The psychology of phishing attacks

We’re excited to bring back Transform 2022 in person on July 19 and virtually from July 20-28. Join leaders in AI and data for in-depth discussions and exciting networking opportunities. Register today!


In cybersecurity, the human condition is the most frequent and easiest target. For threat actors, exploiting their human targets is usually the easiest fruition instead of developing and deploying an exploit. Therefore, adversaries often target an organization’s employees first, usually through phishing attacks.

Phishing is a social engineering attack in which threat actors send fraudulent communications, usually emails, that appear to come from a trusted source and give the reader a sense of timeliness. The FBI’s 2021 Internet Crime Report analyzed data from 847,376 reported cybercrimes and found a sharp increase in the number of phishing attacks, from 25,344 incidents in 2017 to 323,972 in 2021.

The growing sophistication of phishing

Early email phishing attacks typically involved a poorly worded fraudulent message to trick users into sending money to fraudulent bank accounts; they have since evolved into sophisticated and well-designed social engineering attacks. In today’s digital world, everyone knows that phishing is bad, but trust is still the main driver of these attacks. Threat actors seek out their targets; they examine public employee profiles and assignments, vendor relationships, and whether an organization’s human resources department uses a specific type of portal to transmit information. The basis for all of these potential phishing attacks is the implicit trust employees have in the pre-existing relationship.

The common nature of these attacks does not reduce their dangerousness. Verizon reported that phishing was the initial attack vector in 80% of reported security incidents in 2020 and was one of the most common vectors for ransomware, a malicious malware attack that encrypts data. Phishing was also the entry point for 22% of data breaches in 2020.

In addition to the implicit trust of coming from a known sender, a successful phishing email exploits the emotions of the reader, creating a sense of urgency by applying just enough pressure to deceive an otherwise diligent user. There are various ways to exert pressure to influence otherwise reasonable employees. Spoofed emails that appear to come from someone in a position of authority use the leverage that bosses and departments such as HR have against the reader. Social situations such as reciprocity, maybe helping a co-worker, and consistency, paying your supplier or contractor on time to maintain a good relationship, can also lead the reader to click on a link in a phishing email.

According to Tessian Research report Psychology of Human Error 2022, a follow-up to their 2020 report with Stanford University, 52% of people clicked on a phishing email because it looked like it was from a senior company executive, compared to 41% in 2020. Additionally, employees were more prone to error when fatigued, something threat actors regularly exploit. Tessian reported in 2021 that most phishing attacks are sent between 2 p.m. and 6 p.m., the crisis after lunch when employees are most likely to be tired or distracted.

Employees may be hesitant to report the phishing incident after realizing they acted out of trust and were duped. They are likely to feel bad and may even fear retaliation from their organization. However, reporting the incident is the best case scenario. Having employees fall victim to phishing attempts and sweeping them under the rug is how a cyber event can turn into a full-scale cyber incident. Instead, organizations should create a culture where cybersecurity is a shared responsibility and foster an open dialogue about phishing and other cyber threats.

Cybersecurity is hard, but learning it doesn’t have to be

Organizations that are successful in discussing cybersecurity make the topic accessible and accessible to all employees. To facilitate open dialogue, organizations should employ a defense-in-depth strategy; it is a combination of technical and non-technical controls that reduce, mitigate and respond to cybersecurity threats. Security awareness training is only one piece of the defense-in-depth puzzle. To truly build a robust security program, many different mitigating controls need to be introduced into a company’s environment.

Annual security awareness training does not adequately address the human element exploited by phishing attacks. An example of an engaging training program is that of security awareness organization, Curricula, which uses behavioral science techniques like storytelling to impact employee training. The goal of Curricula’s storytelling approach is to impact employees and enable them (or influence them, to borrow from threat actors) to remember and recall information for use in real world scenarios. Their approach has merit — a Reported customer resume that after launching a phishing simulation and training program, they saw a reduction in click-through rate from 32% to 3% among more than 600 employees in six months.

When properly armed with tools, knowledge, and resources, previously distracted and disengaged employees can be your best line of defense – a human firewall against phishing, ransomware, and malware.

To be successful, management must be involved in the process — and the training

Part of understanding the human condition is understanding that you will need the budget and tools to secure the technical resources that prevent, mitigate, and transfer digital risk to optimize your security culture. Organizations can feel a false sense of security when passing a security audit or certification. Yet, as recent years have shown, digital risks are constantly evolving and threat actors will not hesitate to take advantage of national or global tragedies to turn cybercrime into profit. Threat actors routinely target organizations for their poor technology choices and disregard factors such as industry, size, or the type of data they are protecting.

Additionally, C-level executives are not immune to successful phishing attacks. Spear phishing or whaling attacks target specific organizational executives. In 2017, it was announced that two technology companies, widely assumed to be Google and Facebook, was the victim of a $100 million spear-phishing attack. US attorney Joon Kim called the event a wake-up call that anyone could be a victim of phishing.

The digital economy continues to transform at a rapid pace. IDC reportedthat by 2023, 75% of organizations will have comprehensive roadmaps for implementing digital transformation, up from 27% today.

For organizations to truly thrive and withstand the next phase of digital risks that will accompany these transformations, they must first create a strong culture of security and equip employees with the tools to recognize, respond to, and report phishing attacks and others. Additionally, layering the right tools such as multi-factor authentication, endpoint detection and response, and even a strong cyber insurance partner can create a layered defense-in-depth strategy. This layered defense approach will help organizations prevent a cyber event such as phishing from escalating into a business-disrupting cyber incident such as a data breach or ransomware attack.

Tommy Johnson is a cybersecurity engineer at Coalition.

DataDecisionMakers

Welcome to the VentureBeat community!

DataDecisionMakers is where experts, including data technicians, can share data insights and innovations.

If you want to learn more about cutting-edge insights and up-to-date information, best practices, and the future of data and data technology, join us at DataDecisionMakers.

You might even consider writing your own article!

Learn more about DataDecisionMakers

Comments are closed.