’re building their entire playbook around it. The good news: awareness is the entry point. You don’t need to understand every AI tool deeply to stop being manipulated by it. You need just enough exposure to recognize when something is trying to keep you in System 1. And you need a passphrase.
Tune into the full episode to hear why James deepfakes senior leaders as a teaching tool (with permission, he notes), how sycophantic AI is quietly changing the way we communicate with other humans, and what “prompt output optimization” means for the next generation of search manipulation.
🔗 Ep 84 – Cognitive Surrender: AI, Deepfakes, and the Psychology of Cybercrime with James McDowell
Listen wherever you get your podcasts – Subscribe to our YouTube channel to stay up to date on breaking cybersecurity news.
Learn more at www.itauditlabs.com
