The psychology of phishing attacks

We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 – 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!


In cybersecurity, the human condition is the most frequent — and easiest — target. For threat actors, exploiting their human targets is usually the lowest hanging fruit instead of developing and deploying an exploit. As a result, adversaries often target the employees of an organization first, usually through phishing attacks.

Phishing is a social engineering attack where threat actors send fraudulent communications, usually emails, that appear to be from a trusted source and impart a sense of timeliness to the reader. The FBI’s 2021 Internet Crime Report analyzed data from 847,376 reported cybercrimes and found a sharp uptick in the number of phishing attacks, increasing from 25,344 incidents in 2017 to 323,972 in 2021. 

The growing sophistication of phishing

Early email phishing attacks usually involved some poorly worded scam message to trick users into sending money to fraudulent bank accounts; they have since evolved into sophisticated, well-crafted social engineering attacks. In today’s digital world, everyone knows that phishing is bad, but trust is still a primary vector for these attacks. Threat actors research their targets; they look into public employee profiles and postings, vendor relationships, and if an organization’s HR department uses a specific type of portal to convey information. The basis for all of these potential phishes is the implicit trust the employees have in the pre-existing relationship.

The commonality of these attacks does not reduce their danger. Verizon reported that phishing was the initial attack vector for 80% of reported security incidents in 2020 and was one of the most common vectors for ransomware, a malicious malware attack that encrypts data. Phishing was also the point of entry for 22% of data breaches in 2020.

In addition to the implicit trust of coming from a known sender, a successful phishing email preys off the reader’s emotions, creating a sense of urgency by applying just enough pressure to trick an otherwise diligent user. There are various ways to apply pressure to influence otherwise reasonable employees. Spoofed emails that appear to be from a person in a position of authority use the influence that bosses and departments such as HR have against the reader. Social situations such as reciprocity, helping a coworker perhaps, and consistency, paying your vendor or contractor on time to maintain a good relationship, may also influence the reader to click a link in a phishing email.

According to Tessian Research’s report Psychology of Human Error 2022, a follow-up to their 2020 report with Stanford University, 52% of people clicked on a phishing email because it looked as though it had come from a senior executive at the company — up from 41% in 2020. In addition, employees were more prone to error when fatigued, which threat actors regularly exploit. Tessian reported in 2021 that most phishing attacks are sent between 2 and 6 p.m., the post-lunch slump when employees are most likely to be tired or distracted.

Employees may be hesitant to report the phishing incident after realizing that they have acted out of trust and been fooled. They’re likely to feel bad and may even fear retribution from their organization. However, reporting the incident is the best-case scenario. Having employees fall victim to phishing attempts and sweeping it under the rug is how a cyber event can spiral into a large-scale cyber incident. Instead, organizations should create a culture where cybersecurity is a shared responsibility and foster open dialogue about phishing and other cyberthreats.

Cybersecurity is hard, but learning about it doesn’t have to be

Organizations that are successful in discussing cybersecurity make the topic relatable and approachable for all employees. To facilitate open dialogue, organizations should employ a defense-in-depth strategy; this is a combination of technical and non-technical controls that reduce, mitigate and respond to cybersecurity threats. Security awareness training is only one piece of the defense-in-depth puzzle. To truly build a robust security program, many different mitigating controls must be introduced to a company’s environment. 

Once-yearly security awareness training doesn’t adequately account for the human element exploited by phishing attacks. One example of an engaging training program is from the security awareness organization, Curricula, which uses behavioral science techniques like storytelling to make an impact on employee training. The goal of Curricula’s storytelling approach is to impact employees and enable (or influence, to borrow from threat actors) them to remember and recall the information to use in real-world scenarios. Their approach has merit — one Curricula customer reported that after launching a training and phishing simulation program, they saw a click-rate reduction from 32% to 3% among 600+ employees over six months.

When properly armed with tools, knowledge, and resources, the previously distracted and disengaged employees can be your greatest line of defense — a human firewall against phishing, ransomware and malware.

To succeed, management must be involved in the process — and training

Part of understanding the human condition is understanding that you will need the budget and tools to secure technical resources that prevent, mitigate and transfer digital risks to optimize your security culture. Organizations may feel a false sense of security upon passing a security audit or certification. Still, as the last few years have shown, digital risks are constantly evolving, and threat actors will not hesitate to capitalize on national or global tragedies to turn cybercrime into profit. Threat actors routinely target organizations because of their poor technology choices and disregard factors such as industry, size or the type of data they protect.

Additionally, C-level executives are not immune to successful phishing attacks. Spear phishing or whaling attacks target specific executives at an organization. In 2017 it was announced that two tech companies, widely speculated to be Google and Facebook, had fallen victim to a spear-phishing attack to the tune of $100 million. U.S. Attorney Joon Kim called the event a wake-up call that anyone could fall victim to phishing.

The digital economy continues to transform at a rapid pace. IDC has reportedthat by 2023, 75% of organizations will have comprehensive digital transformation implementation roadmaps, up from 27% today.

For organizations to truly thrive and weather the next phase of digital risks that will accompany these transformations, they should create a strong culture of security first and provide employees with the tools to recognize, react and report phishing and other attacks. Further, layering the appropriate tools such as multifactor authentication, endpoint detection and response, and even a solid cyber insurance partner can create a layered defense-in-depth strategy. This layered defense approach will help organizations prevent a cyber event like phishing from transforming into a business-interrupting cyber incident like a data breach or ransomware attack.

Tommy Johnson is a cybersecurity engineer at Coalition.

DataDecisionMakers

Welcome to the VentureBeat community!

DataDecisionMakers is where experts, including the technical people doing data work, can share data-related insights and innovation.

If you want to read about cutting-edge ideas and up-to-date information, best practices, and the future of data and data tech, join us at DataDecisionMakers.

You might even consider contributing an article of your own!

Read More From DataDecisionMakers

Leave a Comment