Why do smart people take the bait?
Similar to magicians and street performers, phishing perpetrators have perfected the art of deception to influence our perception of what is real and what is not. To an attacker, sending out phishing emails is both inexpensive and scalable and this allows them to test, measure and hone their understanding of human behaviour to anticipate how we will react.
Armed with this knowledge, scammers are able to construct ever more sophisticated phishing emails that employ a number of social engineering tactics aimed at duping us into performing actions that with ultimately prove very harmful.
Urgency and fear
One of the most pervasive yet effective techniques scammers use is invoking fear. This is often combined with a sense of urgency around an action – such as the need to update your details before losing access to an account, or claiming that a password has been compromised and needs to be changed. This type of ploy works by tapping into people’s fear to such an extent that they fail to spot signs that could indicate the email isn’t authentic.
Trust of authority
As the psychologist Stanley Milgram demonstrated in his infamous 1963 study on obedience, people have a propensity to follow orders received from figures that they recognise as being in authority, even when doing so conflicts with their instincts. Scammers exploit this vulnerability by crafting targeted, legitimate-sounding emails with designs that mimic corporate branding, including official logos and signatures, or even spoofing C-level managers’ email addresses. People are less likely to question clicking a link when this appears to come from a trusted source, such as an airline or a delivery service, and even more so from a boss.
Promise of rewards
Another often-seen phishing scenario involves the lure of an attractive prize or cash reward, used to entice people to volunteer their personal information or part with their money. It won’t come as a surprise that this type of email has a lower success rate than one relying on fear tactics, for example. The implausibility of this scheme is however very deliberate and its purpose is to quickly filter out the more security-aware part of the audience, instead targeting those at the more gullible end of the spectrum.
More often than not, the timing of phishing emails plays an important role in their potential success. Frequently, cybercriminals target prospective victims at a time when they’re likely to be more vulnerable – such as late in the afternoon when concentration levels are lower or at the end of the month when many companies are likely to have business deadlines. Similarly, some phishing scams are timed to coincide with events in the financial calendar, such as a tax return deadline.
How vulnerable are your staff?
Sophisticated phishing emails frequently prove able to bypass standard countermeasures such as anti-spam filters. The best means of preventing an attack from being successful lies in training staff to identify the less obvious signs of phishing, regularly testing their ability to spot inauthentic sources and conducting further awareness sessions where required.