The psychology of social engineering and phishing

Security challenges

There’s a reason phishing attacks are known as social engineering. They’re human-activated, and simply don’t work unless someone takes the figurative bait. That’s why even though phishing originates externally, it falls under the umbrella of insider threat – someone internal needs to make a mistake.

Phishing is ultimately an emotional attack. It plays on our emotions and tricks us into doing something we wouldn’t normally do when we’re concentrating at our best. So what specific psychological tricks do cybercriminals use? And how can we use that knowledge against them?

Why do we still fall for phishing?

Many people think they would never fall for a phishing attack (or scams in general) because they’re educated, experienced professionals. They may even have gone through rigorous cybersecurity training. However, this overconfidence can lead to complacency, which is exploited by criminals.

In fairness, most people with even basic cybersecurity training do know the warning signs of phishing. They’re diligent at work, and they don’t act recklessly. The truth, though, is that there are times when any of us can become stressed, tired, or forced to rush. It’s in those mindsets that we’re most error-prone, and far better targets for phishing.

For that exact reason, cybercriminals have been quick to pounce on the fallout of the COVID-19 pandemic. Our research shows only 28% of remote workers have access to a solo office, while 46% feel pressured to use email outside of office hours (often from mobile devices). Factors like these have made it even easier for hackers to press on the psychological triggers that make phishing so effective.

Psychological triggers in phishing

The purpose of a phishing attack is to pull us out of our mindset of questioning the validity and security of communications. Consider the hallmarks of the most common form of social engineering – email phishing. These are just some of the psychological triggers scammers use to make us think emotionally, rather than logically.

  • Urgency: a phishing email usually wants something done right now, as the longer you have to think, the more you may question whether it’s legit
  • Plausibility: the days of foreign princes offering a share of their fortune have gone… modern phishing attempts will be based on real-life, often mundane scenarios
  • Familiarity: there’s been a marked rise in spear phishing, where the attack is at least partially tailored to an individual – often claiming to be from an authority figure such as their CEO or head of security
  • Confidentiality: the action required is specific to you and needs to be done by you alone, as getting someone else involved increases the chances of the scam being spotted

It’s also common for criminals to target people who have just moved to new companies (information that can often be found easily on social media), as fear and anxiety are powerful motivators. These people are more likely to be anxious to impress a new boss and unaware of the subtle signs that something is amiss with their communication style. If you’ve worked under a CEO for many years, you’ll most likely see the signs of a scam email. On your first day of work? Perhaps not.

Can we use psychology to protect ourselves?

According to Dr Jessica Barker in a recent Egress webinar, the key to stopping phishing could lie in behavioural economics. We process information in two ways: the calm, collected way, where we analyse problems in a measured, thoughtful manner, like working through a difficult maths sum; and the second, more impulsive way, where we act almost on autopilot, such as driving a car on an empty road.

Phishing attacks use psychological triggers to push us away from the first frame of mind and into the second. They want us to act quickly, clicking and responding on autopilot rather than in a slow, analytical manner. That’s why urgency is so key in phishing – if we came back to the email later in the day, we might not fall for it on closer inspection.

It’s for this exact reason that so many people have an ‘oh no…’ reaction almost immediately after they’ve fallen for a phishing scam. We see the same thing with misdirected email. As soon as our brain slows down again, we begin to question what we just did. The training is remembered and the warning signs of a mistake start to creep in.

The problem businesses have is that it’s all very well understanding these psychological nuances – but how can they help people in practice? How can we get employees to think that split-second earlier? The good news is we can, with a little help from technology.

Evening the odds with human layer security

Cybercriminals aren’t looking for technological gaps to exploit when it comes to phishing – they’re trying to find cracks in the human layer. That’s also why the answer to phishing isn’t ever going to be technology alone. It’s about empowering people to become an integral part of an organisation’s defence, rather than seeing them simply as a security problem to be mitigated.

Human layer security tools such as Egress Defend are able to give people a nudge back towards their calmer, more collected way of thinking. As we noted before, most of the time people can be trusted to do the right thing. Egress Defend uses machine learning to analyse the content and context of emails in the background, offering people gentle traffic-light warning prompts when the signs of phishing emerge.
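To make the “nudge” idea concrete, here is an added Python sketch (not Egress Defend’s code, and not part of the original post) that turns the triggers listed earlier – urgency, familiarity and confidentiality – into a simple traffic-light verdict for an email. It looks for urgency and confidentiality phrases in the subject and body, and flags familiarity when the display name matches a known executive but the sender’s domain is not the organisation’s own. The cue lists, executive roster, organisation domain and the three sample emails are all constructed assumptions for illustration; a real product would use far richer signals and learned models rather than fixed phrase lists.

```python
"""Heuristic traffic-light phishing nudge (added educational example).

Scores an email for the psychological triggers discussed above and
returns a green/amber/red prompt. Every list and sample below is
constructed for illustration; nothing here is Egress Defend's code.
"""
import re
from dataclasses import dataclass, field

# Constructed phrase lists standing in for the "urgency" and
# "confidentiality" triggers. A real system would learn these.
URGENCY_CUES = (
    "immediately", "right now", "urgent", "asap", "within the hour",
    "before end of day", "today", "act now",
)
CONFIDENTIALITY_CUES = (
    "keep this between us", "do not discuss", "don't discuss",
    "confidential", "don't tell", "do not tell", "handle this yourself",
)
# Constructed roster of people whose names are worth impersonating,
# and the organisation's own domain (assumed).
EXECUTIVES = {"jane doe": "CEO", "sam patel": "Head of Security"}
ORG_DOMAIN = "example.com"
# Familiarity (name spoofing) weighs more than a single urgent phrase,
# because legitimate mail is often urgent but rarely name-spoofed.
WEIGHTS = {"urgency": 1, "confidentiality": 1, "familiarity": 2}


@dataclass
class Finding:
    trigger: str   # which psychological trigger was detected
    detail: str    # the evidence behind it


@dataclass
class Verdict:
    colour: str    # "green", "amber" or "red"
    score: int
    findings: list = field(default_factory=list)


def _display_name(from_header: str) -> str:
    """Return the lower-cased display name from a From: header."""
    return from_header.split("<", 1)[0].strip().strip('"').lower()


def _sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header
    return addr.strip().rsplit("@", 1)[-1].lower()


def analyse(from_header: str, subject: str, body: str) -> Verdict:
    """Score one email and map the score to a traffic-light colour."""
    text = f"{subject}\n{body}".lower()
    findings = []
    urgent = [c for c in URGENCY_CUES if c in text]
    if urgent:
        findings.append(Finding("urgency", ", ".join(urgent)))
    secret = [c for c in CONFIDENTIALITY_CUES if c in text]
    if secret:
        findings.append(Finding("confidentiality", ", ".join(secret)))
    name, domain = _display_name(from_header), _sender_domain(from_header)
    if name in EXECUTIVES and domain != ORG_DOMAIN:
        findings.append(Finding(
            "familiarity",
            f"display name matches the {EXECUTIVES[name]} but the sender "
            f"domain is {domain}, not {ORG_DOMAIN}"))
    score = sum(WEIGHTS[f.trigger] for f in findings)
    colour = "green" if score == 0 else "amber" if score == 1 else "red"
    return Verdict(colour, score, findings)


def prompt(verdict: Verdict) -> str:
    """Render the gentle warning a user would see before acting."""
    if verdict.colour == "green":
        return "GREEN: no phishing triggers detected."
    reasons = "; ".join(f"{f.trigger}: {f.detail}" for f in verdict.findings)
    advice = ("take a moment before acting" if verdict.colour == "amber"
              else "pause and verify the sender through another channel")
    return f"{verdict.colour.upper()}: {advice} ({reasons})"


# Constructed sample emails: (From header, subject, body).
SAMPLE_CEO_FRAUD = (
    '"Jane Doe" <jane.doe@examp1e-mail.net>', "Quick favour",
    "I'm in a meeting and can't talk. I need you to buy gift cards for a "
    "client right now and send me the codes. Keep this between us until "
    "I announce it.",
)
SAMPLE_ROUTINE = (
    '"Jane Doe" <jane.doe@example.com>', "Quarterly all-hands",
    "The all-hands is booked for Thursday at 10. Agenda to follow from my EA.",
)
SAMPLE_DEADLINE = (
    '"Finance Team" <finance@example.com>', "Expense claims due",
    "Please submit outstanding expense claims before end of day so they "
    "make this month's payroll run.",
)

if __name__ == "__main__":
    for sample in (SAMPLE_CEO_FRAUD, SAMPLE_ROUTINE, SAMPLE_DEADLINE):
        print(prompt(analyse(*sample)))
```

The thresholds deliberately keep a lone urgency cue at amber: plenty of legitimate mail is urgent, and a prompt that fires red on every deadline would train people to ignore it, which is the opposite of the nudge the text describes.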

Some phishing emails will always slip through the defences, so we need to tap into psychology to beat them. Criminals use psychological triggers to turn people into security risks – so we provide the tools to even up the odds and turn people into security assets. Most employees know the right thing to do, and it’s about offering a technological guardrail that can nudge them back towards the place where they make smart security decisions.