Phishing is all about getting access to you – your data, your information, your money. Or if not yours, then that of your organisation or a network you have access to.
Why do people bother with phishing scams? Well, there’s a simple answer: phishing is too easy, too cheap to do, and carries a very low risk. Essentially, phishing costs next to nothing, is easy to implement, and can reach thousands of potential victims, so criminals don’t need many people to fall for their scam in order to make money.
The increase in sophisticated phishing scams
As with much cyber crime, the phishers are well ahead of us. They have upped their game, and one of the keys to understanding why these scams succeed is to understand the psychology behind the way they work.
Let’s not forget that marketing and advertising are based on a lot of the same principles – so this isn’t something that’s secret information – it’s just that phishers have become experts in exploiting it.
Dissecting phishing psychology
I’ve taken an in-depth look at how phishers operate, using my knowledge of behavioural science to explain why phishing works so often and so well. Let’s look first at the way these criminals use our everyday expectations and behaviours against us. Then we can see how we can change the way we act to protect us from being scammed.
There are eight psychological devices that phishing emails typically use. We’re going to look at the first three in this blog – normality, urgency and curiosity.
We’ll start with normality – the normality of getting an email or text message. We all get emails all the time – across all our email addresses. So we are used to scrolling through emails and opening the ones that we are interested in. The problem is that some of the interesting ones are malicious. And they may have links or attachments to trick us into going to false websites, parting with information, sending money or downloading some type of malware.
Because communicating via email is our ‘normal’ it’s quite easy to hide the malicious requests amongst the genuine ones. So, one of the features of a phishing email is that they look legitimate – very real, as though they come from bona fide institutions or companies, or topics that are related to you and your work or interests.
For 20 years or more, the IT industry has sent links and attachments, so of course we are habitually inclined to open things. The problem is, we can’t see what’s beneath the link. So just because it looks normal doesn’t mean it’s safe – we really need to pay attention to what’s in our inbox to make sure we don’t open or click on anything that could be dangerous.
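The point above is that a link's visible text tells you nothing about where it actually goes. As an added illustration (example code written for this page, not a tool from the original post or from Psybersafe), the helper below pulls every link out of an HTML email body and flags the ones whose visible text names one host while the underlying href points at another. The sample email body, the hostnames in it and the `.invalid` domain are all constructed for the example.

```python
"""Show what is 'beneath the link' in an HTML email body.

Added example, not from the original post. A phishing email often displays
one address as the link text while the href sends you somewhere else. This
helper extracts (visible text, href) pairs and flags mismatched hosts so a
mail filter or a curious reader can see the real destination.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (visible_text, href) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, or None
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(value):
    """Return the host of a URL or bare domain (no 'www.'), or '' if none."""
    if "://" not in value:
        value = "http://" + value          # let urlparse see a bare domain
    host = urlparse(value).hostname or ""   # hostname is already lowercased
    return host[4:] if host.startswith("www.") else host


def suspicious_links(html_body):
    """Return [(visible_text, href, reason)] for links worth a second look.

    Two checks: the visible text looks like an address but names a different
    host than the href, or the href uses a scheme that is not a web address.
    """
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        if href.lower().startswith(("javascript:", "data:")):
            findings.append((text, href, "href is not a normal web address"))
            continue
        looks_like_address = "." in text and " " not in text
        if looks_like_address and _host(text) != _host(href):
            findings.append((text, href, "visible text names a different host"))
    return findings


# Constructed sample body: one disguised link, one plain-text link, one honest link.
SAMPLE_BODY = """
<p>Your account will be suspended in 24 hours.</p>
<a href="http://example-login.invalid/verify">https://www.example.com/account</a>
<a href="https://www.example.com/help">Help centre</a>
<a href="https://example.com/unsubscribe">example.com/unsubscribe</a>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_BODY):
        print(f"{reason}: shows '{text}' but goes to {href}")
```

Only the first link is reported: its text claims `example.com` while the href resolves to `example-login.invalid`. Plain-language link text such as "Help centre" is not compared, since there is no visible address to contradict.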
A lot of phishing emails try to impart a sense of urgency: a ‘limited time offer’ or a ‘one-time only discount’. Whenever you see that, you need to be on your guard. Why does this approach work? And why do we see it so often?
Urgency has a stress impact. If we go back to prehistoric times, our ‘lizard’ brain – developed very early on in our evolution – reacts when we get stressed. Cortisol is our stress hormone, and when it kicks in, the body goes into ‘fight, flight or freeze’. Blood moves to the extremities and our cognitive abilities go down. So we start focusing on what we need to do quickly instead of asking ‘Where did this email come from? Is it realistic or relevant to me?’
So the sense of urgency drives us to act quickly, and that means we don’t pay proper attention. This plays straight into any criminal’s hands – they want you to react straightaway.
Another feature – curiosity – does a similar thing. It innately draws us in to do something or to find out more, creating an element of tunnel vision and making us want to have a closer look. As humans, we have a drive for filling the gaps in our knowledge or experience, and so when we see an opportunity to investigate something new, we’re likely to take it.
This is a fascinating area of psychological study. As part of my work in cyber security, I have run a number of phishing campaigns within organisations – designed to show people on a practical level just how easy it is to be taken in. When we asked people why they had clicked on the email, even though it was reasonably obvious it was a fake, they said: “I was curious.” Or even: “This is probably dodgy, but I will just have a look.”
So curiosity is a powerful force – it’s used all the time by advertisers – and cyber criminals will use it because it works.
Want to know more?
I regularly speak on how we can understand the way hackers work, and how we can use psychology to beat them. If you’d like to know what the other 5 signs of a phishing email are, and how you can spot them, you can book me to speak to your group or at your event. If you’d like to chat about using Psybersafe in your business to help to stay cyber secure, contact us today.
You can also find out more about how our training works by watching our demo.
Sign up for our newsletter for regular cyber security tips and advice, and to find out more about our unique behavioural science-based online cyber training.
Mark Brown is a behavioural science expert with significant experience in inspiring organisational and culture change that lasts.