We’ve all been there. It’s your busiest time of day, and you’re multi-tasking like a champ. You glance at a new email that just hit your inbox—something about a password reset from the company administrator—CLICK and... oops.
Welcome to email phishing schemes 2020.
Cyber criminals are devising increasingly underhanded and clever methods to fool employees and individuals into opening, clicking on, and downloading files from emails. These phishing schemes are executed in order to access valuable company data or to cause damage to an organization. Enterprises are well aware of the danger and many try to stay on top of the latest schemes by educating their employees about new phishing scams and the possibility of phishing.
So how can these phishing schemes be so successful?
Simple. Hackers have figured out the easiest way to uncover sensitive company information using a method that does not involve exploiting technical flaws, or resorting to violence, threats or even personal contact. They simply utilize the basic tenets of social engineering that prey on human emotion.
Emails that make a targeted victim feel a sense of urgency, fear, or other strong emotion have been proven to cause them to unthinkingly carry out the desired action, which is often to click a malicious link or open an infected file. As hard as enterprises try to prevent these phishing social engineering attacks, the human element will trump them every time: 90% of data breaches are caused by human error, according to TechRadar. Humans have proven themselves—again and again—to be the weakest link in the cyber chain.
Let’s explore the Top 5 psychological tricks that hackers use in phishing attacks to get their victims to click.
Nothing to fear but fear itself
The human sense of fear is activated when a victim believes something terrible will happen if they don’t act. The impending danger often seems so real that it entices the victim to respond. Cyber criminals have learned that phishing emails that cause panic or dread will result in the victim clicking to find out more. Examples include an email claiming to come from a law firm about a court appearance, with the “court notice” attached, or an email claiming to be from the IRS explaining that the victim owes back taxes or is being audited, with the document “details” attached. Victims who fall prey to the psychology behind the phishing attack and click on these malicious links or download these files often also end up downloading and installing malware on their systems.
Hurry up, it’s urgent!
Email marketers have long known that creating a sense of urgency is one of the best ways to propel users into action. Words like “Act Now” or “Offer Ends Tonight” create a psychological reaction called FOMO: fear of missing out. Hackers have jumped on the urgency bandwagon as well, understanding that urgent messages will have victims act first and think later. For example, hackers use a business email compromise attack (BEC) where an attacker spoofs or hacks into a company email account and impersonates a “perceived authority” such as a supervisor in order to dupe victims into acting quickly. The “boss” may send short, curt messages asking for a form to be filled out or a payment made right away. And who wants to make the boss mad by delaying?
Show me the money
Money-related schemes are favorites of hackers because they know that most people are “greedy” by nature. Appealing to the victim’s desire for wealth or power is a proven hook of psychological manipulation.
Additionally, at times like the present, when COVID-related layoffs are common, victims may be more likely to click on something that seems “too good to be true” out of desperation or anxiety. An example is an email from the IRS telling victims that their long-awaited refund checks are ready and directing them to open the attachment for instructions to receive their money. Another example is a phony email from a bank alerting the company about a problem, or letting them know that an interest payment has come in, with the goal of tricking them into entering their bank ID and password.
Pay attention, you’re missing the details
Hackers lure victims with social engineering attack emails that include similar-looking logos or other elements designed to closely resemble a legitimate business. These emails are meant to focus victims’ attention elsewhere so they don’t pick up on small details that would give away the ruse. Examples include phony FedEx or UPS shipping confirmation emails that are difficult to tell apart from the real thing, or a fake Dropbox password reset phishing email that drives unsuspecting users to “update their password” by clicking on a link. According to Wombat’s State of the Phish Report, the most effective password reset phishing email is the one that looks like it comes from your own IT department.
Forge a Personal Connection
The best way to convince a victim to drop their guard is by developing a sense of trust. Hackers may try to cultivate their own relationships with a target by creating fake social media profiles and connecting over time. They may ensnare a victim by sending phony job posts over LinkedIn or by sending bad links via Facebook Messaging. Or they may take a shortcut by hijacking a legitimate conversation between two trusted parties. According to ZDNet, conversation hijacking occurs when hackers infiltrate email threads between two people, sending malicious content while making it seem like the person the victim was just talking to is the one sending messages back and forth.
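As an added example (not code from Votiro or from the original post), the following Python function triages one raw email for the cues described in the five tricks above: pressure words, a display name claiming authority from an external domain, a Reply-To that diverges from From, and a thread reply arriving from outside the organisation. The keyword lists, the internal domain example.com and the two sample messages are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed, illustrative lexicons for the pressure tactics described above.
CUES = {
    "urgency": r"\b(act now|immediately|right away|today|urgent|asap)\b",
    "fear": r"\b(court|audit|suspended|legal action|overdue)\b",
    "money": r"\b(refund|payment|wire|invoice|interest)\b",
}
INTERNAL_DOMAIN = "example.com"  # assumed: the organisation's own mail domain

def phish_cues(raw: str) -> dict:
    """Return which social-engineering cues appear in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    cues = {k: bool(re.search(p, text)) for k, p in CUES.items()}
    # "Perceived authority": display name says IT/boss, but the address is external.
    claims_authority = re.search(r"\b(it|helpdesk|ceo|support)\b", name.lower())
    cues["authority_spoof"] = bool(claims_authority) and sender_domain != INTERNAL_DOMAIN
    # Replies silently redirected to another mailbox are a common BEC tell.
    cues["reply_to_mismatch"] = bool(reply_to) and reply_to.lower() != addr.lower()
    # Conversation hijacking: a reply in an existing thread now coming from outside.
    cues["external_thread_reply"] = bool(msg.get("In-Reply-To")) and sender_domain != INTERNAL_DOMAIN
    cues["score"] = sum(1 for v in cues.values() if v)
    return cues

# Constructed sample: fake IT password reset with urgency, fear and a redirected Reply-To.
SAMPLE_PHISH = """From: IT Helpdesk <helpdesk@example-support.net>
Reply-To: reset@mailbox-verify.net
To: jane@example.com
Subject: Urgent: password reset required
Content-Type: text/plain; charset=utf-8

Your account will be suspended today. Act now and reset your password here.
"""

# Constructed sample: an ordinary internal thread reply with no cues.
SAMPLE_LEGIT = """From: Bob Lee <bob@example.com>
To: jane@example.com
Subject: Re: quarterly numbers
In-Reply-To: <abc123@example.com>
Content-Type: text/plain; charset=utf-8

Thanks, looks fine to me.
"""
```

The score is a count of cues, not a verdict; in practice it would feed a mail-gateway rule or an analyst queue alongside SPF/DKIM results.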
Can complete protection from weaponized files sent via phishing attacks be achieved?
Imagine a world where employees could click and download any email attachment they come across without thinking twice.
Well, with Votiro’s Secure File Gateway, complete protection from malicious files—regardless of file source—is achievable. Unlike detection-based security solutions that scan for suspicious elements and block some malicious files, Votiro’s revolutionary Positive Selection technology singles out only the safe elements of each file, ensuring every file that enters the organization is 100% safe—including email attachments and the email files themselves.