Phishing scams continue to be one of the leading forms of cyberattack experienced by businesses. In fact, a ransomware attack that targeted a QuickBooks cloud hosting firm in July is now believed to have started with a phishing campaign. And according to Proofpoint’s 2019 State of the Phish Report, 83% of respondents said they experienced a phishing attack in 2018 — a 7% increase from 2017. These attacks can be costly. Phishing schemes can lead to financial costs such as fraudulent wire transfers and fines, but they can also damage a company’s reputation. After all, who doesn’t know how to spot a phish?
Well, the real reason phishing is so successful isn’t as simple as all that. Fundamentally, this is a form of attack that focuses less on technical vulnerabilities and more on exploiting the weakest link in any security system: us. Phishing scams have been around for a while, so the scammers have had a long time to hone their craft. As such, they’ve developed complex methods that target human behavior and manipulate us into lowering our defenses.
Recipe for a Successful Phish
One article, published in the Open Journal of Social Sciences and titled “A Study of Social Engineering in Online Frauds,” dives deep into the human factors that make phishing schemes so successful. In the paper, the authors pinpoint several effective “triggers.” Of these, three of the most prominent are:
One method scammers use is to impersonate a person or institution that has authority. This includes using markers such as government agencies or professional titles. Scammers also use “official”-sounding language to create legitimacy, trust, and credibility.
Another successful tactic is to create a sense of urgency. Such emails include urgent language to stress the need for prompt response, and will often say there are negative consequences for no or delayed responses.
Phishing scams will also try to provoke fear in the victim. Sometimes these emails will leverage current issues such as natural disasters, health epidemics, or economic concerns. Other times, they will threaten the victim with account suspension or deletion if they don’t take action.
A Case in Point
One real-world example from a few years ago combined all three of these triggers to successfully target its victims. In 2009, during the height of the swine flu scare, a scammer sent out emails imitating the Centers for Disease Control and Prevention, asking people to enter their personal information to create a vaccination profile. The scam used the authority of the CDC and played on the public fear and sense of urgency about the swine flu to successfully steal personal information.
We’d like to believe that we’re smart enough to identify fake emails, but the truth is scammers are using social and behavioral techniques to stop us from using our better judgement. The best way to combat this is to train yourself and your employees on the latest phishing tactics and to use due diligence when receiving unprompted emails. Taking simple steps like ensuring the sender’s email address is correct, checking the URL of any links before clicking them, and carefully reading the email can save your company money and the public embarrassment that comes with falling victim to such a common form of attack.
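The three checks just listed (sender address, real link target, urgency wording) can be automated as a first-pass triage step. The script below is an added example written for this page, not code from the original article or from any vendor; the two email messages are constructed samples, and the trusted-domain list is an assumed allowlist that a company would maintain for its own brands and partners. It parses the From header, compares the visible text of each link against where the link actually points, and notes the urgency cues the article describes.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of registrable domains the organization trusts (hypothetical).
TRUSTED_DOMAINS = {"example-bank.com"}

# Urgency cues drawn from the tactics described above (urgency, threats of suspension).
URGENCY_CUES = ("urgent", "immediately", "suspended", "within 24 hours")

# Constructed sample: lookalike sender domain (digit 1 for letter l), link text that
# shows the real bank's URL while the href points at the lookalike, urgent subject.
SUSPICIOUS_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
To: user@example.org
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html

<html><body>
<p>Please verify immediately: <a href="http://login.examp1e-bank.com/verify">https://www.example-bank.com/login</a></p>
<p>Help: <a href="https://www.example-bank.com/help">support page</a></p>
</body></html>
"""

# Constructed benign sample from the trusted domain with a consistent link.
CLEAN_EMAIL = """\
From: "Example Bank" <notices@example-bank.com>
To: user@example.org
Subject: Your monthly statement is available
Content-Type: text/html

<html><body>
<p>Your statement is ready: <a href="https://www.example-bank.com/statements">View statement</a></p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable-domain extraction (last two labels); fine for these samples."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "").lower()


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Sender check: the address behind the display name must be on a trusted domain.
    _display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain not trusted: {sender_domain}")

    # 2. Link check: visible URL text vs. the real href target, and href domain vs. allowlist.
    body = msg.get_payload()
    parser = _LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        href_domain = registrable_domain(urlparse(href).hostname)
        if re.match(r"https?://", text):
            text_domain = registrable_domain(urlparse(text).hostname)
            if text_domain != href_domain:
                findings.append(f"link text shows {text_domain} but points to {href_domain}")
        if href_domain not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted domain: {href_domain}")

    # 3. Wording check: urgency and threat language in subject or body.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [cue for cue in URGENCY_CUES if cue in haystack]
    if hits:
        findings.append("urgency cues: " + ", ".join(hits))

    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, "->", analyze(sample) or ["no findings"])
```

The link comparison is the part most people skip when reading an email by eye: the anchor text can display one address while the href carries another, and only the latter matters. A real deployment would replace the two-label domain heuristic with a public-suffix list and feed the allowlist from the organization's own records rather than a constant.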
Also published on Medium.