The Link Between Phishing Attack Success and Psychology
“(Phishing attacks) require only limited technical skills because their success depends on how well cyber-criminals understand human nature to anticipate how people are likely to behave and react to the bait,” states Marika Samarati in an article for IT Governance. Sending phishing e-mails is the easy part; the challenge comes in constructing an e-mail which will encourage the user to interact with it.
Phishing is something that businesses are taking much more seriously, and for good reason, because 72% of all data breaches are related to staff receiving fraudulent e-mails. There are ways to avoid falling victim to phishing attacks; an approach that works for most other cyber-attacks or viruses is to install security software, in this case to detect and block suspicious e-mails. While this is extremely useful and a good first line of defence, some e-mails slip through the net because they are constructed to look like any other e-mail you might receive. Phishing differs from other forms of cyber-attack because it depends on the human factor: the success of a phishing attack depends on the user interacting with the e-mail they are sent. The best way to ensure that every single e-mail is handled securely is by training these targets, your employees.
How can we be manipulated to fall for an attack using psychology?
Psychology is used in phishing attacks in many ways; Samarati explains a few:
- Choosing times when users are most stressed / vulnerable such as late in the afternoon, on Fridays or at the end of the month.
- Spoofing C-suite managers’ email addresses to make sure low-level staff do as requested without arousing suspicion.
- Taking advantage of real-life events, like tax return deadlines, etc. We recently wrote posts on both tax-return and GDPR related phishing scams, which make phishing e-mails blend into your inbox and discourage you from suspecting them.
- Using fear tactics that urge the recipient to act promptly, such as e-mails that require you to enter your information to change your password or you will be locked out of your account.
The two common trends here are that attackers either disguise their e-mails as the kind you would usually receive, so you aren’t alerted to their danger, or they try to catch you at vulnerable moments so that you will act quickly without thinking through the repercussions of your actions.
Tech Republic published an article which argued that fact-checking is key in recognising phishing attacks. Lisa Fazio, assistant professor of psychology at Vanderbilt University, said that people are naturally poor fact checkers, which attackers exploit to encourage us to click a link. The article describes ‘the Moses illusion’, a way in which cybercriminals use manipulation and deception to ensure success:
How many animals of each kind did Moses take on the Ark?
Most participants focus on the answer to the question (2) and miss the fact that Noah, not Moses, was on the Ark (I did when I read the article, I don’t know about you!).
This works because the question openly states false information but does not make it part of the decision-making process, i.e. how many animals were on the ark. People typically spend more time and effort trying to understand what they hear or read than determining whether the information is true.
The acceptance of the fact that it was Moses who took the animals on the ark is an example of truth bias: the tendency to believe what you hear or read is true without considering the source or any prior knowledge about the subject. In other words, people expect the information they receive to be correct.
Fact-checking is definitely something that should be promoted amongst employees to prevent phishing manipulation. Participants in a study conducted by Fazio avoided misinformation (being phished) when asked to edit a story and highlight inaccurate statements, or to read the stories sentence by sentence and decide whether each sentence contains an error. However, Fazio emphasises that it is not fool-proof: "even 'fact-checking' readers miss many of the errors and retain false information from the stories. For example, in the sentence-by-sentence detection task participants caught about 30 percent of the errors. But given their prior knowledge they should have been able to detect at least 70 percent."
In their report on the Human Factor (2018), Proofpoint stated: ‘Social engineering underpins the Human Factor. Attackers are adept at exploiting our natural curiosity, desire to be helpful, love of a good bargain, and even our time constraints to persuade us to click.’ The best way to defend ourselves and our businesses against attacks, they suggest, is employee cyber-security training: specifically, a combination of internally created simulated phishing e-mails that collect data to see who in your company clicks, coupled with general awareness training so your employees know how to identify a phishing e-mail.
Phishwise is our own phishing awareness training platform that does exactly this. Phishing places an enormous amount of responsibility onto every person in a business with access to an e-mail account, and the right training can make the difference between a data breach and total security. If the human factor is something that could use some extra attention in your business’ cybersecurity, please get in touch. We have different plans to suit everyone and even offer a one-time, single-use licence, which is perfect for trying the product out and seeing how it can improve your employees' ability to recognise and react accordingly to potential threats.