Phishing has long been a crucial part of attackers’ arsenal. The technique is often deployed against companies and their employees, tricking them into clicking on the provided links and thus initiating various malicious campaigns. To counter the success of phishing, many companies have started employee training programs to help staff recognize fraudulent attempts via email, social media and on the phone.
The Psychology of Phishing
Despite the awareness and the increasing number of company trainings, people still fail to recognize phishing attempts and end up being infected. In many cases, entire enterprises suffer enormous financial losses as a result of one employee opening a phishing email and executing the malicious file attached to it. In other words, knowing about phishing does not always prevent people from clicking.
In a couple of experiments carried out in 2016, researchers concluded that 78% of their test subjects stated that they were indeed aware of the risks associated with phishing and interacting with unknown links. Only 20% of the participants in the first study and 16% in the second said that they had clicked on the link. However, the researchers later established that 45% and 25%, respectively, had clicked on the links. Did the participants lie? The researchers believe that they may have simply forgotten about the message after having clicked on it.
So, why does phishing continue to be so successful despite the awareness programs in organizations and the widely available information? The secret of success lies in the psychology of phishing… and in the subjects of these deceptive emails.
Phishing emails are becoming harder to recognize and block because they have become very convincing. On top of that, employees usually don’t hesitate to open potentially malicious emails even when they are aware of the risk.
“I think it’s to the point where it’s getting commonplace,” he says. “Users are used to seeing phishing emails now. They suck at not responding to them or clicking on them … which is frightening, because [attackers] prey on human nature,” explains Webroot CISO Gary Hayslip. “No matter how much technology you put in place to block them, stuff always gets through,” the security expert adds.
The Most Popular Subjects in Phishing Emails
To get acquainted with recent trends in phishing emails, Webroot recently scanned thousands of such emails gathered over the past 18 months. Hayslip presented the findings to other CISOs, only to find out that “almost everybody’s seeing the same thing,” in his own words. Phishing emails generally have one thing in common: the sense of urgency they create. That urgency is usually built on financial topics, starting with the subject line.
In fact, it isn’t really difficult to spot a phishing email just by looking at the subject. These are the seven most common subject lines in such messages.
- ‘Assist Urgently’, Urgent, Quick Review
- Invoice, Payment, Statement
- Bank of [name of bank], Notification [associated with said bank]
- Verify your account
- Copy, document copy
- ‘Action Required: Pay your seller account balance’
- ‘AMAZON: Your Order no #812-4623 might ARRIVED’
As can be seen, they all create the above-mentioned sense of urgency and are all examples of calls to action. The receiver is urged to do something immediately, and the action is typically associated with revealing personally identifiable and financial information.
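The seven subject lines above can be turned into a simple triage heuristic for a mail gateway or a SOC mailbox. The following is an added example, not code from the article or from Webroot; the phrase lists come from the subject lines quoted above, while the weights, the flag threshold and the sample subjects (including the placeholder "Bank of Example") are assumptions made for this example.

```python
import re

# Signal phrases taken from the seven subject lines quoted in the article,
# grouped by the lure they rely on. The weights are an assumption of this example.
SIGNALS = {
    "urgency":    (2, ["assist urgently", "urgent", "quick review", "action required"]),
    "credential": (2, ["verify your account"]),
    "financial":  (1, ["invoice", "payment", "statement", "bank of", "account balance", "pay your"]),
    "account":    (1, ["notification", "your order"]),
    "document":   (1, ["document copy", "copy"]),
}
ORDER_NO = re.compile(r"#\d{3}-\d{4,}")   # fake order number, e.g. "#812-4623" in the Amazon lure
SHOUTING = re.compile(r"\b[A-Z]{4,}\b")    # all-caps words such as AMAZON or ARRIVED
FLAG_AT = 2                                # score at which a subject is flagged (assumed)

def score_subject(subject: str) -> dict:
    """Score one subject line; returns the score, the matched signals and a verdict."""
    lowered = subject.lower()
    score, reasons = 0, []
    for name, (weight, phrases) in SIGNALS.items():
        hits = [p for p in phrases if p in lowered]
        if hits:
            score += weight            # each category counts once, however many phrases hit
            reasons.append(f"{name}:{','.join(hits)}")
    if ORDER_NO.search(subject):
        score += 1
        reasons.append("fake-order-number")
    if SHOUTING.search(subject):
        score += 1
        reasons.append("all-caps")
    verdict = "flag" if score >= FLAG_AT else ("review" if score else "clean")
    return {"subject": subject, "score": score, "reasons": reasons, "verdict": verdict}

def triage(subjects):
    """Return only the subjects that reach the flag threshold, highest score first."""
    scored = [score_subject(s) for s in subjects]
    return sorted((r for r in scored if r["verdict"] == "flag"), key=lambda r: -r["score"])

# Constructed sample: the article's lures plus benign subjects for comparison.
SAMPLE_SUBJECTS = [
    "Assist Urgently",
    "Action Required: Pay your seller account balance",
    "AMAZON: Your Order no #812-4623 might ARRIVED",
    "Bank of Example: Notification",
    "Verify your account",
    "Invoice",
    "Team lunch on Friday",
    "Minutes from yesterday's meeting",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_SUBJECTS):
        print(f"{r['score']:>2}  {r['verdict']:<6} {r['subject']}  ({'; '.join(r['reasons'])})")
```

A single financial word such as "Invoice" lands in "review" rather than "flag", since it is as common in legitimate mail as in lures; the urgency and credential phrases are what push a subject over the threshold on their own.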
If you are tricked into revealing your personal or credit card information, your real accounts may be compromised, and your identity may be stolen and misused. If you encounter such an email, don’t open it, or if you do open it, don’t interact with any of the links or attachments. In addition to being robbed, you may end up with your system flooded with malware.