The Psychology of Phishing

An anonymous reader writes Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today. Cybercriminals understand that we are a generation of clickers and they use this to their advantage. They will take the time to create sophisticated phishing emails because they understand that today users can tell-apart spam annoyances from useful email, however they still find it difficult identifying phishing emails, particularly when they are tailored to suit each recipient individually. Fake emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link. To put that into context a legitimate marketing department at a FTSE 100 company typically expects less than a 2% click rate on their advertising campaigns. So, how are the cybercriminals out-marketing the marketing experts?

Remember

[djupedal]

It's the singer....not the song.

School smarts lose to street smarts.

Stopped using LinkedIn

[Animats]

I was getting so much LinkedIn related junk that I stopped using LinkedIn and sent all email from them, or purporting to be from them to trash. If LinkedIn isn't putting in the effort to find their attackers, why should I use them?

Re:well

[s.petry]

Sometimes yes, but not always true. Sure, "Free Porn" will get a whole lot of clicks, especially from uneducated people (who are usually schooled shortly thereafter by the spammer).

Professional phishing is geared to make it look like something the target company sent out. Working in DOD for about a decade, I saw some exceptional work. They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.

How are spammers successful so often? Simple, companies don't train people.

At the DOD site I worked at, it was a weekly training memo from our security team on the latest threats. Phishing was always a topic. People had to read the briefings or they could be terminated. 3-4 questions were enough to ensure people at least skimmed the content. Before you get anal about productivity, the email was a 2 minute read max, so even if you had to read it twice to answer the few questions it was a whopping 5 minutes out of your Friday.

We experienced numerous well crafted phishing attacks, and had 1 person out of 5,800 click the link. That person immediately contacted security, and we reset all of their account data. That was 1 out of 5,800 once, and we had professional campaigns run against us several times a year.

Now, take the average IT company in Silicon Valley which spends no time training on these issues (if your company has security awareness training I'm not referring to you, your company is not "average"). Since their people lack training, it's not uncommon to see 10% success in a phishing campaign. Compounding the problem, people often won't report the breach until it's too late if they report the incident at all (cultural issue with many companies in SV).

Re:well

[vasanth]

We experienced numerous well crafted phishing attacks, and had 1 person out of 5,800 click the link. That person immediately contacted security, and we reset all of their account data. That was 1 out of 5,800 once

or 1 out of 5,800 realised that they were being phished and many more never realised it...

People should look where they are going

[blackest_k]

The one that seems to catch people out is the link which they click on in a mail in gmail.
that takes them to gmail.google.com.myphishingsite.info/sessionexpired
which presents them with a message like session expired please login to your gmail account and the top line already has their email address all they need do is enter their password.

Most people don't question why would that happen a few seconds after clicking on the link
quite possibly because Google and facebook don't take you straight to a link they log it first by an intermediate page and then redirect you to the destination (i see it all the time on my slow connection).
The page looks authentic and they tend not to look at the address bar and see the bolded address myphishingsite.info.
often its a site like fgjfjhki23d.info a random jumble of characters just like the ones a site like google and facebook use all the time. People are used to seeing this sort of thing
e.g http://it.slashdot.org/comment... [slashdot.org] of this address (taken from the address on this page) only it.slashdot.org make any sense to most people and thier eyes glaze over beyond the initial it.slashdot.org

Thats a problem without any training in website design then its pretty hard to tell the real from the fake.
Thing is once an email account has been harvested it immediately sends out a 100 emails to the address book of that user and the same thing happens again.

Most people think they had thier email hacked not realising they gave away thier password.
kind of hard to stop people for falling for this sort of thing. The emails are even clever enough to redirect to an alternative page once the fake webmail page has been brought up once.

People here would say its because people are stupid, but most people just don't have enough knowledge or interest in this area to know when something is fake or genuine.

It is probably impossible to fix especially when the sites we use everyday use random looking charactor sequences as part of the url.

Re:well

[gstoddart]

How did you know that others didn't click on it and then not mention it to anyone?

The company I work for does periodic in-house phishing/spam tests.

If you fail and click the link, you get sent for extra security training. They know, because they're the ones who own the machines you went to.

I gather a surprising amount of people actually fall for them. I find myself looking at "1 in 5800" and thinking "wow, you have some good training".

When my parents got on the interwebs, in so uncertain terms, I sat them down and had "the talk": The internet is a dark and scary place, and not something you just trust. I explained phishing and spam, as well as how to spot fake telemarketers and scams.

My parents have learned to be wary and a little skeptical when someone initiates contact with them, and know to ask for proof. On many occasions they've spotted stuff, though I still worry they might miss something.

But, I still remain amazed at how many people who work in technology fields still blindly click stuff. I expect senior citizens and the like to be less aware of this stuff, but if you've worked in technology for any period of time, you should know better.