Full disclosure: we are a technology service company, not licensed psychologists. But because the intersection of technology and psychology is actually one of the bigger threats to your business network, we decided to tackle the question of WHY people fall for phishing scams.
You can preach “Think before you click” all day long, but unfortunately the human element tends to be one of the hardest things to secure.
The logical - albeit challenging - question then is…why?
Why are smart and generally savvy computer users still falling for age-old social engineering tricks and clicking on bad links or attachments in these emails? Why do people fall for phishing scams?
Our research shows that it comes down to 4 primary reasons.
1. They don’t know any better.
While it’s hard for US to believe this since we live and breathe this stuff, we can admit that the average computer user – who is already really busy doing his or her job -- doesn’t necessarily feel compelled to understand or learn more about scams, viruses and security alerts. (In fact, they are so often in the news these days that it’s possible people are experiencing a bit of fatigue around the whole topic and paying even less attention to it.)
So that leaves you with a business full of busy end-users who either put their faith entirely in your network and assume that nothing bad will be able to get through the anti-virus or anti-spam filters, or wholly unaware end-users who just have no idea what phishing is or what the risks are.
Neither of these is ideal. Both are threats to your information security.
Assuming that you have absolute guaranteed protection from threats is a dangerous mindset, because it leaves you blind to even the obvious or well-known phishing scams. No network is immune, even with the best network security tools in place.
All end-users need to understand that they have an important role in protecting the network, and that it begins with awareness and requires ongoing vigilance. Cybersecurity has become everybody’s responsibility, which makes it every email user’s responsibility to know the red flags of a phishing attack, and to approach every email with caution.
The good news here is that there is something you can do about it.
You can educate and train your end-users about the threats (and the consequences of them) on an ongoing basis. You can share security alerts, best practices and other resources that let them know what to look for and what to avoid.
You can adopt standards around internal emails and let your users know that any email that appears to come from someone internally but differs from those standards should be treated with extreme caution. Or that any request to transfer funds must be confirmed directly with the supposed sender, by phone or in person, before it can be processed.
The most important thing you can do is to consistently reinforce the importance of being cautious and alert and why it matters so much. Teach your team to think before they click. After all, it’s better to spend a few extra minutes to confirm that an email is legit than to be down for days (or longer) because of a malware attack.
2. They know better, but can’t resist the impulse to click.
When you really think about it, success in phishing comes down to one moment – that moment when the recipient makes the decision to click (or not).
But behind that split second decision, hackers might spend weeks (or longer) researching victims, and crafting the message that they believe will find their trigger. Because experience has taught them that everybody has a trigger.
Core to this success is the fact that people want to believe that their communication is safe and that nothing bad will ever happen to them. Admitting otherwise is to admit a vulnerability that most people aren’t comfortable with.
Essentially, our foray into basic psychology revealed that it's more comfortable to pretend this isn’t a real threat than it is to learn more about the risks and how to avoid them.
At least, that's one part of the psychology.
There’s also that very real Fear of Missing Out (FOMO).
We’ve all been there.
You get an email that appears to be from an old friend, and they’re sharing something with you. It MUST be something really good or important. It would be so rude not to open it, right? So you click.
Or you hear from Netflix that your account needs to be validated. It’s Friday afternoon. You had a whole evening of binge-watching planned and having your account suspended is going to ruin your evening. And so – just in case – you click.
You get what looks like an internal email with a spreadsheet titled “Staff Salaries”. I mean, who doesn’t want to take a peek at that? You are so intrigued you don’t really notice that the name of the sender is an account that you never knew existed in your office. You really want to see this file, so you click.
RESULT: OOPS. (Talk about curiosity getting the better of you!)
There are just so many ways to fool us human beings. Other common phishing lures include:
- A court notice to appear
- An IRS refund
- Account notices from your bank or credit card
- Celebrity death news
- Delivery confirmation emails
- Service cancellation notifications
- Notice of payment or blocked payment
- Notices meant to intimidate because they appear to come from someone with authority (IRS, FBI, bank)
As long as there is email, there are going to be phishing scams because there is that part of our brain that wants to be rewarded with whatever is being dangled on the other side of that one little click.
Whether it’s due to curiosity, fear, FOMO, or excitement, these emails just work.
But they don’t have to.
Because there is an important distinction between “knowing better” and really understanding the machinations of a phishing attack.
These attacks are all about manipulation using social engineering tactics. The intent is to create a sense of urgency around the need to take action (click), such that the user can’t resist.
As we’ve stated, it works.
But there is a case to be made that if people understand the logic behind these tactics, that they are less likely to fall for them.
In short, when you understand that you are being manipulated, it’s easier to see through it, and talk yourself down from making an emotional decision that has huge - though unintended - consequences.
It takes a consistent effort, but when armed with the right information end-users CAN be conditioned not to give in to that impulse and click. It may be a struggle, and you may still have those employees who know better but continue to wrestle with that “I really need to know what’s in that message” voice in their head. (That’s just because they’re human....they can get past it!)
The goal is to get to the point where they recognize the tactic being used on them and see the message for what it is.
But in order to get there, end-user training has to be treated as a priority and it has to be done on a regular basis. It’s not a one-time proposition…at least not if you want it to stick.
3. The emails are so targeted and realistic that they are nearly impossible to detect as fakes
The hackers have figured out that it’s easier to go after end-users than it is to exploit technical vulnerabilities in an operating system or software application.
And they’ve graduated beyond the Nigerian Prince scam emails.
One estimate we read suggested that over 95% of these hacking attempts are targeting humans instead of trying to exploit code vulnerabilities.
Which means they’ve gotten pretty good at crafting them.
While there are still good ones and bad ones (the bad ones being the ones that are immediately recognizable as phishing or that get caught up in spam filters), the good ones can be pretty darn good. Some are very hard to spot as phishing at first glance.
They look professional, they’re creative in the subject line and the message, they follow current events or trending news topics and they include those triggers that they know are irresistible to us humans.
So in those instances where there are no obvious red flags or visual give-aways that an email is a fake, staying protected against it becomes a matter of training and instinct.
And yes, there’s that word again.
While not every phishing email is going to have a misspelling or obvious marker to call it out as such, the action that you’re being directed to take – if you approach it with suspicion – should be enough to give you pause.
Or maybe it’s just a subtle difference in the communication style being used by the supposed sender that makes you think. For example, maybe this co-worker always addresses you in a friendly manner before proceeding with the message, but in this message, there is no greeting at all.
That is a red flag, even if it’s small, and not an obvious mistake like a typo.
Again, the difference here is whether the recipient is aware of phishing and the common tactics used. And if they have been trained to approach links and attachments with caution, even if they appear to be from a known contact.
If they are, then the standard procedure on receipt of any email asking them to validate an account is to navigate directly to the known URL for that account (typed in or bookmarked) or to contact the company by phone. Never follow a link in an email you weren’t expecting, particularly one that asks you to enter sensitive personal data.
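The red flags discussed in this section (a display name that does not match the sending domain, a lookalike domain, a Reply-To that quietly redirects the conversation, pressure language, and a link whose visible text points somewhere other than its real destination) can be checked mechanically before anyone clicks. The following Python script is an added example, not part of the original post or any vendor tool; the trusted domains in KNOWN_DOMAINS and the two sample messages are constructed for the demonstration.

```python
"""Rule-based phishing red-flag checker over raw RFC 5322 messages (added example)."""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Hypothetical trusted domains: the organization's own mail domain plus a
# service it legitimately receives mail from. Assumed for this example.
KNOWN_DOMAINS = {"example-corp.com", "netflix.com"}

URGENCY = re.compile(
    r"\b(immediately|within 24 hours|suspended|verify your account|"
    r"validate your account|wire transfer|urgent|act now)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAGS = re.compile(r"<[^>]+>")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch lookalike domains (netf1ix vs netflix)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str):
    """Return the trusted domain this one imitates (distance <= 2), or None."""
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if edit_distance(domain, known) <= 2:
            return known
    return None


def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, lower-cased."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def red_flags(raw_message: str) -> list:
    """Return human-readable red flags found in one message (empty list = none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    sender = msg["From"].addresses[0]
    sender_domain = sender.domain.lower()
    display = sender.display_name.lower()

    # 1. Display name claims a trusted brand but the address domain is not theirs.
    for known in KNOWN_DOMAINS:
        if known.split(".")[0] in display and sender_domain != known:
            flags.append(f"display name '{sender.display_name}' but address is @{sender_domain}")

    # 2. Sender domain is a character or two away from a domain we trust.
    target = lookalike(sender_domain)
    if target:
        flags.append(f"sender domain {sender_domain} looks like {target}")

    # 3. Replies are silently redirected to a different domain.
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != sender_domain:
            flags.append(f"Reply-To goes to @{reply_domain}, not @{sender_domain}")

    # 4. Pressure language in the subject or body (each cue reported once).
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = TAGS.sub(" ", body)
    cues = {m.group(0).lower() for m in URGENCY.finditer(f"{msg['Subject']} {text}")}
    for cue in sorted(cues):
        flags.append(f"urgency cue: '{cue}'")

    # 5. Links whose visible text names one host while the href goes to another.
    for href, label in ANCHOR.findall(body):
        shown = TAGS.sub("", label).strip()
        real = host_of(href)
        if "." in shown and " " not in shown and host_of(shown) != real:
            flags.append(f"link text says {host_of(shown)} but goes to {real}")
        elif lookalike(real):
            flags.append(f"link host {real} looks like {lookalike(real)}")
    return flags


# Constructed sample messages for the demonstration (not real mail).
PHISH = """\
From: Netflix Support <billing@netf1ix.com>
Reply-To: recover@mail-verify.example
To: user@example-corp.com
Subject: Your account has been suspended
Content-Type: text/html

<p>Validate your account within 24 hours or it stays suspended.</p>
<p><a href="http://netflix.com.verify-login.example/">https://www.netflix.com/login</a></p>
"""

BENIGN = """\
From: Alice Chen <alice@example-corp.com>
To: bob@example-corp.com
Subject: Lunch on Thursday?
Content-Type: text/plain

Hi Bob, want to grab lunch Thursday? Menu: https://example-corp.com/cafe
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, red_flags(sample) or ["no red flags"])
```

Run as a script it prints seven flags for the constructed phishing message and none for the colleague's lunch invite. None of these rules is conclusive on its own (a legitimate mailing service can set a different Reply-To, and real billing notices do say "suspended"), which is why the output is a list for a human to weigh rather than a verdict; the point is to make the same checks the trained eye makes, every time, before the click.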
4. They think nothing will ever happen to them.
This mindset is similar to #1, but in this case, it’s a conscious decision to ignore the risks.
Because people who fall into this category just don’t think they are a big, interesting or valuable enough target. Or they feel invincible. Or they have gone their whole professional lives without getting hacked, so these warnings are clearly nonsense, thank you very much.
It won’t surprise you to hear that education and training are also the solution here. Sharing details of real-world phishing examples, and confirming that these things are a real threat, helps everyone face the fact that anyone with an email address is a target.
Combating the impulse to click isn’t easy, particularly when we know that sometimes even the most educated users will suspend all reason and fall for it.
As a business leader, you can make an effort to flip the “what if” script running in your employees’ heads from “what if I really did win a prize?” to “what if I click and we get locked out of our network and can’t work? What if I cause tens of thousands in lost revenue?”
Because no one thinks that a breach is going to happen to them. Until, of course, it does.
In closing, we want to note that software and hardware solutions for network security are still a critical part of the data protection puzzle for your business.
Firewalls, patch management, anti-virus and anti-spam, and backup management are equally necessary. But don’t exclude end-user training when considering your layered network security strategy, because humans are in fact your weakest link.
Corsica's managed IT service customers all benefit from our industry-leading network security tools and practices, including bare metal backups for all servers and desktops on the network, managed firewall security solutions, anti-spam and anti-virus that integrates with our monitoring software, and more. To learn more about Corsica's Network Security solutions, click here.
Want more great technology updates, news and other industry information delivered directly to your inbox? Subscribe to the blog and each week you'll get useful tech news you can use.