By Laura Bishop, Director of Human Risk Science at OutThink
Phishing emails have been used by cybercriminals to steal the data and identities of their victims since the 1990s, so why are we still interacting with them, and what can be done to reduce the number of breaches they cause?
We live in a world where many decisions need to be made simultaneously at any given time, yet we fully process only a small number of them. So, what do we do?
We use previously acquired rules of thumb to process around 95% of these decisions, saving brainpower for the ones we deem more important. This quick, less rational way of thinking can have its benefits, but it is also prone to error.
Social engineers are aware of this tendency and generate emails containing information that persuades us to rely on those rules of thumb. They know that if we process their email more consciously, we may uncover clues that tell us the communication is malicious.
In 1984, when the psychologist Cialdini published a book detailing six original methods of persuasion used by salespeople and marketeers (my recent research also notes a 7th: curiosity), phishing didn’t exist. Fast forward a decade and these social engineering tactics are still at the root of why phishing emails have the success rate they do today.
What are the methods of persuasion cybercriminals are using and what can we do to try and reduce their effect?
- Authority — is one of the most utilised and successful methods of persuasion found in phishing emails. Phishing emails containing authority prey on the fact that humans trust the opinions of experts and use this as a shortcut to decision-making. These emails purport to come from senders in powerful positions, such as company CEOs, or display awarded accolades and accreditations.
- Scarcity — is another powerful persuasion technique, regularly used to build urgency by stating that there are only 24 hours to update system details or the account will be suspended. Humans want the things they cannot have, so social engineers limit the amount of time available within their emails to motivate recipients into quick action.
- Commitment and consistency — cybercriminals also often use commitment and consistency by naming recipients as customers or readers, leaving them with the need to remain consistent with their previous decisions even if the claims are not true.
- Liking and similarity — is an approach that sits in the middle of both usage and success rate, using rapport and compliments to get recipients to carry out the suggested threat action. This can be seen in phishing emails from potential LinkedIn connections who compliment your work and suggest they have similar areas of interest.
- Reciprocity — is also ‘middle of the road’ in relation to usage and success rate, with offers of ‘free gifts’ or ‘discounts’ in return for interacting with links or attachments. Humans feel the need to repay a debt, so if a gift is offered the recipient will feel impelled to carry out the threatening action. Whilst reciprocity may work well in a home-based context, the offer of free gifts may appear out of place in the workplace.
- Social proof — less used nowadays, and also appearing less successful. It is, however, potentially making a reappearance using a more subtle technique. Social proof relies on us as humans following the lead of others with whom we are associated. Previously, emails containing social proof would state that 80% of people found a product to be useful. Now phishing emails ask recipients to forward an email to peers who may be interested, with the recipient, in turn, becoming social proof to those they email.
- Curiosity — cybercriminals use this additional method to move you outside of an email to learn more. Whilst the curiosity technique is regularly used by cybercriminals, its current success rate is low. This is potentially because it relies on a simple method that is easy to deploy, e.g. just sending a link, in the hope that at least some percentage of recipients will take the bait.
Each of Cialdini’s original six weapons of influence plus curiosity is laced throughout phishing emails in a bid to make recipients act quickly and not uncover the email’s malicious intent. They are also often combined to achieve the maximum effect, such as authority and scarcity appearing in an email that features the CEO of a company requiring urgent help.
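The techniques above lend themselves to a defensive triage heuristic: flag messages that stack several persuasion cues, and weight the authority-plus-scarcity combination the article singles out. The following is an added example written for this page, not code from the article, from OutThink or from FUEL. The cue phrases, the scoring weights, the triage thresholds and the three sample messages are all constructed assumptions for illustration; a real deployment would tune the phrase lists from reported phishing samples and combine this text-level signal with header, sender and URL analysis.

```python
"""Heuristic scorer for persuasion cues in e-mail text (constructed example)."""
import re

# Cue phrases for each persuasion technique. These lists are assumptions
# constructed for this example; a real deployment would tune them from
# reported phishing samples and combine them with header/URL analysis.
CUE_PATTERNS = {
    "authority": [
        r"\b(ceo|chief executive|managing director|head office)\b",
        r"\b(accredited|certified|award[- ]winning)\b",
    ],
    "scarcity": [
        r"\bwithin \d+ hours?\b",
        r"\b(urgent(ly)?|immediately|today only)\b",
        r"\b(suspended|expire[sd]?|final notice)\b",
    ],
    "commitment": [r"\bas a (valued )?(customer|reader|subscriber|member)\b"],
    "liking": [r"\b(great work|impressed by|similar interests?|love your)\b"],
    "reciprocity": [r"\b(free gift|discount|voucher|reward)\b"],
    "social_proof": [
        r"\b\d+% of (people|users|colleagues)\b",
        r"\bforward (this|it) to\b",
    ],
    "curiosity": [r"\b(find out|see what|you won'?t believe|learn more)\b"],
}

COMPILED = {
    name: [re.compile(p, re.IGNORECASE) for p in pats]
    for name, pats in CUE_PATTERNS.items()
}


def find_cues(text):
    """Return {technique: [matched phrases]} for every technique present in text."""
    found = {}
    for name, patterns in COMPILED.items():
        hits = [m.group(0) for p in patterns for m in p.finditer(text)]
        if hits:
            found[name] = hits
    return found


def score_email(text):
    """One point per technique present, plus one extra point when authority
    and scarcity appear together (the 'CEO needs urgent help' pattern)."""
    cues = find_cues(text)
    score = len(cues)
    if "authority" in cues and "scarcity" in cues:
        score += 1
    return score, cues


def triage(text):
    """Map a score to a label for a reviewer queue (thresholds are assumptions)."""
    score, _ = score_email(text)
    if score >= 3:
        return "high"
    if score >= 1:
        return "medium"
    return "low"


# Constructed sample messages (not real phishing samples).
SAMPLES = {
    "ceo_urgent": (
        "Hi, this is the CEO. I need you to process this payment immediately; "
        "the supplier account will be suspended within 24 hours."
    ),
    "linkedin_style": (
        "I was really impressed by your recent talk and think we have similar "
        "interests. Click the link to see what I have been working on."
    ),
    "benign": "Reminder: the team meeting has moved to room 3B on Thursday.",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        score, cues = score_email(body)
        print(f"{label}: score={score} triage={triage(body)} cues={sorted(cues)}")
```

The scorer is deliberately a counting heuristic rather than a classifier: its value for an awareness programme is that the matched phrases can be shown back to the employee as the concrete clues they should learn to look for, which is the habit-forming step the next paragraphs argue for.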
Despite humans processing decisions consciously only 5% of the time, most cyber-security awareness, education and training programmes assume employees to be in rational mode when making cybersecurity decisions.
Awareness programmes need to start considering the other 95% by helping employees build alternative decision-making strategies that, over time, they can form into habits. These tools help staff learn to habitually check for clues when a cybercriminal throws a grenade of persuasion techniques at them, even before the authority cue has registered.
This year, FUEL partnered with OutThink, a UK cybersecurity company, to include its award-winning human risk management platform as one of the software solutions we offer clients.
OutThink received the highest possible score from ratings body Gartner Peer Insights, as well as a Seal of Excellence award from the European Innovation Council.
Please feel free to get in touch with us to find out how OutThink can work for you.