The psychology of phishing
by Mark Sparshott - EMEA Director at Proofpoint - Wednesday, 23 July 2014.
Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today. Cybercriminals no longer send out thousands of emails at random hoping to get a handful of hits; today they create highly targeted phishing emails which are tailored to suit their recipients.

While these emails take more time and effort on the attackers' side, there is no doubting the fact that they provide a much bigger return on investment.

Cybercriminals understand that we are a generation of clickers and they use this to their advantage. They will take the time to create sophisticated phishing emails because they understand that today's users can tell spam annoyances apart from useful email, but still find it difficult to identify phishing emails, particularly when each one is tailored to suit its recipient individually.

As a result, over the last three years there has been a dramatic increase in the volume of targeted spear-phishing and long-lining fake emails. These are sophisticated enough to fool security software and humans alike into thinking the message is genuine and the links are harmless, when in fact they lead to malicious websites, or to pages on legitimate websites which criminals have manipulated to serve up malware.
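One concrete reason such links look harmless is that the visible anchor text and the real destination are two different things: the text can read "linkedin.com" while the href points at a look-alike host or a bare IP address. The check below is an added example (not code from the article or from Proofpoint) that walks an HTML email body and flags anchors whose displayed host does not match the registered domain of the href, or whose href uses a raw IP address. The sample email body and the hostnames in it are constructed for illustration, and the two-label "registered domain" helper is a deliberate simplification; production code would use the Public Suffix List.

```python
"""Flag email links whose visible text names one host while the href points elsewhere.

Added example, not from the original article. SAMPLE_EMAIL_HTML is constructed
sample input imitating a fake "LinkedIn invitation" lure.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: one look-alike host, one legitimate link, one raw-IP link.
SAMPLE_EMAIL_HTML = """
<p>You have a new invitation.</p>
<a href="http://linkedin.com.invite-check.example/login">https://www.linkedin.com/invitations</a>
<a href="https://www.linkedin.com/help">Help Center</a>
<a href="http://198.51.100.7/track?u=42">View profile</a>
"""

# Anchor text that itself looks like a URL or bare hostname (e.g. "www.linkedin.com/...").
HOSTLIKE_TEXT = re.compile(r"^(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def registered_domain(host):
    """Crude two-label suffix (assumption/simplification): 'www.linkedin.com' -> 'linkedin.com'.
    Real code should consult the Public Suffix List so 'example.co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_host(host):
    """True for a dotted-quad IPv4 literal; phishing kits often link straight to an IP."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return a list of (href, text, reason) for links a reader would likely misjudge."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        if is_ip_host(href_host):
            findings.append((href, text, "raw IP address in href"))
            continue
        m = HOSTLIKE_TEXT.match(text)
        if not m:
            continue  # plain words like "Help Center" make no claim about the destination
        text_host = m.group(1)
        if registered_domain(text_host) != registered_domain(href_host):
            findings.append(
                (href, text, f"text names {text_host} but href goes to {href_host}")
            )
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}\n    text: {text!r}\n    href: {href}")
```

The mismatch rule only fires when the anchor text itself looks like a hostname or URL, since generic text such as "View profile" makes no claim the reader could compare against; the raw-IP rule catches that case instead. A mail gateway applying these two rules would flag the first and third links in the sample and pass the genuine LinkedIn help link.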

The most shocking aspect is that fake emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link. To put that into context, a legitimate marketing department at a FTSE 100 company typically expects a click rate of less than 2% on its advertising campaigns.

So, how are the cybercriminals out-marketing the marketing experts?

The increasing pace of life, coupled with mobile computing, means that we are bombarded with messages from more sources and across more devices than ever before, both in the office and at home. As a result our attention spans are getting shorter and we have become a generation of trigger-happy clickers. It is almost an automatic reaction: you open a new message, you decide within a few seconds whether it seems relevant and meaningful, and if it does, you click the link, read the web page that pops up, close it and move on to the next message.

In psychological terms, humans are conditioned to click on links. Cybercriminals leverage this by designing email themes most likely to trigger your automatic click response. Proofpoint's Human Factor research recently showed that the most successful themes for email lures are social networking (preying on the human desire for social interaction and belonging), financial account warnings and order confirmations (preying on the desire for financial stability) and breaking news stories (preying on human curiosity and compassion). However, fake LinkedIn invitations are by far the most dangerous, achieving a click rate four times that of any other type of email lure.

This is big business. Long-lining attacks use the database marketing techniques of legitimate campaigns to deliver targeted emails to thousands of staff across hundreds of companies within one or two hours. Each email carries a message that is personally relevant to most recipients, resulting in 1 in 10 people clicking on a link that goes to a malicious website. The site looks harmless, but it can take total control of their PC in less than five seconds, without them or their company's security software noticing anything is wrong.
