In part one, we looked at what phishing is, and the technical ways it is done. However, the technology behind phishing is only a small part. The greatest role is played by psychology and how it is used to manipulate and fool people into performing tasks without question. While anti-malware software and vulnerability scans may protect against some forms of cyberattack, they cannot guard against that one employee who inadvertently clicks on a link or an attachment. Curiosity can get the best of us and while there’s no full proof way to eliminate this, cybercriminals regularly gain access via these low cost entry points.
The psychological methods used by phishers – and advertisers – are known collectively as social engineering. It taps into certain basic human emotional reactions such as fear, desire, greed, curiosity, and sympathy, as well as building a false sense of trust that the sender is genuine – and even sometimes someone the recipient knows. The parts of the brain that create these immediate responses, the ‘lizard brain’ (considered to be the oldest and most primitive part of the brain, concerned with self-preservation) and the limbic brain (also called the ‘mammal brain’) are acting on instincts and hardwired beliefs. The next level up is the neo-cortex, which employs reasoning and rationale. If the social engineer can interrupt the thinking process before it gets to the thinking stage, they can capitalize on the instant reaction to get the response they want.
Fear of authority
Most people are hardwired to respect authority, whether it is their boss, a tax investigator, or a bank manager. Therefore, when, for example, a target receives an email purportedly from their employer or a government officer, they tend to act on it, fearing a negative response if they don’t. Alternatively, a member of staff may think that their swift response to a request from higher up may elicit praise or recognition. Phishers use this ruse, generally adding a sense of urgency so that the target feels rushed into acting. This lessens the chances of the recipient contacting the ‘sender’ to confirm that it was from them.
Greed is Not Good
Greed is one of the most powerful of human weaknesses. Pretending to give away free music, or movies, or even gift cards is often a tactic used by phishing criminals. Sometimes these ‘gifts’ are even dressed up as prizes won in some giveaway. Nevertheless, the anticipation of a reward – and also a bit of curiosity – can tip the target into clicking on the link provided and ending up on a malicious website. In 2019, cybercriminals attempted to fool users of Steam Video – a game distribution service – free game skins if they visited the link in the email. Once they visited the fake website, they were instructed to log in, thus giving away their usernames and credentials. In another case, a treasurer of a small Michigan county fell for the most basic type of scams – the ‘Nigerian Prince.’ In this email, a ‘Nigerian Prince’ or someone similar promises to give the victim a considerable reward if they help him to get a substantial fortune out of Nigeria and to a safe bank. The Michigan treasurer, hoping for a major payday, gave the scammer $1.2 million of public funds.
Taking Advantage of Peoples’ Better Nature
Human beings are social animals and will often display a willingness to help out others in distress. Fake charity emails are one example, especially when linked to a current and distressing local or international disaster. Think Covid-19 or natural disasters like earthquakes or tragedies such as Kobe Bryant or George Floyd’s death. Crowdfunding sites such as GoFundMe or JustGiving are also fertile ground for scammers who may use a social media page to gain public sympathy about a cause (which could be fake or piggy-backing onto a real one). Another well-publicized smishing fraud is the ‘stranded friend.’ Once a hacker has a list of your contacts, the trick is to email or text each one to say that you are stranded abroad without any access to cash, or have had an accident and don’t have the money to pay for medical treatment. Then follows a plea for help in the form of money. Citizens’ Advice in the UK estimates that around £3.5 billion is stolen each year through this form of phishing.
Fear is a huge motivator that speaks directly to the part of our brain concerned with our survival. We don’t like to feel threatened, and hackers know this. Phishing emails and using this type of ploy might pretend to be from your bank, telling you that your account has fraudulent activity on it. In order for them to act, you are informed that you need to change your password. You will be told to click on a link in the email which will take you to the bank’s website. Of course, it instead takes you to a spoofed website set up to be identical to the real one. Once there, you obey instructions and log in, changing your email. Only now, the cybercriminals have your login details to your real account. In other circumstances, attackers used the tax season to intimidate US residents into paying their taxes into a fraudulent account or else be prosecuted. Fear of prosecution and obedience to authority both played a role in this vishing (phone phishing) fraud and allegedly cost 12,000 victims around $63 million in 2018.
We have to perform so many actions and make so many decisions on a day-to-day basis that some them become automatic. Because we no longer think about what we are doing before the activity is carried out, this action can become a focus for phishing campaigns. For example, when we receive a ‘Failed to Deliver Email’ message, it may be an automatic action for us to click on ‘resend.’ However, if the email is malicious, that button could trigger malware to be delivered onto the system. Complacency also plays its part in not checking URLs and email addresses for mistakes, leading again to the potential of malware in the system or financial fraud.
Having learned how cybercriminals use phishing to make money, and the psychology behind it, in part three, we will look at prevention.
 Bradley Barth, ‘Phishing Scam Uses Fake Giveaways to Lure in Steam Gaming Service Users,’ SC Magazine, 12/04/2019, accessed at https://www.scmagazine.com/home/security-news/phishing/phishing-scam-uses-fake-giveaways-to-lure-in-steam-gaming-service-users/
 Josh Fruhlinger, ‘Social Engineering Explained: How Criminals Exploit Human Behaviour,’ CSO Online, 09/25/2019, accessed at https://www.csoonline.com/article/2124681/what-is-social-engineering.html
 Liz Phillips, ‘How I got Caught up in a “Stranded Traveller Phishing Scam,” The Guardian, 11/13/2011, accessed at https://www.theguardian.com/money/2013/nov/13/stranded-traveller-phishing-scam
 ‘What You Need to Know About Tax Scams, Trend Micro, 04/08/2019, accessed at https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/what-you-need-to-know-about-tax-scams
Saya University is on a global mission to ensure every employee in the world has access to the tools that will heighten cybersecurity knowledge. When a company is serious about protecting its organization against cyber-attacks, it will invest in cybersecurity learning for all its employees. With over 7 billion people on planet earth, we have a lot of work to do. Our multi-language e-Learning platform offers the world’s most cutting edge knowledge in cybersecurity, data privacy and compliance all in one place. Curating and producing relevant content, our learning platform will begin in Los Angeles and Tokyo, expanding into Asia Pacific (APAC), Latin America (LATAM) and Africa. Join the movement. Our 3rd Cybersecurity Awareness & Diversity Summit will take place in Japan in 2020. (The Tokyo Summit)