Phishing attacks are as much about manipulating human behaviour as they are about technology. This statement encapsulates why it is so difficult to prevent phishing campaigns that result in ransomware, stolen credentials, and other cyber-attacks.
Back in the 1970s, there was a drink driving campaign in the UK with the tagline “Think, before you drink, before you drive”. It was an effective campaign, helping to reduce drink-related driving accidents. Making people ‘think’ before acting, however, is not as easy as it sounds. In fact, phishing campaigns rely on people not thinking: on a knee-jerk reaction to an email. Phishing is a serious business; a recent report found that 95% of IT leaders believe their data is at risk from the email channel.
So, how can the average business hope to be as successful as the 70s drink driving campaign when it comes to countering the tricks up a cybercriminal’s sleeve?
Phishing Attacks and Human Behaviour
This difficulty in prevention is reflected in how successful phishing attacks are. In pre-pandemic 2019 the statistics were already appalling, with the insurance company Beazley reporting a 105% increase in ransomware attacks in Q1 2019. In 2020, phishing went off the scale: the FBI's Internet Crime Complaint Center (IC3) reported that phishing was by far the most frequently reported crime type that year. One of the driving forces behind phishing success during the last 12 months has been the Covid-19 pandemic, which provided opportunities galore for phishers to exploit human behaviour. This is evidenced by a staggering 30,000% increase in Covid-19-themed threats during 2020, most of them delivered through malicious websites and phishing emails.
Phishing (and its variants, vishing, smishing and pharming) is a prevalent attack vector because the technique works. It works because it uses natural human behaviour to get the victim to carry out an action that benefits the cybercriminal behind the attack. Manipulating a legitimate person into an illegitimate action was the hallmark of the scam long before modern technology arrived. But technology can groom even savvy users, because our usage patterns become “hard-coded” as we grow familiar with a system.
Email, for example, is an everyday technology that we use continuously: in 2020, around 306.4 billion emails were sent and received every day. Opening an email and clicking a link is almost second nature, a knee-jerk response to a routine task. It is this repetition, and the lack of thought the task needs, that the phisher exploits.
5 Typical Phishing Characteristics
Phishing attacks aim to catch people out before they think too hard. To do this, a campaign needs to meet certain criteria and optimise the circumstances:
- Trusted source: One way to remove the thought process is to make the email recipient feel safe. Phishing campaigns will typically masquerade as well-known brands, borrowing the brand's name in the sender's display name and its look in the message body. In reviews of which brands are used by phishers, Microsoft repeatedly comes out on top as one of the phishers’ favourite brands to spoof. Other commonly spoofed brands include Netflix and PayPal.
- The lure of the click: Whilst 79% of people say they can recognise a phishing email, almost half will still click on a link in a suspicious email. This behaviour is most likely the result of the implicit training we have all had in using web content: clicking is almost a Pavlovian response when an email contains a link. User experience (UX) designers use this kind of conditioning to help people use technology more easily; cybercriminals use the same psychological manipulation to get us to click on a phishing link and so start the next stage of the phish.
- Leading by task: Keeping the email focused on a simple task helps remove the thought process. Repetitive, recognised tasks such as password resets are a phisher favourite, because they let that all-important ‘click’ happen without the recipient thinking too deeply about the possible consequences. If the task is work-related, the click is even more likely to be made and the phishing event initiated.
- The urgency: Phishing emails will often contain some sort of driver to push the auto-click behaviour, such as the threat of disciplinary action or a raised concern over something like an unpaid bill. Some phishing campaigns are highly targeted (spear phishing). These campaigns often impersonate a CEO; the fake CEO then emails the accounts department with an urgent request to wire money to a bank account. The account is, of course, owned by the scammer.
- Overworked: A study of hospitals targeted by phishing campaigns concluded that overworked staff were more likely to click on a phishing link. If you don’t have time to think, you default to the automatic response.
A note on spear phishing attacks. This type of phishing requires a deeper level of reconnaissance on the target in order to deliver a more convincing email. That level of detail makes spear-phishing emails even harder for employees to spot. Spear-phishing email attacks reportedly increased by 667% during the Covid-19 pandemic.
How to Make an Employee Click a Phishing Link
Cybercriminals are masterful at creating the conditions for a successful phishing campaign, using every trick that makes a user click, such as spoofing trusted brands, to make the user easy bait. An example of this was an Office 365 phishing ruse in 2020. It had all the elements that manipulate users into clicking before thinking:
- Spoofed emails, made to look as if they came from Microsoft Office 365, were sent to employees.
- The email's subject line was “COVID-19 Training for Employees: A Certificate for Health Workplaces”, so employees were encouraged to act on it for work reasons.
- Recipients were asked to click on a link in the email that took them to a spoofed Office 365 login page; the page looked identical to the real Office 365 login page.
- The user was prompted to enter their Office 365 credentials to log in and receive the certificate. If they did so, the credentials were harvested by the attacker and could then be used to log in to the real Office 365 portal.
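The five characteristics above and the Office 365 lure map directly onto detection signals. The Python script below is an added example written for this page; it is not code from the original article or from any vendor. It parses two constructed sample messages (a lure shaped like the Office 365 campaign described above, with made-up sender and link domains, and a benign message), checks whether the brand named in the sender's display name matches the sender and link domains, and looks for a credential-related task and an urgency cue. The brand-to-domain table, the keyword lists, the `registrable()` helper and the two-signal threshold are illustrative assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real campaign artefacts). The first is shaped
# like the Office 365 lure described above; the sender and link domains are made up.
SAMPLE_PHISH = """\
From: "Microsoft Office 365" <no-reply@office365-training.example>
To: staff@company.example
Subject: COVID-19 Training for Employees: A Certificate for Health Workplaces
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your training certificate must be claimed within 24 hours.</p>
<p><a href="https://login.office365-training.example/signin">Sign in to Office 365</a>
to download your certificate.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Microsoft" <no-reply@microsoft.com>
To: staff@company.example
Subject: Your monthly usage report
Content-Type: text/html; charset=utf-8

<html><body>
<p><a href="https://portal.office.com/reports">View your report</a></p>
</body></html>
"""

# Brand names phishers spoof most often (per the article) mapped to domains those
# brands legitimately mail from and link to. Illustrative assumption, not a full list.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com", "office365.com", "live.com"},
    "office 365": {"microsoft.com", "office.com", "office365.com"},
    "netflix": {"netflix.com"},
    "paypal": {"paypal.com"},
}

# Assumed keyword lists for the "urgency" and "leading by task" characteristics.
URGENCY = re.compile(
    r"\b(within 24 hours|immediately|urgent|suspended|final notice|action required)\b", re.I)
CRED_TASK = re.compile(
    r"\b(sign in|log ?in|reset your password|verify your account|password)\b", re.I)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)


def registrable(host):
    """Crude registrable-domain reduction (last two labels). Enough for the hosts used
    here; production code should use a public-suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_message(raw):
    """Return the list of phishing signals found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg["From"] or "")
    sender_domain = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    subject = str(msg["Subject"] or "")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    link_hosts = {registrable(urlparse(u).hostname or "") for u in HREF.findall(text)}
    link_hosts.discard("")

    signals = []
    # Trusted source: a brand is named in the display name or subject, but the
    # sender domain or the link targets do not belong to that brand.
    claimed = [b for b in BRAND_DOMAINS if b in f"{display} {subject}".lower()]
    legit = set().union(*(BRAND_DOMAINS[b] for b in claimed))
    if claimed and sender_domain and sender_domain not in legit:
        signals.append(f"claims {claimed[0]} but sender domain is {sender_domain}")
    for host in sorted(link_hosts):
        if claimed and host not in legit:
            signals.append(f"claims {claimed[0]} but link points to {host}")
    # Leading by task / the lure of the click: a simple credential-related action.
    if CRED_TASK.search(subject) or CRED_TASK.search(text):
        signals.append("asks for a sign-in or password action")
    # Urgency: a deadline or threat that pushes the auto-click.
    if URGENCY.search(subject) or URGENCY.search(text):
        signals.append("urgency cue")
    return signals


def is_phishy(raw, threshold=2):
    """Flag a message when two or more of the characteristics co-occur (assumed threshold)."""
    return len(score_message(raw)) >= threshold


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, is_phishy(raw), score_message(raw))
```

Run against the constructed lure, the script reports four signals (sender domain and link host both outside Microsoft's domains, a sign-in task, and a 24-hour deadline) and flags it, while the benign report message produces none. Two caveats a practitioner should keep in mind: the display name and the From header are attacker-controlled, so in a real mail pipeline these checks belong alongside SPF, DKIM and DMARC authentication results rather than replacing them; and a brand list and keyword regexes are a coarse filter that will miss lures using lookalike characters or image-only bodies.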
How to Stop an Employee Clicking a Phishing Link
Preventing hard-coded behaviour requires specialist awareness training. Technologists have designed systems to be easy to use and to make clicking an easy action; that auto-click response must be broken to prevent phishing from succeeding. By running well-thought-out, controlled phishing tests, an organisation can help change the behaviour that cybercriminals depend on. Simulated phishing tests create a safe environment in which to train users on the subtle ways that phishers manipulate their behaviour, so that they learn to watch out for those tricks. As part of a wider security awareness programme, phishing simulation is effective in preventing the phishing successes that result in stolen credentials, data exposure and ransomware infection.