Cyberdise AG

Have you watched “The Great Hack” movie? A must-watch for insights into the psychology behind phishing attacks!

Psychology and Phishing Attacks

Phishing attacks rely heavily on psychological tricks, which is why understanding these tactics is so important for cybersecurity awareness. Surprisingly, nearly half (47%) of successful attacks still happen because of careless employees [1].

The Main Psychological Tactics in Phishing:

1. Emotional Manipulation

Phishers tap into emotions like fear, curiosity, and trust to prompt hasty actions. For example, an urgent message from a “bank” might trigger panic, while a promise of rewards can pique curiosity. 

2. Cognitive Biases

We’re all prone to biases, and phishers know it. From overconfidence (“I’d never fall for a scam”) to authority bias (trusting messages from “important” figures), these biases make us more vulnerable. Scroll down to read more about cognitive biases.

3. Social Engineering

Phishers leverage techniques like reciprocation (creating a sense of obligation) and social proof (implying that “everyone else is doing it”) to persuade victims to comply.

What We Recommend:

1. Recognize Vulnerabilities

Understanding our psychological vulnerabilities helps us stay alert. It’s often our emotions, not our tech knowledge, that phishers exploit.

2. Master the Basics to Identify Legitimate Messages

You need to know the basics that allow you to tell a legitimate message from a suspicious one. Does the message come from someone you know? Does it come from a domain you know and trust? As a minimum, you need to know how email addresses are structured (display name, local part, and the domain after the “@”) and which sender domains you trust.
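The check described above, written out as code: an added example, not Cyberdise’s code. It parses a From: header the way a mail client does, splits the display name from the real address, extracts the domain after the “@”, and compares it against a small allowlist of trusted domains. The domains, brand keywords and sample headers are constructed placeholders, not real senders.

```python
from email.utils import parseaddr

# Constructed allowlist for a hypothetical organization: domains whose mail
# you have decided to trust, plus the brand names those domains belong to.
TRUSTED_DOMAINS = {"example-corp.test", "example-bank.test"}
BRAND_KEYWORDS = {"example corp", "example bank"}


def split_from_header(from_header: str) -> tuple[str, str, str]:
    """Split a From: header value into (display name, address, domain).

    parseaddr does the RFC 5322 work: '"Name" <user@host>' -> ("Name",
    "user@host"). The domain is everything after the last '@'.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2] if "@" in addr else ""
    return name, addr, domain


def domain_is_trusted(domain: str, trusted: set[str] = TRUSTED_DOMAINS) -> bool:
    """True when the domain is a trusted domain or a subdomain of one.

    The trusted name must be the *end* of the domain: 'mail.example-corp.test'
    passes, 'example-corp.test.evil.test' does not, and a single changed
    character ('examp1e-corp.test') does not either.
    """
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def assess_sender(from_header: str) -> dict:
    """Classify a From: header and list the reasons it looks suspicious."""
    name, addr, domain = split_from_header(from_header)
    trusted = bool(domain) and domain_is_trusted(domain)
    findings = []
    if not addr:
        findings.append("no parseable address")
    elif not trusted:
        findings.append(f"sender domain not trusted: {domain}")
    lowered_name = name.lower()
    # Display-name tricks: a different address shown as the name, or a
    # trusted brand name paired with an untrusted domain.
    if "@" in lowered_name and lowered_name != addr:
        findings.append("display name shows a different address than the sender")
    if not trusted and any(k in lowered_name for k in BRAND_KEYWORDS):
        findings.append("trusted brand in display name but untrusted domain")
    return {"name": name, "address": addr, "domain": domain,
            "trusted": trusted, "findings": findings}


# Constructed sample headers (not real mail); run the file to see the verdicts.
SAMPLE_HEADERS = [
    "Example Corp IT <helpdesk@mail.example-corp.test>",
    "Example Bank Security <alerts@example-bank.test.evil.test>",
    '"ceo@example-corp.test" <random@freemail.test>',
    "Example Corp <helpdesk@examp1e-corp.test>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = assess_sender(header)
        verdict = "trusted" if result["trusted"] else "SUSPICIOUS"
        print(f"{verdict:10} {header}")
        for finding in result["findings"]:
            print(f"           - {finding}")
```

Only the first sample header passes: the other three carry a trusted-looking name or subdomain in front of a domain that is not on the list, which is exactly the detail a hurried reader skips. The suffix check in domain_is_trusted is the important part; matching on “contains” instead of “ends with” would let the second sample through.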

3. Effective Training

Training programs should go beyond tech skills. We recommend running phishing simulations.

4. Cognitive Approach

Encourage System 2 thinking (slow, deliberate, and logical thinking that requires more cognitive effort [2]): take a moment to pause and evaluate messages before acting. This simple step can prevent impulsive, risky actions.

5. Cultivate a Secure Culture

Building a culture that values security encourages vigilance. When employees feel safe reporting suspicious emails, organizations become more resilient.

The psychology behind phishing attacks is a global issue, affecting individuals and organizations across borders. To deepen our understanding of these tactics, our team is participating in Black Hat Saudi Arabia this year. This event offers a unique perspective on the latest global cybersecurity threats and insights that we believe will be valuable for our European readers. Stay tuned for key takeaways by following Cyberdise on LinkedIn!

What are the most common cognitive biases exploited in phishing scams?

Here’s a look at the top biases used in phishing attacks, so you can recognize and resist them:

1. The Halo Effect

When we trust a person, brand, or organization, we’re more likely to trust messages associated with them. Phishers exploit this by posing as well-known companies or trusted entities. In fact, the Halo Effect appears in 29% of phishing attacks, making it one of the most commonly used biases in social engineering [3]. Be cautious of unexpected messages from “trusted” sources, even if they seem familiar.

2. Hyperbolic Discounting

Humans naturally prefer immediate rewards over future benefits, making us easy targets for “limited-time offers” or free coupons. Scammers use this bias to entice quick clicks, knowing that the promise of instant rewards often clouds better judgment. This technique appears in 28% of phishing attacks [4], so remember to take a moment before acting on tempting deals.

3. Curiosity Effect

Curiosity can be a double-edged sword. Phishers know this and often lure victims with intriguing subject lines or “secret” information. Limited-time deals or exclusive offers exploit this bias, which drives 17% of phishing attacks [5]. Always approach curiosity-inducing emails with caution!

4. Authority Bias

We tend to trust messages from authority figures or high-ranking officials without question. Scammers impersonate figures like CEOs or government officials, leveraging this trust to push victims into action. Always verify the authenticity of urgent messages from authority figures.

5. Recency Effect

This bias causes us to give extra weight to the latest information we’ve encountered. Phishers take advantage of this by referencing current events or recent company news, making their messages feel timely and relevant. Stay vigilant by cross-checking unexpected messages against verified sources.

Other Cognitive Biases in Phishing [6]:

  • Loss Aversion: Threats of “account suspension” prey on our fear of loss, nudging us to act impulsively.
  • Optimism Bias: Scammers offer fake “great opportunities,” knowing we often underestimate risks.
  • Scarcity Bias: Phishers create urgency by claiming limited availability to make offers feel more valuable.

Educating yourself and your team on these psychological tricks can significantly reduce vulnerability to phishing attacks [7]. Recognizing these biases helps us slow down, think critically, and act with security in mind.

Want to try using psychology to phish someone?

Our Freemium Edition offers fully customizable phishing email simulations for you to try on your friends, family or co-workers. Fill out the form & get installation instructions right away! Or, to strengthen your team’s security toolkit, take advantage of our Black Friday discount on the Cyberdise Premium editions. Get advanced phishing simulation tools and customizable training modules designed to address both the technical and psychological aspects of phishing.

We’re excited to share more cybersecurity insights, news, and updates with you in the upcoming editions of this newsletter. However, if you don’t find this helpful, we’re sorry to see you go. Please click the unsubscribe button below.

[1] Analysis of the IBM Cost of a Data Breach Report 2024, Figure 7: cases that can be attributed to a lack of employee awareness amount to 16% compromised/stolen credentials, 15% phishing, 10% business email compromise and 6% social engineering. This means that 47% of all attacks target inexperienced, gullible or careless employees.

[2] Kahneman, D. (2011). Thinking, Fast and Slow. New York: Farrar, Straus and Giroux.

[3] LinkedIn: “Mind Games: How Hackers Exploit Your Brain with Cognitive Biases”

[4] Blog: “[INFOGRAPHIC] 9 Cognitive Biases Hackers Exploit the Most”

[5] Security Magazine: “Cybercriminals Exploit These Cognitive Biases the Most”

[6] VentureBeat: “Phishing Attacks Exploit Cognitive Biases, Research Finds”

[7] SC World: “The Five Most Popular Cognitive Biases That Result in Phishing Attacks”