
The psychology of social engineering and phishing

by Egress
Published on 3rd Jun 2021

There’s a reason phishing attacks are known as social engineering. They’re human-activated, and simply don’t work unless someone takes the figurative bait. That’s why even though phishing originates externally, it falls under the umbrella of insider threat – someone internal needs to make a mistake.

Phishing is ultimately an emotional attack. It plays on our emotions and tricks us into doing something we wouldn’t normally do when we’re concentrating at our best. So what specific psychological tricks do cybercriminals use? And how can we use that knowledge against them?

Why do we still fall for phishing?

Many people think they would never fall for a phishing attack (or scams in general) because they’re educated, experienced professionals. They may even have gone through rigorous cybersecurity training. However, this overconfidence can lead to complacency, which is exploited by criminals.

In fairness, most people with even basic cybersecurity training do know the warning signs of phishing. They’re diligent at work, and they don’t act recklessly. The truth, though, is that there are times when any of us can be stressed, tired, or forced to rush. It’s in those mindsets that we’re most error-prone, and far better targets for phishing.

'Working on autopilot' is sometimes referred to as Type 1 thinking. It's how we spend a lot of our time, reacting intuitively to situations we've experienced many times before, like driving a car, getting dressed, or replying to an email. Type 2 thinking is where we slow down and apply considered, analytical thought to something, such as working out a math problem. In a Type 2 mindset, many people would spot the signs of phishing - which is why attackers have techniques to shift us into fast, automatic Type 1 thinking. 

Psychological triggers in phishing

The purpose of a phishing attack is to pull us out of our mindset of questioning the validity and security of communications. Consider the hallmarks of the most common form of social engineering – email phishing. These are just some of the psychological triggers scammers use to make us think emotionally, rather than logically.

  • Urgency: a phishing email usually wants something done right now, as the longer you have to think, the more you may question whether it’s legit
  • Plausibility: modern phishing attempts will be based on real-life, often mundane scenarios. An invoice needs paying, or a file needs sharing 
  • Familiarity: there’s been a marked rise in spear phishing, where the attack is at least partially tailored to an individual – often claiming to be from an authority figure such as their CEO or head of security
  • Confidentiality: the action required is specific to you and needs to be done by you alone, as getting someone else involved increases the chances of the scam being spotted

It’s also common for criminals to target people who have just moved to new companies (info that often can be easily found on social media), as fear and anxiety are powerful motivators. These people are more likely to be anxious to impress a new boss and unaware of the subtle signs that something is amiss with their communication style. If you’ve worked under a CEO for many years, you’ll most likely see the signs of a scam email. On your first day of work? Perhaps not.

Can we use psychology to protect ourselves?

Phishing attacks use psychological triggers to push us away from Type 2 thinking and into Type 1 thinking. They want us to act quickly, clicking and responding on autopilot rather than in a slow, analytical manner. That’s why urgency is so key in phishing – if we came back to the email later in the day, we might not fall for it on closer inspection.

It’s for this exact reason that so many people have an ‘oh no…’ reaction almost immediately after they’ve fallen for a phishing scam. We see the same thing with misdirected email. As soon as our brain slows down again, we begin to question what we just did. The training is remembered and the warning signs of a mistake start to creep in.

The problem businesses have is that it’s all very well understanding these psychological nuances – but how can they help people in practice? How can we get employees to think that split-second earlier? The good news is we can, with a little help from technology.

Even the odds with technology

Tools such as Egress Defend are able to give people a nudge back towards their calmer, more collected way of thinking. Because, as we noted before, most of the time people can be trusted to do the right thing. Defend uses a combination of technologies, including machine learning and natural language processing, to analyze the content and context of emails, then offer people 'real-time teachable moments' when the signs of phishing emerge.

The phishing threat has been neutralized, but people are also empowered to learn and understand why. Cybercriminals use psychological triggers to turn people into security risks – so we provide the tools to even up the odds and turn people into security assets. Most employees know the right thing to do, and it’s about offering a technological guardrail that can nudge them back towards the place where they make smart security decisions.
