The Psychology of Falling for a Phishing Email

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

Phishing is a cybercrime that has been around for many years, where targets are sent malicious emails claiming to be from a legitimate individual or organization to trick them into disclosing their sensitive information. Phishing emails remain a major threat today, however despite increased awareness of the cybercrime, cybercriminals continue to fool their targets into their traps, thus successfully carrying out these attacks. How do these attackers continuously find success in tricking their victims? The answer may lie in human psychology.

Marika Samarati, writer of The psychology behind phishing attacks believes that phishing is, “the act of psychologically manipulating people into performing actions or divulging confidential information for malicious purposes.”

How Do Cybercriminals Successfully Phish Their Targets?
Samarati believes that for a phishing attack to be successful, the cybercriminal needs to rely on the target being manipulated more than the technical skills of the criminal. In his argument, for the target to take the bait and ultimately fall for a phishing scam, a cybercriminal must understand human nature to determine how they will behave and react to the email. By understanding what content will gain the desired reaction from the target, the criminal can choose the best course of action in how they will approach them.

Samarati provides his insight as to how cybercriminals maximize the success of a phishing email:

  • They send it when people are more vulnerable and stressed – late in the afternoon, on Fridays or at the end of the month, for instance.
  • They spoof C-suite managers’ email addresses to make sure low-level staff do as requested without arousing suspicion.
  • They take advantage of real-life events, like tax return deadlines, etc.
  • They use fear tactics and urge the recipient to act promptly.

Who’s a Target?
When it comes to who is a target for a phishing email, the possibilities are endless. Phishing comes in several forms and targets everyone, from low-level employees to CEOs and other top executives.

In a spear-phishing attempt, the cybercriminal has a target in mind, whether that be an individual or an organization. Spear-phishing emails pose a tremendous threat because unlike random phishing attempts, these malicious emails generally look more legitimate and are crafted with your personal information or interests in mind.

BEC Scams
Business Email Compromise (BEC) scams, target CEOs, top executives, or managers from organizations to spoof their email accounts and ultimately attempt to make a victim out of lower-level employees. In a BEC scam, the cybercriminal typically does their research to find out who the CEO is and which employees they are going to target by sending them malicious emails appearing to come from their boss or company executives.

The Rise in Phishing
According to the Symantec 2018 Internet Security Threat Report, 71% of all targeted attacks last year started with spear-phishing, making it the most widely used infection vector. Not only are phishing attacks increasing, but they are also evolving. Using Samarati’s approach as an explanation, the increase, and evolvement of phishing emails may be a result of cybercriminals developing a firmer understanding of human psychology and how they can best be manipulated.

Are Your Employees Putting Your Organization at Risk?
Educating your staff about phishing is crucial in protecting your organization. Employees should know what to look out for to spot a phishing email and how to avoid falling victim to one. In addition to training, running a simulated phishing attack to test your employees’ knowledge on how to spot a phishing email will help keep them on their toes and show you which employees need additional training.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.