The psychology of phishing

Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today. Cybercriminals no longer send out thousands of emails at random hoping to get a handful of hits; today they create highly targeted phishing emails which are tailored to suit their recipients.

While these emails take more time and effort on the hackers’ side, there is no doubting the fact that they provide a much bigger return on investment.

Cybercriminals understand that we are a generation of clickers and they use this to their advantage. They will take the time to create sophisticated phishing emails because they understand that today’s users can tell apart spam annoyances from useful email; however, they still find it difficult to identify phishing emails, particularly when they are tailored to suit each recipient individually.

As a result, over the last three years there has been a dramatic increase in the volume of targeted spear-phishing and longlining fake emails. These are so sophisticated that they fool security software and humans alike into thinking they are genuine and that the links are harmless; in fact they can link to malicious websites, or to pages on legitimate websites which criminals have manipulated to serve up malware.

The most shocking aspect is that fake emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link. To put that into context, a legitimate marketing department at a FTSE 100 company typically expects a click rate of under 2% on its advertising campaigns. So, how are the cybercriminals out-marketing the marketing experts?

The increasing pace of life coupled with mobile computing means that we are bombarded with messages, from more sources and across more devices than ever before, both in the office and at home. As a result our attention spans are getting shorter and we have become a generation of trigger-happy clickers. It is almost an automatic reaction: you open a new message, you decide within a few seconds if it seems relevant and meaningful… if it is, you click the link, read the web page that pops up, close it and then move on to the next message. In psychological terms, humans are conditioned to click on links.

Cybercriminals leverage this by designing email themes most likely to trigger your automatic click response. Proofpoint’s Human Factor research recently showed that the most successful themes for email lures are Social Networking (preying on the human desire for social interaction and belonging), Financial Account Warnings and Order Confirmations (preying on the desire for financial stability) and Breaking News Stories (preying on human curiosity and compassion). However, fake LinkedIn Invitations are by far the most dangerous, achieving a click rate 4x that of any other type of email lure.

This is big business. Longlining attacks use clever database marketing techniques to deliver targeted emails to thousands of staff across hundreds of companies within one or two hours. The emails contain a message that is personally relevant to most recipients, resulting in 1 in 10 people clicking on a link in the email that goes to a malicious website. The site looks harmless but can take total control of their PC in less than five seconds, without them or their company’s security software noticing anything is wrong.

This is a real problem. For example, at the end of last year one of these longlining campaigns infected an employee’s PC at a small company called Fazio Mechanical Services, which supplied heating and ventilation units to a multi-billion pound retail company called Target. The cybercriminals then attacked Target through Fazio’s network and stole the details of 110m individuals, including 40m credit cards that Target had on file. Over the next several months Target’s CEO and CIO resigned as its profits fell by 46% and billions of pounds were wiped off its market capitalization as a result of the breach.

Individuals at home need to:
1. Understand that you are not being targeted specifically; you and your machine are just collateral damage.

2. Upgrade your computer from Windows XP (as Microsoft is no longer providing security updates for the OS) or disconnect it from the internet – it’s that dangerous.

3. Don’t use simple, predictable passwords that are easy to crack. For example, when a dating website was hacked, approximately 10% of the passwords were “love1234”.

Businesses need to:
1. Put in place layered security to provide defense in depth against the latest attacks and malware.

2. Run awareness campaigns with your staff telling them not to click on links within social networking emails such as LinkedIn invitations; instead, open your browser or app, log in and manage your invites/messages from there.

3. Deploy new technologies that combine big data security analytics with advanced malware analysis to provide predictive and click-time defense, end-to-end attack campaign insight and automated incident containment capabilities through connectors to your existing security layers.
