Creating a Vaccine for Phishing Attacks

Creating a Vaccine for Phishing Attacks

Another day another phishing story.  According to reports a scammer recently sent out emails to a Texas school district posing as one of the district’s vendors and requested a series of payments. One month later, the district realized they had been conned out of $2.3 million. 

Unfortunately, stories like these are increasingly common 

Not unlike propaganda, social engineering and phishing campaigns are forms of attack that rely primarily on deception and disinformation. Defending against these attacks therefore requires more than technical defenses. Instead, it’s necessary to look at strategies used to combat disinformation in general.  

A Vaccine for Social Influence

Inoculation theory is one such strategy and has been gaining steam recently. The main premise of the theory is that the best way to defend against manipulation and unwanted influence is through exposure to the influence in a smaller, weaker form. Exactly like a vaccination.  

In general, the application of inoculation theory involves three basic elements: 


The first step is so obvious that it’s can be easy to overlook. If you want to defend against a threat, you first need to be aware that the threat exists.  For instance, if your employees don’t know what a phish is, they are far more likely to get tricked by oneOne study found that the simple awareness that a threat exists increases the ability to combat it, even when they weren’t given the tools to fight it.  

Refutational Preemption

Refutation preemption is a fancy phrase, but, in the metaphor of the vaccine, it simply stands for the weak strain of a virus or threat. The idea is to introduce someone to faulty messaging that stands in opposition to what they usually hold to be true. By being exposed to a weaker version of the messaging, the person receiving the message will be able to learn how to argue against it and strengthen their own beliefs. Then, when they encounter a similar but stronger message in real life, they will have already developed the tools needed to combat it.  

Within the context of phishing schemes, this would involve presenting someone with examples of phishing emails asking them to identify the methods used that make the email seem real. Another method is to have participants create their own phishing emails to get them to know what is involved in creating a deceptive message.


The final element of the theory simply states that the more someone cares about an issue, the easier it will be for them to defend against a threat to that issue. So, when it comes to phishing, if your employees understand and care about the stakes involved with a phishing attack, they will be in a better position to spot them. Essentially, the more vested interest someone has in defending against an attack, the easier it will be for them to do so successfully.  

Putting Inoculation Theory into Practice

With the rise of socially engineered threats, inoculation theory has seen a bit of a resurgence lately. For instance, researchers at Cambridge University created the simulation Get Bad News, a game that uses inoculation theory to combat false or misleading news articles.  

And it doesn’t take a big leap to see how inoculation theory can be useful for cyber security threats, such as phishing campaigns. By combining education with simulated phishing attacks, businesses can use inoculation theory to: 

  1. Using education tools to raise employees’ awareness of the threat phishing attacks pose. 
  2. Expose employees to simulations of phishing attacks and have them proactively respond to it by reporting potential phish. You can even have employees create their own phish. Like Get Bad News, this will further inform participants of common tactics used in social engineering schemes.  
  3. Create a program that keeps employees engaged in the process. Focusing on positive reinforcement over punishing mistakes, for example, will help encourage participants to take the process seriously. 

Inoculation Theory At Work

Our digital awareness program The Phishmarket™uses inoculation theory in various phases throughout the program. Our phish simulations uses a reporting feature that empowers participants to be actively involved in combating phishing attacks and rewards progress instead of punishing mistakes. 

The Phishmarket™ also includes an online training program that uses daily micro-lessons to teach participants about common and emerging methods used in social engineering schemes. Some of the micro-lessons even asks users to try creating their own phish.  

Want to try it out for yourself? Simply follow this link to test out a preview of the training program and create your very own (fake) phishing campaign.  

Why We Get Phished

Phishing scams continue to be one of the leading forms of cyberattacks experienced by businesses. In fact, a ransomware attack that targeted Quickbooks cloud hosting firm in July is now believed to have started with a phishing campaign. And according to Proofpoints’s 2019 State of the Phish Report, 83% of respondents said they experienced a phishing attack in 2018 — a 7% increase from 2017. These attacks can be costly. Phishing schemes can lead to financial costs such as fraudulent wire transfers and fines but can also damage a company’s reputation. After all, who doesn’t know how to spot a phish? 

Well, real reason phishing is so successful isn’t as simple as all that. Fundamentally, these are a form of attack that focus less on technical vulnerabilities and more on exploiting the weakest link in any security system: us. Phishing scams have been around for a while, so the scammers have had a long time to hone their craft. As such, they’ve developed complex methods that target human behavior and manipulate us into lowering our defenses.  

Recipe for a Successful Phish

One article published by the Open Journal of Social Sciences published and titled A Study of Social Engineering in Online Frauds” dives deep into the human factors that make phishing schemes so successful. In the paper, the authors pinpoint several effective “triggers.” Of these, three of the most prominent are:  


One method scammers use is to impersonate a person or institution that has authority. This includes using markers such as government agencies or professional titles. Scammers also use “official” sounding language create legitimacy, trust, and credibility. 


Another successful tactic is to create a sense of urgency. Such emails include urgent language to stress the need for prompt response, and will often say there are negative consequences for no or delayed responses.  


Phishing scams will also try to provoke fear in the victim. Sometimes these emails will leverage current issues such as natural disasters, health epidemics, or economic concerns. Other times, they will threaten the victim with account suspension or deletion if they don’t take action. 

A Case in Point

One real-world example from a few years ago combined all three of these triggers to successfully target their victims. In 2009, during the height of the swine flu scare, a scammer sent out emails imitating Center for Disease Control and Prevention asking people enter their personal information to create a vaccination profile. The scam used the authority of the CDC and played on the public fear and sense of urgency about the swine flu to successfully steal personal information.  


We’d like to believe that we’re smart enough to identify fake emails, but the truth is scammers are using social and behavioral techniques to stop us from using our better judgement. The best way to combat this is to train yourself and your employees on the latest phishing tactics and use due diligence when receiving unprompted emails. By taking simple steps like ensuring the sender’s email address is correct, checking the URL of any links before clicking them, and carefully reading the email can save your company money and the public embarrassment that comes with falling victim to such a common form of attack.