Why phishing works

Where criminals impersonate a trustworthy third party as a first step to breaking into confidential systems, the odds are stacked against the defending team. According to statistics published by Singapore police, cyber crime incidents increased by over 250% between 2015 and 2017.


Defensive frailties

“We like to think we’re in control 100% of the time,” says Marwa Azab Ph.D, “and that decisions we make are the result of logical and rational computations.”

The reality is very different.

In his book Thinking Fast and Slow, Daniel Kahneman describes how the brain has two ‘systems’. System 1 is the “fast, automatic, intuitive approach.”

In other words, acting on instinct.

Instinct hasn’t yet caught up with the digital age; as we’ll see, sometimes the most tech-literate are the easiest to defraud.

The problem isn’t ineptitude, it’s autopilot.

80% of people using System 1 to do System 2 tasks*

Kahneman’s System 1 is instinctive; System 2 is a slower, analytical mode, where reason dominates.

Take the classic problem: A bat and ball together cost $1.10. The bat costs $1 more than the ball. How much does the ball cost?

Most people answer 10 cents – but that’s System 1 speaking.

Anyone engaging System 2 will reason that the correct answer is 5 cents.

System 2 is very much the second choice, most of the time.

*In a recent French study published in Psychonomic Bulletin & Review, only 1 in 5 people got the answer right.

Four ancient thought processes cyber criminals love

While these examples might sound a little silly in the cold light of day, they’ve got a solid track record – they’re proven to work.

1. Fear

Conditioned fears - such as getting in trouble with the boss or the authorities - make an interesting muse for cyber criminals. Ironically, the fear of being insecure online is an excellent weapon.

For example, via a convincingly designed fake email explaining that an account has been compromised, people will gratefully give hackers their password.

2. Obedience

Obedience is to do with the avoidance of conflict, and of course, responding to direct requests from an authority figure.

This is a common tactic for cyber criminals. We’re conditioned from a very young age not to question authority and most people are inclined to comply. Spoofing senior managers’ email addresses, even mimicking the tone of their writing… all in a day’s work for hackers.

3. Greed

Letting an intense, selfish desire outweigh your better reason is as old as civilisation.

Scams that promise a reward happen every day. For example, the often-mocked “419 scam”, aka the “Advance Fee” or “Nigerian Prince” scam.

It’s become a cliché, but people do fall for it every day, raking in millions each year for criminals all over the world.  

It’s all in the way they are worded – spelling mistakes, bad grammar and all.

As Cormac Herley of Microsoft says, “Since gullibility is unobservable, the best strategy is to get those who possess this quality to self-identify.”

4. Helpfulness

Working together has an evolutionary benefit and is hardwired into (most!) people’s nature. Cyber criminals exploit this in all sorts of ways.

For example, a smooth-talking criminal was able to ascertain his target’s current address by talking to Amazon customer services. Posing as his victim, he claimed to not remember his listed address. By using a clever line of questioning, he got the customer advisor to reveal, bit by bit, the correct address (which was then used to perpetrate other frauds).

Not a high-tech hack, simply the criminal knowing how to use people’s urge to be helpful to his advantage.

Friend, Facebook friend or foe? What’s the difference nowadays?

One of the most consistently successful email subject lines is, “Invitation to Connect on LinkedIn.”

It’s because the line between friend, acquaintance and stranger has become completely blurred.

Telling the difference used to be easy: a new face in the village would arouse suspicion, and people would be guarded around this mysterious stranger.

For people accustomed to social networking sites like Facebook and LinkedIn, it’s a different cognitive process entirely.

In a study entitled Habitual Facebook Use and its Impact on Getting Deceived on Social Media, a team of US scientists studied the online behaviour of 150 students. Weeks later, long after they thought the trial was over, the scientists launched a simulated phishing attack involving a stranger requesting to be Facebook friends.

What the researchers described as “complacency” and “a desire to please” resulted in a simple yet effective phishing scam, in which many of the students submitted personal and financial information.

Possibly because of the reasons outlined in the study, the age range 18-25 is believed to be the most susceptible to phishing attacks.

18-25-year-olds are most susceptible to phishing attacks. Technical ability does not make detection easier.

The study also found that “Users' general technical proficiency does not correlate with improved detection scores.”

So it doesn’t matter how tech savvy you are, you can still get your buttons pushed…

Stress makes people more cavalier, not more cautious

“When trying to concentrate on a task, an unread email in your inbox can reduce your effective IQ by 10 points,” says author Daniel J Levitin PhD in The Organized Mind: Thinking Straight in the Age of Information Overload.

Stress has an effect on decision making, but not in the way you might expect, according to the Association for Psychological Science.

“Stress seems to help people learn from positive feedback and impairs their learning from negative feedback,” said Mara Mather of the University of Southern California, co-author of the study.

This means people under acute short stress pay more attention to upsides than downsides.

Cyber criminals know this. It’s how a lot of social engineering attacks work.

Stress tactics: 4 ways cyber criminals manipulate stress levels

1. Attack late in the afternoon, on Fridays or at the end of the month

2. Spoof top brass managers’ email addresses

3. Exploit real-life events, such as tax return deadlines

4. Use fear tactics urging rapid action
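As a defender’s counterpart to that list, here is an added example (not from the original article) of a small heuristic that checks an inbound message for the same tells: a senior manager’s display name on an unexpected or lookalike address, a diverted Reply-To, urgency wording, and arrival at a stress-prone time. The corporate domain, executive roster, urgency terms and the two sample messages are all constructed; tactic 3 (real-life events) is only approximated by the month-end check.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime
from email.utils import parseaddr
# Constructed values: the organisation's own domain and its senior managers' addresses.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_TERMS = ("urgent", "immediately", "asap", "before 5pm", "deadline")

@dataclass
class Mail:
    from_header: str      # raw From: header value
    reply_to: str         # raw Reply-To: header value, "" if absent
    subject: str
    received_at: datetime

def risk_flags(m: Mail) -> list[str]:
    flags = []
    name, addr = parseaddr(m.from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Tactic 2: a senior manager's display name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append("exec display-name from unexpected address")
    # Lookalike domain: our name embedded in a domain that is not ours.
    if domain and domain != CORP_DOMAIN and CORP_DOMAIN.split(".")[0] in domain:
        flags.append("lookalike sender domain")
    # Reply-To steering replies to a different domain than the visible sender.
    reply_addr = parseaddr(m.reply_to)[1]
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != domain:
        flags.append("reply-to domain differs from sender domain")
    # Tactic 4: urgency wording pushing the reader towards System 1.
    if any(term in m.subject.lower() for term in URGENCY_TERMS):
        flags.append("urgency wording")
    # Tactic 1: late Friday afternoon (weekday 4), or the last two days of the month.
    t = m.received_at
    last_day = calendar.monthrange(t.year, t.month)[1]
    if (t.weekday() == 4 and t.hour >= 15) or t.day >= last_day - 1:
        flags.append("sent at a stress-prone time")
    return flags

# Constructed sample messages: one executive-impersonation lure, one ordinary mail.
SUSPICIOUS = Mail("Jane Doe <jane.doe@example-co.net>", "",
                  "URGENT: wire transfer before 5pm", datetime(2024, 3, 29, 16, 30))
BENIGN = Mail("Jane Doe <jane.doe@example.com>", "",
              "Q2 planning notes", datetime(2024, 3, 26, 10, 0))
if __name__ == "__main__":
    for label, mail in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, risk_flags(mail))
```

A real mail gateway would combine these flags with authentication results (SPF, DKIM, DMARC) rather than act on display names alone; the point here is that the psychological levers in the list leave observable traces in headers and timing.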


Attacker perspective

A big factor in cyber crime’s prevalence is the hunger and zeal of the criminals. This is down to classic adversarial behaviour.

From the attackers’ perspective, cyber-crime is a game.

Tracking performance analytics makes it an exciting, dopamine-rich game, with the thrills and freedom of Grand Theft Auto and the potential pay offs of sports betting.  

Sounds pretty addictive, doesn’t it? There are certainly parallels with alcohol and drug addiction.

Rivers of dopamine

According to this report by Europol: “dopamine can be released quickly as vulnerable youth achieve frequent and rapid successes online, and if these successes are linked to anti-social acts, such as hacking, they will be reinforced to pursue further ends to obtain their gains.”

But it’s not just about success.

A near-miss will still do the trick, because that’s a quirk of dopamine. It’ll give you a top-up, because it wants you to keep going and it’s backing you to win next time. This is explored in the Guardian article Dopamine, the Unsexy Truth, which refers to a study on roulette junkies.

Spear phishers have the most fun?

Spear phishing is a targeted approach, singling out individuals and designing bespoke attacks.

This approach depends on the message passing the victim’s plausibility check.

Achieving that is a skill in itself.

Social engineering takes skill, but not especially technical skill – that can be bought in cheaply and reliably. It is the skill of human manipulation that comes to the fore, pushing the buttons of impatience, curiosity, arrogance, greed and trust.

Which is not dissimilar to the skills of a Madison Avenue ad man, a la Don Draper from Mad Men.

Self-actualisation and community

For many young cyber criminals, cyber crime is a chance to “be somebody”.

Personal motives for cybercrime include “self-actualization, intellectual challenge, need to prove one's self, need to prove technical proficiency.” According to Nick Kykodym et al., writing in the Journal of Leadership, Accountability and Ethics, at the same time “it can be their vehicle to fuel fantasies” and “bolster their self-esteem.”

So for many it’s about more than money: it’s about hiding behind a secret identity and being part of a collaborative community, which a Flashpoint survey found goes beyond Darkweb chat rooms into more personal interaction via Skype.

The survey concluded, “cyber-criminals tend to share a strong desire to reap the benefits of cross-community collaboration, information sharing and even mentorship.”

Role models

The same Flashpoint survey highlighted that Russian-speaking cyber-criminals are “considered the most innovative and sophisticated actors”. Thus actors “from other language communities often imitate Russian cyber-criminals to attempt raising their own levels of competency”.

An air of collaborative competition and coaching, perhaps akin to being part of a sports team.

Conclusion: why phishing works

Cyber criminals know which buttons to push to bypass logical thinking and appeal to our impulsive, instinctive side. And our instincts for the digital world are not yet up to speed with the more logical rational approach criminals take.

While morally dubious, cyber criminals are talented – not necessarily technically. For the most part, cyber criminals are more "criminal" than "cyber".  

The cyber aspect is played out in where they procure the tools of crime, learn the strategies and find technical, and also, emotional support. 

The main problem within target organisations is a natural, unavoidable complacency. People’s focus is on other areas; they’re just doing their jobs.

Most thinking is done on instinct - but in the digital world, we haven’t got a whole lot of instinct to go on: Instinct is thought to be something that develops over generations of ancestral learning.*

It could be a few generations before people are preternaturally equipped to defend themselves against cyber-crime.
