
Why we fall for phishing emails — and how we can protect ourselves

Jan 30, 2020

New research on the psychology behind phishing reveals where some of our biases and weak points lie. By being aware of our mental tendencies and our vulnerabilities, we can help safeguard ourselves from ever falling for the bait, says cybersecurity expert Daniela Oliveira.

The term “phishing” was first used in 1996 to mean “a scam by which an internet user is duped into revealing personal or confidential information which the scammer can use illicitly.” Since then, phishing has exploded in volume and intensity. At least 3.4 billion phishing emails are sent out worldwide every day, and phishing scams account for half of all fraud attacks, according to Valimail’s Email Fraud Landscape for Spring 2019 report.

When it comes to phishing, it’s possible to lose everything with just a click. In fact, you probably know people who have — who gave away their most important personal or financial information, or downloaded a destructive virus, or ended up installing malware on their computer that compromised their files. In the infamous case of John Podesta, Hillary Clinton’s campaign chairman for the 2016 presidential election, his clicking on a phishing email allowed a foreign nation to steal politically sensitive emails. That’s the power of phishing.

Phishing emails are carefully designed by scammers and criminals to manipulate our emotions and tap into our unconscious biases, so humans are practically hardwired to fall for them, says cybersecurity expert and computer scientist Daniela Oliveira, an associate professor at the University of Florida in Gainesville. Deception “is as old as human beings, and phishing is deception in cyberspace,” she says. Many efforts to combat phishing involve deploying technology-based solutions and strategies, but Oliveira is interested in using psychology to understand why people fall for phishing and how to protect them from being duped.

Phishing emails use emotional tactics to get us to bypass logic — and click the link. To explain why phishing works, Oliveira turns to Nobel Prize-winning psychologist and economist Daniel Kahneman’s model of two systems of thinking. System 1 is fast, intuitive, and emotional — “like when you come to a doctor’s appointment and you decide where to sit,” she says. System 2, on the other hand, is slow and deliberate. Because we have to make thousands of decisions per minute, we need System 1, which depends on mental shortcuts to help us move through life efficiently. For instance, we have a truth bias, a belief that others are more likely to tell the truth than to lie; to assume otherwise would be exhausting. But biases like this can also leave us open to unwise decisions, by, say, making us predisposed to assume that an email which says it’s from our bank updating our password is really from our bank.

By appealing to our biases and emotions, phishing tries to get us to stay in automatic mode, aka System 1. Phishers want users to “make a fast, not a thoughtful decision,” explains Oliveira. In order to do so, phishing emails frequently manipulate us via mental shortcuts, also known as heuristics. Psychologist Robert Cialdini has identified seven such shortcuts, which he calls “psychological principles of influence.” These principles include authority, commitment, liking, perceptual contrast, reciprocation, scarcity and social proof.

All of these principles can be exploited by phishers. An email claiming to be from the US Internal Revenue Service, for example, takes advantage of the fact that people tend to obey orders given by authority figures. An example of reciprocity in phishing could be getting an emailed coupon and being asked to click on a button to sign up for the retailer’s newsletter; many of us feel naturally inclined to pay others back in some way when we get a gift or freebie.

Oliveira teamed up with psychologist Natalie Ebner, also at the University of Florida, to study how people of different ages reacted to different phishing tactics. Under the guise of wanting to study internet usage, the team recruited a group of people who ranged in age from 18 to 89 to participate in a 21-day study. On every day of the study, Oliveira’s team sent participants a so-called “spear-phishing email,” that is, a phishing email that is somewhat tailored to the individual. They drafted these emails based on real phishing examples and designed them to implement all of Cialdini’s principles.

The team also targeted their emails to different aspects of life, such as finances, health, ideological issues, legal issues, security and social issues. For example, one fake email employed the scarcity tactic in finances, offering the victim a discount on their next electric bill if they filled out an online survey within the next three days. Another informed the recipient that they had committed a parking violation and asked them to click a link to get more information and pay the fine, exploiting the tactic of authority within the legal realm. If the user took the bait and clicked on the link in the phishing email, they were sent to a fake, innocuous webpage, and the researchers recorded a hit. In addition, participants were asked to report their mood every day, which allowed the researchers to measure their positive affect — that is, how intensely a person feels positive emotion. Participants aged 62 and older were also given a 30-minute test over the phone that measured different cognitive functions.

Who fell for the phishing emails? Nearly half of the people did: 43 percent of participants took the bait at least once and 11.9 percent clicked more than once. Older women (those aged 62 and older) were significantly more susceptible than any other group.

But not every phishing tactic was equally successful with each age group. Younger adults (18-37) were significantly more susceptible to emails that claimed scarcity (the limited-time electricity bill discount, for example), while older adults (over 62) fell for reciprocity. Overall, authority stood out significantly as the most convincing appeal for all ages, and all users were significantly more vulnerable to emails that dealt with legal issues. One email read, “Our resources have indicated that you have a parking violation from 12/17/2015 at SW 89th Avenue at 3:34PM. Please go to our website to obtain more information about the violation and to pay your fine or refute or ticket.”

The pull of authority and legal issues was not surprising to Oliveira. “As human beings, we try in general to avoid breaking the law, to conform to norms and rules,” she says. “It’s how we’re hardwired to behave.” For example, she states that many people fall for phishing emails claiming to come from the United States Internal Revenue Service. While our first instinct may be to comply with a request from such an authority as quickly as possible, “of course we should be careful and double check,” she says.

One concerning finding had to do with people’s assessment of their own susceptibility to email scams. At the end of the study, participants were asked to read a set of 21 phishing emails (different from the ones they had gotten in their inboxes) and rate how likely they would be to click on each one. Interestingly, people indicated a low likelihood that they’d fall for them, but contrast this with the fact that 43 percent of the group clicked on a phishing email at least once. And with older users, this divide was even greater. Adults younger than 37 were more aware of their vulnerability than adults over 62 were. Oliveira says this is “more problematic”: “Older adults are more susceptible and they are less aware.”

Another discrepancy between the age groups: Adults under the age of 37 clicked less often on phishing emails as the study went on, which suggests they might be learning with experience. However, adults over the age of 62 clicked just as often during the beginning, middle or end of the study. This is a cause for concern, says Oliveira, because “this is a very important population. Not only do they hold many positions of power” — think CEOs, heads of state, senior leaders and judges — “but they also accumulated assets over their long lifetime, and these assets are online.”

The good news: Higher cognitive function and certain emotional characteristics seemed to protect older adults from attack. For instance, adults aged 62-74 who scored higher on measures of verbal fluency, or who had greater positive affect, were more aware of their vulnerability. Among the oldest participants (ages 75-89), people who scored higher on parts of the battery that tested short-term episodic memory seemed to be protected from phishing emails, as did people with greater positive affect. Young users also seemed to benefit from higher positive affect.

Oliveira says it’s too early in the research to know precisely why different age groups are more susceptible to certain tactics. Similarly, it’s not clear why older women were the most vulnerable group, although psychology research has shown that as cognitive ability declines with age, people in general appear to become more vulnerable to deception.

But here’s one thing we can take away now from this research: We can realize that it’s human nature to scan emails when we’re in knee-jerk System 1 mode. And we can counteract this tendency by prompting ourselves to go into thoughtful, System 2 mode with emails that ask for important information (such as passwords or account numbers), request payments, or dangle freebies, especially downloads. So, before clicking on a link to get a complimentary e-book of recipes or settle a fine, you could remind yourself to “engage in System 2 and say, ‘Wait a minute; let me double-check,’” suggests Oliveira. Then take a moment to verify whether the email is really coming from a legitimate address or organization, and recognize what you’re getting yourself into when you opt to click on a link.
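The “double-check” Oliveira recommends can be partly mechanized. The script below is an added illustration, not code from the article or from Oliveira’s study: it parses a constructed email in the style of the parking-violation lure described above and reports the structural signs a careful reader would look for (a display name unrelated to the sending domain, a Reply-To on a different domain, link text that names one site while the link points at another), together with which of Cialdini’s appeals the wording leans on. The keyword lists, the sample messages and every domain in them are assumptions made up for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample, not from the study: a parking-violation lure in the style
# the article describes, with a display name unrelated to the sending domain,
# a Reply-To on a third domain, and a link whose text disagrees with its target.
SUSPICIOUS_EMAIL = """\
From: "City Parking Authority" <notices@example-mailer.test>
Reply-To: collect@another-domain.test
To: resident@example.test
Subject: Parking violation - pay within 3 days
Content-Type: text/html; charset=utf-8

<p>Our records indicate you have a parking violation. You must pay your fine
within 3 days to avoid further penalties.</p>
<p><a href="http://pay.another-domain.test/fine">www.cityparking.gov</a></p>
"""

# Constructed benign counterpart for comparison.
BENIGN_EMAIL = """\
From: "Example Bank" <alerts@examplebank.test>
To: resident@example.test
Subject: Your March statement
Content-Type: text/html; charset=utf-8

<p>Your statement for March is now available in online banking.</p>
<p><a href="https://www.examplebank.test/statements">www.examplebank.test</a></p>
"""

# Vocabulary that tends to accompany the influence principles named in the
# article (authority, scarcity, reciprocation). Illustrative, not exhaustive.
APPEAL_KEYWORDS = {
    "authority": ["violation", "fine", "penalt", "irs", "legal", "must"],
    "scarcity": ["within", "days", "limited", "expire", "immediately"],
    "reciprocation": ["coupon", "free", "gift", "discount"],
}

HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Crude last-two-labels domain (no public-suffix list); enough for a demo."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def analyze(raw):
    """Return structural red flags and the influence appeals present in a message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    sender_domain = registrable_domain(sender.domain)

    # A display name sharing nothing with the sending domain is a reason to look
    # twice. Legitimate senders trigger this too, so it is a prompt for System 2,
    # not a verdict.
    name_words = [w for w in re.findall(r"[a-z]+", sender.display_name.lower()) if len(w) >= 4]
    if name_words and not any(w in sender.domain.lower() for w in name_words):
        findings.append("display_name_unrelated_to_domain")

    # Replies routed to a domain other than the sender's.
    if msg["Reply-To"] is not None:
        reply_domain = registrable_domain(msg["Reply-To"].addresses[0].domain)
        if reply_domain != sender_domain:
            findings.append("reply_to_domain_mismatch")

    body = msg.get_body(preferencelist=("html", "plain")).get_content()

    # Link text that shows one host while the href points at another.
    for href, text in LINK_RE.findall(body):
        target = urlparse(href).hostname or ""
        shown = HOST_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable_domain(shown.group(1)) != registrable_domain(target):
            findings.append("link_text_domain_mismatch")

    # Which of the article's influence principles does the wording lean on?
    text = (msg["Subject"] + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    appeals = [name for name, words in APPEAL_KEYWORDS.items()
               if any(w in text for w in words)]

    return {"findings": findings, "appeals": appeals}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze(raw))
```

The point of the appeal tags is the one the article makes: an email that combines authority (“violation”, “fine”) with scarcity (“within 3 days”) is engineered for a fast System 1 decision, so that combination is exactly the cue to slow down and verify the sender out of band. None of these checks proves an email is malicious; the domain-mismatch findings are the cheap, objective facts a reader can confirm before clicking.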

Understanding our vulnerability to phishing might also make any anti-phishing training we go through more effective. As of now, says Oliveira, trainings — which include games, lectures, tutorials, simulated phishing emails — don’t quite seem to do the trick. She points to a recent study, in which more than 3000 employees of a corporation were told how to recognize attacks. A few months later, when researchers phished the employees, the employees fell for the tactics they’d been trained to resist. Still, if a training were tailored to a certain demographic, it could be shortened so people won’t have to remember as much information, allowing them to better grasp and retain what they need to know, according to Oliveira. For example, people in an age group might receive a quick overview of different phishing appeals but learn more about the specific appeals that tend to work better on them and their peers in studies. “That’s what we’re trying to advocate moving forward,” Oliveira says. “Interventions and anti-phishing solutions should move from a one-size-fits-all to a more targeted approach.”

Susceptibility studies are still in their infancy, but as they continue, they could reveal more variations, by examining what appeals work on people of different occupation types or with different levels of education. The story might also change when researchers go beyond phishing attacks that gather personal data or spread viruses and look at how people respond to phishing attacks that spread misinformation, like fake news. The more we can understand the nuances of what drives us to set aside our judgement and click, the more we can equip ourselves — and our System 2s — to protect us, believes Oliveira.

Another takeaway from this research: To protect people from cyber attacks like phishing, internet security experts need to tap into the expertise of psychology, Oliveira says. Traditionally, cybersecurity has depended on technology-based solutions. “The fields of psychology and neuroscience are much older than the fields of computer science and cybersecurity,” Oliveira points out. “One of the points of our work is that my community — cybersecurity — is overlooking what other fields have already found.” While technology adapts and shifts quickly and frequently, humans don’t, she says — and anti-phishing strategies should take that into account: “Evolution has hardwired us to operate the way we do. We’re not going to change that fast.”
