Phishing Emails Play on Our Fear of Failure

^{Image has been altered. Courtesy of Christiaan Colen, Flickr.}

By now, most people know that an email from a foreign prince who just needs a small loan to claim his massive inheritance is probably a scam. Phishing, the tactic of sending fraudulent emails to try to trick users into giving up personal information, isn’t new. But according to a new study in Frontiers in Psychology, as consumers have wised up to common scams, sophisticated criminals have begun using social psychology and specific communication tactics to push past their skeptical targets.

The study’s authors—Prashanth Rajivan, PhD, a post-doctoral fellow at Carnegie Mellon’s Dietrich College of Humanities and Social Sciences and Coty Gonzalez, PhD, a professor in the same department—designed their experiments as a window into the psychology of cybercriminals and their victims, attempting to identify why some phishing tactics are more effective than others.

Rajivan and Gonzalez found that victims are the most vulnerable when they’re on the defensive. Instead of an offer for a free cruise or a slice of some sweet royal inheritance, the most successful phishing attempts often challenge their recipient with a negative message, like a failed password attempt or a late bill, in an attempt to solicit a response.

“I think there are several factors at play here, including past experience and individual familiarity with scam like emails that often deceive people by offering deals or rewards,” Rajivan told Healthcare Analytics News™ in an email interview. “However, at a more primitive level, I think we are more sensitive to loss, authority and trust, compared to gains.”

The main phase of the study divided the participants into 2 groups, hackers and victims. To disguise their intentions, the victims were told they were participating in a study about understanding how people manage their inbox. The hackers, meanwhile, were assigned instructions on basic phishing techniques and formats and given a detailed scoring system that judged both the creativity and success rate of their attempts to con their peers out of personal information.

The exercise found that the most successful hackers creatively used an authoritative tone in their phishing emails and “communicated failure” to their victims. For example, someone receives an email from an account purporting to be the billing department for a major hospital or bank network, asking them to create an online account or re-enter payment details to settle a bill, or else face a late fee or penalty. The CMU study found that this strategy, which immediately puts the victim on the back foot, would be more likely to succeed than a cheerful email offering a gift or deal.

And healthcare data are among the most valuable prizes for hackers, as hospital and insurance records often contain financial details, social security numbers, and more. Rajivan noted several instances in which phishing attacks caused “system-level failures” in hospitals, including the Morehead Memorial Hospital attack in 2017, which exposed the health information of more than 66,000 patients.

The end goal of Rajivan and Gonzalez’s study is to better understand the psychology behind phishing attempts so everyday people fall for them less often.

“I think this work is a first step towards our overall goal of developing a comprehensive model of human behavior in phishing attacks,” Rajivan told HCA. Rajivan said he wants to continue the game-model research, hoping to figure out which types of people are most at risk. “We find that it is the personality characteristics of the end-users [victims] that are stronger determinants of their own susceptibility to phishing attacks.”

The hope is that this information will give users better tools than just “don’t click on links in emails,” which the researchers noted was unrealistic. If they can identify who exactly is at risk, and why they’re at risk, they might be able to train vulnerable users out of the habits that make them susceptible.

In other words, if you’re already sensitive to negative responses or authority figures, or just plain gullible, you may be at risk. And unless you’re the one in a million who has a relative in a royal family, don’t offer to help anyone you don’t know claim their inheritance. Cybercriminals might be getting smarter, but age-old scams never die.

Related

February's Reported Data Breaches: Over 140,000 Patients Potentially Impacted

Defending Your Data From the Dark Overlord

Trickle-Down Cyberwarfare Is Harming Just About Every Industry