The Psychology of Phishing

An anonymous reader writes Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today. Cybercriminals understand that we are a generation of clickers and they use this to their advantage. They will take the time to create sophisticated phishing emails because they understand that today users can tell-apart spam annoyances from useful email, however they still find it difficult identifying phishing emails, particularly when they are tailored to suit each recipient individually. Fake emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link. To put that into context a legitimate marketing department at a FTSE 100 company typically expects less than a 2% click rate on their advertising campaigns. So, how are the cybercriminals out-marketing the marketing experts?

well

[Osgeld]

The criminals offer people stuff they want, marketing offers people shit they don't want. Seems simple enough

Re:well

[dunkindave]

The criminals offer people stuff they want, marketing offers people shit they don't want. Seems simple enough

Except the article is about spear-phishing. In spear-phishing, the emails are tailored to the intended victim, pretending to be from someone the attacker knows or believes the victim trusts, such as an email from their boss or their HR department, and the emails normally include information that the victim assumes isn't public which adds to the email's trust. Such emails may pretend to contain important employee training updates, company newsletters, specific conference information for conferences the target is known to attend, references by project name to projects the victim is working on, etc. This means the spear-phishing email is very different from typical spam which is clearly marketing, or so generic as to be obvious spam. It also means that without confirming the email's legitimacy via out-of-band methods, it may be virtually impossible to verify if it is real or not.

The problem for the defenders is the only real defense against a well crafted spear-phishing email is to instruct people NEVER to open an attachment, to click on a link, to visit a website if so instructed, or even to respond with information that may be requested. But such a world would render most business email useless.

Not everyone is train-able

[Taco Cowboy]

How are spammers successful so often? Simple, companies don't train people

As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable

Not that people are stupid - no, as far as I am concern, almost all who are working in the companies I mentioned above are above average in intelligence - but the one thing that is needed the most is not information, rather, it's intuition with a large bit of paranoia mixed in

It takes a paranoid to be suspicious of everything - and in this social-media world that we have today, where everybody shares every bit of their own info to the world - paranoia is becoming a scarce resource

No matter how much info we have shared with our colleagues, no matter how many times we have told them to be ultra careful, you bet someone will get phished, almost in a daily basis, and the local level network will get breached

Re:well

[dunkindave]

No, like if they want to gain access to data in company ACME Co, they do some research about that company, find people who belong to it, often in specific groups they are particularly interested in (the missile division of ACME for example), then seak out information on these people, like what conferences they have attended (attendee lists are often published on the web) or what projects at the company they are working on (a newsletter on the web mentions them in a small article about the Ramrod SuperAgile Counterstrike Missile System), then send them an email tailored just for them: Hi Joe, we found another missile system using flight parameters that may be interesting for use in the Ramrod. Here is the website..., signed your coworker Frank.

The spam from your bank doesn't normally address you by name, or mention details like your account number or which local branch you use and when. In fact, it is the lack of such details that most people use for clues that it is spam, so when those details are there they typically trust it. That is the gist of the article.

If you tried fixing that you did it wrong

[Anonymous Coward]

As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable

Doesn't help if you start out with not even trying.

You can try and teach people the finer points of literature but if they can't even read or write, they're lacking some basic knowledge to build upon.

This basic knowledge in computing has for ages been refused to people on the grounds that the software was "intuitive" and so would convey the basics by osmosis. Turns out it doesn't.

Even something as basic as the difference between To: and Cc:, I've seen people assume "first goes in To:, rest goes in Cc:, and that's not how it works. But nobody had bothered to explain even that. What's the difference, what do we use it for? Poor sod didn't know.

Instead the software provides an environment where all you can do is click and so that's all that people will do. Without looking where they're clicking because looking before you click has been made extra difficult, and so they've long been discouraged from engaging their brains on the question what they're doing. So if the thing in front of them presents them with a link, they're going to click on it, and you cannot blame them.

Similar with how to write reply emails. Why would you slap a single line atop someone's letter and send the entire thing back? Why then, do it with email? Nobody explained how to do it properly so everybody does it wrong, exactly as the (most popular but most poor excuse for an) email client provides. The results are mostly unreadable wastes of time but nobody knows they can do better with trivial effort and so it doesn't happen.

At the very least, should've given them an email client that doesn't do html and doesn't do links. Requiring people to copy/paste the link would be a simple, basic security measure because it requires engaging a few more braincells and actually looking at the url at least while copy/pasting, increasing the chances that dangerous links get spotted. Also because now the href cannot be hidden as easily.

Don't believe me? We live in the age of the veritable flood of poorly-written messages, to the point that most corporate communication consists of poorly worded laments that the communication is so poor. There's no discerning malicious from the merely inept there. It's all crap and yet you have to slog through it. And so that's what the poor untrained drones do.

This isn't really automation, it has nothing to do with empowering users. It's using technology to make puppets out of untrained meat sacks. You really shouldn't blame the meat sacks here.

Security issues of emails ..

[lippydude]

"Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today."

Only on Microsoft Windows, the Operating System that made clicking on a URL or opening an email attachment dangerous. Mainly because Windows doesn't know the difference between OPEN and RUN. If you want to be safe doing your online banking then use a LiveCD [ubuntu.com]

Re:well

[FireFury03]

How are spammers successful so often? Simple, companies don't train people.

Or they train them with exactly the opposite of good behaviour.

Case in point: a few years ago my (at the time) bank sent me a marketing email (and yes, I confirmed it was legit). It wasn't from the bank's normal domain name and it contained lots of links to product descriptions that were also on an unusual domain. It said that I could verify it's authenticity because it contained the first half of my post code (i.e. something that's trivial for anyone to find out). I complained to the bank and the regulator - neither of them would do anything. The bank's excuse was that none of the pages linked from the email asked for my bank credentials so it was ok. This kind of thing trains people to expect that their bank will legitimately send them emails with clickable links that don't go to the bank's main website - the distinction between a link that asks for your credentials and one that doesn't is going to be lost on a lot of people.

Similarly, my Paypal account is currently suspended because they sent me an email telling me I needed to "verify my ID" (by sending them a scan of my driving licence)... this email went into the bin along with all the phishing emails asking me to "verify my paypal account", so when I didn't send them any ID they suspended the account.

Now, banks _do_ need to communicate with their customers, and I can't discount email as a viable method for them to communicate, but they really really need to start providing a sensible method for people to authenticate the legitimacy of the email - why the hell don't they MIME sign the messages, for example? At the moment they are sending out emails that are indistinguishable from phishing messages and then blaming the customer when they get phished.