Psychology of the Click: Techniques Phishing Attackers Use to Lure You in
Morgan Cyber
Phishing attacks and social engineering are among the most well-known and established techniques in the attacker playbook, but there are good reasons why they remain the number one threat vector for organisations…
Why Phishing Attacks Are So Common
The simple answer is scale and accessibility. Every week, millions of workers around the world get emails, texts, Teams messages, and phone calls designed to trick them into making a mistake. These mistakes are how cyber-attackers often get initial access into networks.
Hacking into a well-defended network without any credentials is hard and time-consuming, even for skilled and well-resourced attackers. Sending phishing emails, by comparison, is cheap and easy to execute. While they require little technical skill, they remain quite effective in terms of results.
Technologies do an excellent job in filtering out a majority of these threats before they get a chance to influence a target. However, according to the 2024 Verizon Data Breach Investigations Report, over one in three data breaches are still caused by phishing attacks.
In what may be considered ‘traditional cybersecurity’, technology is king, accounting for 97% of budgets according to IDC. Spending on the ‘human layer’ of cybersecurity by contrast (helping employees spot and report phishing emails) accounts for just 3% of budget. However, despite this spend on technology, and the rate of its advancement, threat actors are still getting through, and they are doing it by successfully targeting people.
The Role of Psychology in Phishing
The psychological underpinnings of phishing have not really changed since unscrupulous people started to steal, defraud, and con their way to ill-gotten gains centuries ago. Back then, the best were masters at manipulating and exploiting human emotion, and not much has changed bar the delivery method and scale on which they operate.
This is because emotion is not binary like a hardware or software vulnerability. It is unpredictable, changing quickly based on a range of factors often outside our control. The best phishing adversaries today, like their predecessors years ago, have a deep understanding of the academic study of human emotion, and use it constantly in their tactics. A trait of the most secure organisations is that they help their employees spot these tactics through effective training and awareness programs.
Let’s unpack the most common psychological plays phishing attackers use to make their communications convincing. It is also important to note that they will often try to ‘layer’ their communications, using multiple triggers to try and move the target out of their rational comfort zone, which is how mistakes are made.
1. Hyperbole:
“Get a £500 Amazon voucher when you give us your feedback”
As the old saying goes, if an offer sounds too good to be true… But when the offer is inserted into a familiar environment, or sent to you by what looks like a long-standing supplier, possibly in the weeks before Christmas, the temptation to click may rise a notch or two.
2. Habit:
“Please see attached the July Sales Report”
Not the most exciting tactic, but if you are used to receiving something regularly it is only natural that your guard will be lower. Attackers take advantage of obvious timings; managers will expect to see ‘monthly report’ emails circulating in the first week of the following month, and after a great sales result, it’s understandable for the higher performers to want to see those results confirmed in writing…
3. Authority:
“I need you to action this right away”
People tend to attribute a greater accuracy or urgency to the opinion or request of an authoritative figure. In the context of the workplace, this could include a manager, department head, or even the CEO.
Authority can be especially dangerous because it is very easy to combine with urgency, and rushing to complete a task is exactly the type of behaviour attackers are trying to foster to cause a mistake.
4. Fear:
“Your section of the bid document is wrong and we have to submit it before the end of the day”
Being told you have done something wrong, particularly when it has significant consequences for others, creates strong feelings of guilt and anxiety. Wanting to do everything possible to help rectify the situation as quickly as possible (our friend urgency appearing again) is a natural reaction.
5. Optimism:
“Pay reviews will commence next month, make sure you have provided us with your achievements for the year”
Good news such as notice of pay reviews landing in your inbox will grab attention. These types of emails are often combined with convincing timing, such as the end of a calendar or financial year when companies typically announce pay rises or bonus schemes.
6. Curiosity:
“This acquisition announcement is embargoed until 7am tomorrow”
Have you really been trusted with confidential information? Again, if it is combined with the appearance of coming from a senior figure within the company then it’s another convincing hook, tugging at your trust and perceived seniority strings. However, in reality employees who do not need to know are not told about these kinds of events ahead of time.
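As an added illustration (not code from the original article or from Morgan Cyber), the following Python heuristic scores a message against the six triggers above and flags the ‘layered’ messages the article warns about, where two or more pressures are combined. The keyword patterns and the sample batch are constructed assumptions for demonstration, not a production phishing detector.

```python
import re

# Added example: heuristic triage of a message against the six psychological
# triggers described in the article. Patterns are constructed for illustration
# and would need tuning against an organisation's own reported-phish corpus.
TRIGGER_PATTERNS = {
    "hyperbole": r"\b(?:voucher|gift card|prize|you have won|free)\b|[£$€]\s?\d{2,}",
    "habit": r"\b(?:please see attached|monthly report|sales report|invoice attached)\b",
    "authority": r"\b(?:i need you to|action this|from the ceo|on behalf of the director)\b",
    "fear": r"\b(?:is wrong|your mistake|before the end of the day|overdue|will be suspended)\b",
    "optimism": r"\b(?:pay reviews?|bonus scheme|promotion|pay rise)\b",
    "curiosity": r"\b(?:embargoed|confidential|acquisition|do not share)\b",
}
# Urgency is not a trigger of its own in the article but is layered on top of
# authority and fear, so it is scored separately.
URGENCY = r"\b(?:right away|immediately|urgent|asap|before the end of the day|tomorrow)\b"


def triage(text):
    """Return the triggers matched, whether urgency is present, and whether the
    message is 'layered' (two or more pressures combined), per the article."""
    found = sorted(n for n, p in TRIGGER_PATTERNS.items() if re.search(p, text, re.I))
    urgent = re.search(URGENCY, text, re.I) is not None
    return {"triggers": found, "urgent": urgent, "layered": len(found) + urgent >= 2}


def flag_layered(messages):
    """Filter a batch of messages down to those that combine two or more pressures."""
    return [m for m in messages if triage(m)["layered"]]


# Constructed sample batch: the article's six lure lines plus one benign message.
SAMPLE_MESSAGES = [
    "Get a £500 Amazon voucher when you give us your feedback",
    "Please see attached the July Sales Report",
    "I need you to action this right away",
    "Your section of the bid document is wrong and we have to submit it before the end of the day",
    "Pay reviews will commence next month, make sure you have provided us with your achievements for the year",
    "This acquisition announcement is embargoed until 7am tomorrow",
    "Minutes from the Tuesday project meeting are in the shared folder",
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(triage(m), "<-", m[:50])
```

Run stand-alone, the script prints one triage result per sample; the three messages that pair a trigger with urgency are the ones flagged as layered.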
Protecting Your Teams From Social Engineering
It’s not an easy task. Adversaries are relentless, clever, and well-resourced, but there are actions that can be taken to improve the effectiveness of your ‘human layer’.
· A security awareness training program can be implemented at a reasonable cost, and there is plenty of data to show its impact in helping reduce the number of employees who click dangerous links. In fact, according to Gartner, organisations with security awareness training in place see a 70% reduction in social engineering attacks.
· Encourage a culture of verification and highlight success. It may add time to a task, but as a leader it is important to let your teams know that taking the time to double-check anything they are unsure about is a positive behaviour. If an employee does successfully detect a phishing email, don’t hide it. By spreading the word you will improve confidence within your team to take action again in the future.
· Make it easy to report phishing emails. So a member of your team has correctly identified a phishing email, great. Now what? Who do they tell? Tools such as KnowBe4’s dedicated ‘Phish Report’ button sit within the Outlook ribbon, so suspected phishing emails can be reported in one click, immediately alerting your security teams in the process.
· Enable multi-factor authentication (MFA) so that even if attackers have been able to acquire credentials, you have an extra layer of defence in place.
Contact:
Morgan Cyber Solutions