We often discuss cybercrime in terms of fear, urgency, and technical vulnerabilities. But what happens when the weakest link isn’t unpatched software, but our own best intentions, our kindness, empathy, and desire to help?
As Anna Collard, SVP of Content Strategy and CISO Advisor at KnowBe4 Africa, warns, cybercriminals are now “hacking kindness,” strategically targeting positive emotions to lower our psychological defenses.
The effectiveness of emotional content, whether negative or positive, is rooted in how we process information.
Fear and Urgency trigger a “fight-or-flight” response, forcing quick decisions and suppressing critical thinking. This is the classic, urgent “Your account has been locked!” scam.
Positive emotions, such as compassion or love, are far more insidious. Research shows the “warm glow” effect from helping others makes us less likely to question whether a request is legitimate. Instead of engaging our analytical brain, we rely on mental shortcuts, our inherent trust.
Criminals exploit this positive feedback loop. They create fake charities for children or disaster relief, using sophisticated tools like deepfake videos or AI-generated content to make their cause look utterly real.
In communities where collective responsibility, such as the South African concept of ubuntu, is strong, criminals exploit these cultural values, framing their scams as community-building initiatives to maximize participation and reduce local suspicion.
Beyond fake charity drives that mimic legitimate organizations like UNICEF, CANSA, the most destructive scams today involve building long-term trust:
- Romance Fraud: Criminals spend months building emotional dependence, exploiting loneliness before making a financial request.
- Pig Butchering Scams: These highly organized schemes involve building a “relationship” and then convincing the victim to invest in a fake, lucrative cryptocurrency or foreign exchange platform. The victim is ‘fattened up’ before being ‘slaughtered’ for all their assets.
In these cases, the victim forms a genuine emotional bond, making it nearly impossible for them to accept that they are being manipulated.
What can we Do To Protect Ourselves?
Fighting kindness-based hacks requires not just new policies, but a new approach to human risk management, one rooted in empathy and verification.
For Individuals:
- The 24-Hour Pause Rule: Before making any financial decision based on an emotional appeal, charity, investment, or helping a new friend, wait 24 to 48 hours. This allows your critical thinking to re-engage.
- Verify: Always use independent online resources to verify charitable organizations. Never click a link in an email; navigate directly to the official charity website.
- Discuss Decisions: Always talk about potential large donations or investments with trusted friends or family members.
- Use Traceable Payments: Stick to secure, traceable methods. Never use gift cards, prepaid cards, or cryptocurrency transfers for unexpected requests.
For Organizations:
- Acknowledge and Respect Culture: Security awareness training must move beyond technical threats. Include scenarios involving charity, community investment, and emotional appeals.
- Emphasize that Verification is Caring: Train employees that questioning a request is not cynicism; it’s the responsible way to protect both the organization and legitimate causes.
- Use Local Context: Integrate local examples and cultural values like ubuntu into phishing simulations and training materials to make security relatable and relevant to employees’ lives.
- Implement Approval Processes: Create clear policies and multi-step verification procedures for any significant charitable giving or community investments made through the company.
Cybersecurity awareness is about defending our ability to genuinely help others. By being security-conscious, we protect ourselves and ensure that our resources reach legitimate causes, enabling more effective and sustainable generosity.
