Phishing attacks are on the rise, posing a growing threat to individuals and organizations alike. The malicious attempts to acquire sensitive information such as usernames, passwords, credit card numbers, and other personal data have become increasingly sophisticated over the years. As cybercriminals become more adept at impersonating legitimate companies or people in order to gain access to confidential information, it is becoming increasingly important for individuals and organizations to understand the psychological implications of these attacks. By understanding how attackers employ psychology in phishing attempts, we can better protect ourselves from this growing threat.
This article will explore the use of psychology in phishing attacks, including elements such as social engineering, trust building, and emotional manipulation.
What is a phishing attack?
A phishing attack is a common type of social engineering attack where attackers disguise themselves as credible sources in order to acquire sensitive data such as login details and credit card information from unwitting victims. This is achieved by sending links via email or instant messaging which when opened directs the victim to enter their credentials on what appears to be an authentic website page; however, the entered information goes directly into the hands of the attacker instead.
See more about the types of phishing attacks
Rise in phishing scams
A recent report from IBM states that in 2022, the most common cyberattack methods were compromised credentials (19%) and phishing attempts (16%). This highlights the need for individuals to remain vigilant with their online security.
On average, phishing inflicted the most significant damage at US$ 4.91 million, followed by business email compromise at US$ 4.89 million. All these facts indicate that enterprises must alert employees about phishing attacks.
How do hackers get us to click phishing emails?
Even though many professionals and educated users think they are savvy in cyber hygiene, their overconfidence or apathy frequently results in them falling prey to phishing traps. Even after taking rigorous corporate training courses on cyber safety, they often become victims of phishing attacks.
One of the primary techniques attackers use to manipulate victims is called ‘amygdala hijack’. It is based on exploiting the victim's emotional state, and typically involves using fear, urgency or curiosity as triggers to prompt someone into action. The attacker will use language that creates a sense of panic or anxiety in the victim in order to get them to click before their brain has a chance to think about their actions logically. This works because emotional information travels directly to the amygdala without passing through the areas that are responsible for logic and reason. This type of response is usually immediate and overwhelming.
This may not seem relevant to cyber hygiene but when you receive an urgent email from who you think is a trusted source, you may not take the time to carefully review everything about the email before taking action and clicking a button or link.
Psychological factors responsible for a successful phishing attack
There tends to be 5 primary psychological factors that tends to get us to click links without processing all of the information : fear, stress, over confidence, authority and greed.
Fear: People may act impulsively out of fear if they believe that something bad will happen if they do not take the suggested action.
Stress: You may be experiencing a stressful day at the office and that can lead to wanting to clear your inbox as fast as possible - the result? You may not have read each email carefully and clicked on something in order to cross it off your 'to do' list.
Over confidence: Regardless if you've done the training and know what to look out for. Humans tend to be overly confident in their ability to avoid scams but if someone is targeting your amygdala - you may still be susceptible.
Authority: Generally people tend to comply without too much questioning if the request comes from a trusted figure or one of authority. Attackers will use this tactic by pretending to be a trusted company or a manager to get you to do something. If your boss emails you asking you to buy gift cards because they are busy and it seems out of the ordinary - it probably is. It's best to check with your boss directly to confirm that they did indeed make the request.
Greed: Greed is a strong word but at the end of the day, people are suckers for a deal. If you see a deal that seems to be too good to be true, it probably is.
What can you do to prevent phishing attacks?
Before clicking on any links, take a moment to look carefully at the email. Does the from email address, content, signature, etc look legitimate?
Enable multi-factor authentication whenever possible
Use adaptive or risk-based authentication techniques for corporate email addresses
Implement remote browser isolation techniques to prevent the execution of malicious codes, phishing pages, or any browser-based attacks.
Enable "safe browsing" and "enhanced protection" in browsers so that the browser can repel malicious web pages.
Phishing attacks prey on our emotional state so we need to pay attention and treat every email like a potential phishing email. Be aware of the psychological factors that make us more susceptible to these types of attacks. Take a few moments to look at the email carefully, double check with trusted sources if the request seems odd and always use multi-factor authentication when possible. By doing this you can help protect yourself from falling prey to phishing attacks.
Are you looking to run a phishing exercise with your employees? Talk to the Packetlabs team today to run a simulation!