The Psychology of Phishing

The psychology of phishing is the body of research that reveals the underlying biases and vulnerabilities in human cognition that phishing exploits. Recognizing these mental tendencies and susceptibilities can help protect us from falling prey to phishing attacks.

What is Phishing?

The term “phishing,” coined in 1996, refers to the fraudulent practice of tricking internet users into disclosing personal or confidential information, which scammers can then misuse. Phishing has since become pervasive. Over 3.4 billion phishing emails are sent worldwide daily, constituting half of all fraud attacks and cyber crimes.

Why is it serious?

Phishing poses a significant risk since a single click can lead to substantial losses. People you know might have inadvertently given away critical personal or financial information. They might have downloaded malicious software or compromised their computer files due to phishing attempts. There is a famous case of John Podesta, who fell victim to a phishing email during Hillary Clinton’s 2016 campaign. John’s sensitive political emails were stolen, illustrating the potency of phishing.

How is phishing done?

Cybersecurity experts assert that phishing emails are skillfully designed to exploit our emotions and unconscious biases. Deception is an age-old human trait, and phishing is a form of cyber deception. While technology-based solutions are commonly employed to combat phishing, here we use psychology to understand why people fall for it and how to safeguard them from falling prey.

Phishing emails leverage emotional tactics to bypass rational thinking and elicit clicks. There are two thinking systems to explain why phishing is effective:

System 1 operates swiftly, intuitively, and emotionally, while System 2 is deliberate and slower.

System 1 relies on mental shortcuts to handle numerous daily decisions, such as the truth bias, which assumes that others are more likely to be truthful than deceitful. However, these biases can lead to unwise decisions, such as trusting an email claiming to be from one’s bank for a password update.

Phishing aims to keep individuals in automatic, System 1 mode, where decisions are made quickly and thoughtlessly. Phishers exploit mental shortcuts, also known as heuristics. There are seven psychological principles of influence: authority, commitment, liking, perceptual contrast, reciprocation, scarcity, and social proof (to be discussed some other time).

Let us see how individuals of varying ages respond to different tactics. Consider a 21-day study in which participants, ranging from 18 to 89 years old, received tailored emails designed to employ the seven principles of influence listed above.

Why are senior citizens easy prey?

The results showed that 43% of participants fell for phishing emails, with older women (62 and older) being the most susceptible group. The success of phishing tactics varied with age, with younger adults more vulnerable to scarcity appeals and older adults falling for reciprocity. Authority and legal issues were consistently effective for all age groups. This is interesting.

If you have to sell a mobile phone to a youngster, tell them that only 2 pieces are left. For an older demographic, what works is reciprocity, as they feel it is their responsibility to give something back. Hence, the NGO factor works here. For example, more Wikipedia donors are older because they feel that, having consumed the content, it is their responsibility to give something back. However, if you go to the contact page of Wikipedia, you will find that there is a sister concern which is for pure profit and was never free of cost.

One concerning finding was that participants’ self-assessment of vulnerability did not align with their actual susceptibility to phishing. Participants underestimated their susceptibility, with older adults being the least aware of their vulnerability, which is problematic. It is really important to protect our senior citizens.

There was a notable difference in behavior between age groups. Younger adults became less susceptible to fraudulent emails as the study progressed, while older adults remained consistently vulnerable. This is concerning, especially for older adults who hold positions of power and have accumulated online assets and offline wealth.

OK! Then what should we do?

On a positive note, higher cognitive function and positive affect appeared to protect older adults from falling for phishing attempts. For instance, older adults with better verbal fluency and positive affect were more aware of their vulnerability. The research suggests that tailored training, focused on demographic-specific vulnerabilities, could be more effective. The younger generation can give time and training to their elders. They might not want to sit through a two-hour workshop, but sitting with them, chatting, and walking them through the possibilities is the way to do it.

Phishing susceptibility studies are still evolving, offering the potential to reveal variations based on occupation type, education level, or response to attacks that spread misinformation. The research underscores the importance of integrating psychology into internet security strategies, as traditional technology-based solutions alone may not suffice. Oliveira believes that understanding human psychology is essential to combating phishing effectively, considering that human behavior changes slowly in contrast to rapidly evolving technology.

This is a cat-and-mouse game. Both sides can win and lose, and awareness is the key.