The Psychology of Phishing


But I’m smart! How did I get hacked? 

Whether cognizant of our actions, or not, we all use forms of social engineering in our everyday lives.  Perhaps you praise a child to reinforce good behavior.  Did you unconsciously curate your social media to present only what you want others to see and therefore think about you?  Or maybe you mustered a not so sincere laugh at one of your boss’s jokes thinking that it would gain you favor, or at least not make you an outsider.  Let’s face it, navigating these social norms is part of our daily lives, and like anything, these social interactions can be hacked. 

Employed by the con artist for generations, psychological manipulation allows malicious actors to formulate situations and convince others to act outside of otherwise rational thought.  Although con artists can be found in all walks of life, our growing digital presence over the last thirty years has provided a new frontier.  Yes, we are talking about Phishing! 

Let’s take a trip down memory lane. Phishing first reared its ugly head in the mid-90s, targeting early internet users with cheesy AOL messages asking for their account details. Back then, phishing was as subtle as a neon sign saying, “Free Money!” You knew it was a scam the moment you saw it. Fast forward to the early 2000s, and phishing got a makeover. With the rise of more sophisticated email clients, scammers got fancy, using emails that looked like they came straight from your bank’s CEO—if your bank CEO used Comic Sans, that is. This was also when spear phishing was introduced, which is just a fancy way of saying, “I’m not just fishing; I’m targeting tournament level bass that would make Kevin VanDam jealous.” By the 2010s, phishing diversified its portfolio with “vishing” (voice phishing) and “smishing” (SMS phishing). If phishing were a TV show, it would have gone from a low-budget pilot to a high-stakes drama with special effects. Nowadays, with the introduction of artificial intelligence, phishing is as sophisticated as a James Bond villain’s lair, using personalized attacks that make you question if you really do owe money to the IRS. 

So why does it work so well?  Phishing works because it taps into some fundamental psychological principles, each one more devious than the last: 

Authority: In his 1984 book, Influence: The Psychology of Persuasion, Robert Cialdini explains how people are more likely to comply with requests from perceived authorities. This technique is basically the reason we’re more likely to listen to someone in a lab coat than our neighbor in a bathrobe. It’s like the universe’s way of saying, “Hey, if someone’s got a fancy title or a snazzy uniform, they must know what they’re talking about!” This principle is so powerful that it’s used everywhere from advertising to political speeches, where the phrase “trust me, I’m a doctor” is almost as effective as actually being one. For instance, studies like Stanley Milgram’s infamous 1963 experiment reveal that people are shockingly (pun intended) willing to follow orders from an authority figure, even when it means causing harm to others. Or consider those YouTube fitness gurus who promise you’ll lose 20 pounds in 30 days if you just purchase their fitness and nutrition program— clearly, their authority on “how to get ripped with this one simple trick” is unquestionable. Bad actors exploit this tendency, making emails and calls from “official” sources hard to ignore. So next time someone from your IT department calls unexpectedly, and asks you for information about your system, take a pause and consider whether you should answer. 

Scarcity: Phishing scams often create a sense of urgency, threatening dire consequences if you don’t act fast. Again, Cialdini explains that when people believe something is scarce, they’re more likely to act impulsively. Scarcity is like that last slice of pizza at a party—suddenly, everyone’s a pizza aficionado, and you’re left fighting off a ravenous crowd just to claim your share. This psychological principle plays on our primal fear of missing out, and malicious actors know it well. Take those “limited time offers” that flood your inbox; they’re less about actual scarcity and more about getting you to click on a link before you can think.  With one misplaced click and without even knowing, you open the door for the delivery of malicious software that can cripple a network or steal sensitive data.   So, again, pause and determine if that hyperlink you’re about to follow is as legitimate as it may appear. 

Social Proof:   Social proof is like that moment when you’re at a restaurant and notice everyone ordering the same dish—suddenly, you’re convinced it must be the culinary equivalent of a Michelin star dish, even if it’s just a glorified chicken nugget. Malicious actors exploit this principle by creating the illusion of mass approval to lure you into their trap.  From a digital perspective, attackers use familiar logos and names to create a sense of legitimacy. After learning about your organization, they will cite the names of your fellow coworkers leading you to believe in their legitimacy.  Cialdini shows that people follow these social cues, which allow malicious actors to turn a little bit of open-source information into a powerful tool of manipulation.  

Reciprocity: Reciprocity is like the unspoken rule at a potluck: bring a dish, and you’ll get a plate of someone else’s culinary experiment in return. Dennis Regan’s 1971 research on reciprocity reveals that people feel obligated to reciprocate when given something.  Malicious actors often find their way past defenses by offering free samples, friendly advice, or even unsolicited compliments to create a sense of obligation. Imagine receiving a free trial of a service you didn’t ask for, only to be bombarded with follow-up emails and a hefty subscription fee if you don’t cancel in time. Or think about those “free” gifts with a catch, like a supposedly free pen that comes with an urgent plea to buy a very expensive book.  Criminals use this principle by offering a “reward” to get you to hand over your personal information. It’s like a reverse trick-or-treat—except you’re not getting candy, just a headache. 

Emotional Manipulation: Emotional manipulation is like the emotional equivalent of a toddler’s tantrum—just with a lot more strategic plotting and less adorable cuteness.  Phishing preys on emotions like fear, curiosity, or excitement. Dijkstra and Pieterse (2008) found that strong emotional appeals can lead people to act irrationally. They might pull at your heartstrings describing their quest for love and fulfillment and the only thing getting fulfilled is the scammer’s bank account. Or they might use guilt trips, making you feel like a terrible executive if you don’t immediately buy their corporate profitability product. Sources like Paul Ekman’s research on emotional expressions show how easily our emotions can be manipulated. So next time someone’s tugging at your heartstrings, ask yourself: did you just find true love or are you just funding someone’s lavish vacation? 

I know, I know. This all makes sense on paper, but it can’t be that simple, right? The alarming answer is “yes,” and if you are so inclined, you can watch it all play out for yourself. Every year at DEFCON, one of the largest and longest-running security conferences, there is a competition to showcase one’s social engineering talents. Social Engineering Capture the Flag (SECTF) pits competitors against one another in a real-time competition to gather small amounts of data from an unsuspecting target over the phone. The “flags” to be captured vary but may include what operating system is in use, how long a specific employee has worked for the company, or even details about the company’s third-party logistics. All of this is valuable information for an attacker planning the best method of attack.

After some advance preparation, each competitor is given approximately 25 minutes to engage their target with nothing more than their notes, a phone, and of course their social engineering cunning. Using a pretext, which is essentially a roleplaying backstory, the competitors methodically make their calls and surgically extract the required information from their unsuspecting targets. Always wary of triggering suspicion, they play a game of verbal cat and mouse as they rack up points for each piece of information they gather. Truly an exhibition to behold, this demonstration is a sobering reminder of how easy it is to fall prey to such an attack.

“So, if it’s that easy to manipulate me, I should just give up.”    Fear not, for you are now in a better place than when you started reading.  But let’s take it a step further and discuss some commonsense defense.   

Education and Awareness: It is paramount that organizations implement regular training and awareness programs to educate individuals about phishing threats and detection techniques. The FBI’s 2023 Internet Crime Report emphasizes that user education significantly reduces the risk of falling victim to phishing attacks by improving recognition and cautious behavior. As any fan of 1980s cartoons will tell you, “Knowing is half the battle.”

Strong Authentication Methods: Enforce multi-factor authentication (MFA) to add an additional layer of security. In a 2023 study titled How Effective is Multifactor Authentication at Deterring Cyberattacks?, the authors show that MFA effectively mitigates the risk of unauthorized access, even if login credentials are compromised. Simply put, MFA acts as a secondary barrier to prevent unauthorized access.

Email Filtering and Security Software:  Invest in advanced email filtering and security solutions to detect and block phishing attempts. The 2023 CISA report highlights the efficacy of sophisticated filtering systems in reducing phishing success rates by intercepting fraudulent communications before they reach users.   
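To make the filtering point concrete, here is a small rule-based scorer (an added example, not code from the original post or from any vendor product) that flags the same psychological levers described above as they show up in an email: an authority claim in the display name coming from an outside domain, a Reply-To that diverts replies elsewhere, urgency and scarcity wording, and link text that shows one domain while the href points at another. The internal domain `examplecorp.com`, the phrase lists, and both sample messages are constructed for illustration; a production filter would combine such heuristics with sender authentication (SPF/DKIM/DMARC), URL reputation, and tuned phrase lists.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed assumption: the organization's own mail domain.
INTERNAL_DOMAIN = "examplecorp.com"

# Constructed phrase lists for illustration only (scarcity and authority cues).
URGENCY_PHRASES = (
    "act now", "immediately", "within 24 hours", "limited time",
    "will be suspended", "final notice", "urgent",
)
AUTHORITY_PHRASES = ("it department", "ceo", "security team", "help desk")

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
# Matches link text that itself looks like a URL or bare domain.
DOMAINISH_RE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def registrable_domain(host: str) -> str:
    """Crude 'example.com' from 'mail.example.com' (no public-suffix handling)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_message(raw: str) -> dict:
    """Score one RFC 822 message string; returns {'score': int, 'findings': [...]}."""
    msg = message_from_string(raw)
    findings = []

    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if isinstance(payload, bytes) else str(payload)
    text = (msg.get("Subject", "") + " " + TAG_RE.sub(" ", body)).lower()

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""

    # Authority: display name claims an internal role, address is external.
    if any(p in display.lower() for p in AUTHORITY_PHRASES) and from_domain != INTERNAL_DOMAIN:
        findings.append(f"authority claim '{display}' sent from external domain {from_domain}")

    # Reply-To diverting replies away from the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and registrable_domain(reply_addr.split("@")[-1]) != from_domain:
        findings.append(f"Reply-To domain differs from From: {reply_addr}")

    # Scarcity: urgency language in subject or body.
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(f"urgency phrases: {hits}")

    # Link text shows one domain while the href resolves to another.
    for href, label in HREF_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        m = DOMAINISH_RE.match(label.strip())
        if m and registrable_domain(m.group(1)) != registrable_domain(href_host):
            findings.append(f"link text {m.group(1)} but href points to {href_host}")

    return {"score": len(findings), "findings": findings}


# Constructed sample messages (not real mail).
PHISH_SAMPLE = """\
From: "IT Department" <helpdesk@examplecorp-support.com>
Reply-To: collect@mailbox-free.example
To: alice@examplecorp.com
Subject: Urgent: password expires today
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you act now.</p>
<p>Verify at <a href="http://examplecorp.com.login-verify.example/reset">https://examplecorp.com/reset</a></p>
"""

BENIGN_SAMPLE = """\
From: "Bob Smith" <bob@examplecorp.com>
To: alice@examplecorp.com
Subject: Lunch on Thursday?
Content-Type: text/plain

Want to grab lunch Thursday? The new place on Main Street is open.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = score_message(sample)
        print(name, result["score"], *result["findings"], sep="\n  ")
```

Each finding maps back to one of the principles above (authority, scarcity, and the disguised link that exploits misplaced trust), which is also a useful way to explain a quarantine decision to the user who almost clicked.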

Regular Software Updates and Monitoring:   Regularly apply updates and patches provided by software vendors to address vulnerabilities and fix bugs, scheduling automatic updates where possible to ensure timely application. Maintain an organized inventory of all installed software and firmware to track their update status and prioritize critical updates. Utilize a centralized update management system to streamline the process across multiple devices and conduct periodic security assessments to verify that updates are effectively implemented. Enable notifications for new updates and review them before installation to avoid any compatibility issues. Additionally, leverage cybersecurity experts to augment your defenses and address organizational risk.   

Verification Protocols: Establish robust procedures for verifying the authenticity of requests for sensitive information. Verification protocols help ensure that requests are genuine before any sensitive information is disclosed.  You wouldn’t share your personal info with just any random person for fear of compromise. The same level of verification needs to be applied to business communication systems. 

You did it!  You used your limited and valuable time to educate yourself and become more aware of the consistent threat of social engineering.  You should be very proud of yourself.  As a reward, we are going to send a gift to the first 50 readers that respond.  All we need to ship you this limited time offer is a current mailing address, the name of your first pet, and the street you grew up on.   

References:

  • Milgram, S. (1963). Behavioral study of obedience. The Journal of Abnormal and Social Psychology, 67(4), 371–378.
  • Regan, D. T. (1971). Effects of a favor and liking on compliance. Journal of Experimental Social Psychology, 7(6), 627–639.
  • Internet Crime Complaint Center (2023). Internet Crime Report 2023. https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
  • Meyer, Romero, Bertoli, et al. (2023). How effective is multifactor authentication at deterring cyberattacks? arXiv:2305.00945. https://arxiv.org/pdf/2305.00945