Phishing emails have been used by cybercriminals to steal the data and identities of their victims for decades, so why do people still get fooled, and what can be done to reduce the number of breaches?
What are the methods of persuasion cybercriminals use when phishing?
Authority
This is one of the most used and most successful methods of persuasion found in phishing emails. Phishing emails that invoke authority prey on the fact that humans trust the opinions of experts and use that trust as a shortcut in decision-making. These emails purport to come from senders in powerful positions, such as company CEOs, or display awarded accolades and accreditations.
Scarcity
Another powerful persuasion technique, regularly used to build urgency, for example by stating there are ‘only 24 hours to update system details or the account will be suspended’. Humans want the things they cannot have, so social engineers limit the time available within their emails to motivate recipients into quick action.
Commitment and Consistency
Cybercriminals also use commitment and consistency by addressing recipients as customers or readers, leaving them with the need to remain consistent with their previous decisions even if the claims are not true.
Liking and Similarity
This approach sits in the middle for both usage and success rate, using rapport and compliments to get recipients to carry out the action the attacker suggests. It can be seen in phishing emails from potential LinkedIn connections who compliment your work and suggest they share your areas of interest.
Reciprocity
Includes offers of ‘free gifts’ or ‘discounts’ in return for asking recipients to interact with links or attachments. Humans feel the need to repay a debt, so if a gift is offered the recipient feels impelled to carry out the requested action. While reciprocity may work well in a home context, the offer of free gifts can appear out of place in the workplace.
Social Proof
Less used now, and less successful, though it is making a comeback in a more subtle form. Social proof relies on humans following the lead of others with whom they are associated. Previously, emails containing social proof would state that ‘80% of people found a product to be useful’. Now, phishing emails ask recipients to forward the email to peers who may be interested, with the recipient in turn becoming social proof to those they email.
Curiosity
Cybercriminals use this method to move targets out of the email to learn more. While the curiosity technique is used regularly, its current success rate is low. This is potentially because it relies on a simple method that is easy to deploy, e.g. just sending a link, in the hope that at least some percentage will take the bait.
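To turn the cue taxonomy above into something a mail-security or awareness team can run, here is an added example (not from the original article, and not OutThink's code) that scores a message by which of these persuasion techniques it stacks; the cue phrases, weights and thresholds are constructed assumptions for illustration, not a vetted corpus.

```python
import re

# Cue phrases for each persuasion technique described above. The phrases and
# weights are constructed assumptions for this example; the weights only follow
# the article's ordering (authority and scarcity most effective, social proof
# and curiosity least).
CUES = {
    "authority":    (3, [r"\bceo\b", r"\bmanaging director\b", r"\baccredited\b", r"\bcertified\b"]),
    "scarcity":     (3, [r"\b\d+\s*hours?\b", r"\bsuspended\b", r"\bexpires?\b", r"\bimmediately\b"]),
    "commitment":   (2, [r"\bvalued customer\b", r"\bas a (?:subscriber|reader|member)\b"]),
    "liking":       (2, [r"\bgreat work\b", r"\bimpressed by\b", r"\bsimilar interests?\b"]),
    "reciprocity":  (2, [r"\bfree gift\b", r"\bdiscount\b", r"\bvoucher\b"]),
    "social_proof": (1, [r"\b\d+\s*%\s*of (?:people|users|staff)\b", r"\bforward (?:this|it) to\b"]),
    "curiosity":    (1, [r"\bsee what\b", r"\byou won'?t believe\b", r"\bfind out\b"]),
}

def find_cues(subject: str, body: str) -> dict:
    """Return, per technique, the cue phrases that actually occur in the message."""
    text = f"{subject}\n{body}".lower()
    found = {}
    for technique, (_, patterns) in CUES.items():
        matches = [m.group(0) for p in patterns for m in re.finditer(p, text)]
        if matches:
            found[technique] = matches
    return found

def persuasion_score(subject: str, body: str) -> int:
    """Sum the weight of each technique present, so stacked techniques score higher."""
    return sum(CUES[t][0] for t in find_cues(subject, body))

def classify(subject: str, body: str) -> str:
    """Map the score to an action a mail gateway or awareness team could take."""
    score = persuasion_score(subject, body)
    if score >= 5:
        return "flag-for-review"   # several stacked cues: route to a human reviewer
    if score >= 2:
        return "banner"            # add a 'be careful with this message' banner
    return "clean"

# Constructed sample messages: an authority + scarcity + commitment lure, and a benign note.
CEO_URGENT = ("Action required from the CEO",
              "As our valued customer your account will be suspended in 24 hours. "
              "Log in immediately to keep access.")
NEWSLETTER = ("Monthly update", "Here is the agenda for Thursday's team meeting.")

if __name__ == "__main__":
    for subj, body in (CEO_URGENT, NEWSLETTER):
        print(subj, "->", classify(subj, body), find_cues(subj, body))
```

The matched phrases returned by find_cues are what an awareness programme can show back to the employee, so the habit being trained is spotting the cue rather than trusting the sender.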
Despite humans processing decisions consciously only five percent of the time, most cybersecurity awareness, education and training programmes assume employees are in rational mode when making cybersecurity decisions.
Awareness programmes need to start considering the other 95 percent by helping employees build alternative decision-making strategies that, over time, they can form into habits. These tools help staff learn to habitually check for clues when a cybercriminal throws a grenade of persuasion techniques at them, even before authority has registered.
FUEL has partnered with leading cybersecurity company OutThink to include its award-winning human risk management platform as one of the software solutions it offers clients.
OutThink received the highest possible score from ratings body Gartner Peer Insights, as well as a Seal of Excellence award from the European Innovation Council.
To find out how the OutThink Cybersecurity Human Risk Management platform can raise awareness, drive more secure behaviours, and increase motivation across your organisation please get in touch with us at email@example.com.