We fall for them often. Phishing emails keep finding their way into companies through employees. Everyone – tiny, small and large companies alike – continues to fall victim to them. And at the heart of the attacker's plan lies a psychology-based approach to getting employees to click on that link.
How often do these attacks occur? According to Wombat Security’s 2016 State of the Phish report, “85% of organizations have suffered phishing attacks.” That’s a large number. Recent news stories include the Google Docs phishing campaign of May 2017, and the report that the US Securities and Exchange Commission was the target of a phishing attack. The stories are all too common.
The latest statistic from PhishMe declares that 91% of cyber attacks start with a phishing email. The truth is that phishing is a common tactic, and yet it is still hard for employees to spot a potential attack. We have many click-happy employees on the loose.
The tough news is that we’re a generation of clickers. With our heightened involvement in social media, clicking seems to have been woven into our DNA. We are less sceptical of strangers who ‘friend’ us on Facebook, and we’re more willing to befriend people we’ve never met. Remember when mother told us not to talk to strangers? Sadly, that old-school advice needs to be taken online.
What do we do with these click-happy employees? Despite training, 30% of phishing emails are opened by the recipient, and email remains the number one delivery method for cyber attacks. Managers need to take the time to understand the psychology behind why employees click, then bring that knowledge to the team. It’s one added layer of security on top of the already established information security training program.
Approximately 95% of cyber attacks and security events involve preventable human error and behavioral weakness. We want to change this. Below are common behavioral loopholes that cyber criminals enjoy exploiting.
1. They know when you’re stressed. It’s the end of the month, and you’re rushing to finish the sales report. It’s Friday, and you’re running out the door to make it to your child’s little league baseball game. Cyber criminals know when you’re stressed and not at your 100% awareness peak.
2. They enjoy sending during peak hours. You walk in Monday morning, and the first thing you do is check your email. Yes, we’re all guilty of this. Cyber criminals take advantage of peak hours, when they know your eyes are on your inbox. They’ve done the research; they know when to find you. Scary, huh?
3. They use your managers and CEOs as leverage. You’re more likely to open an urgent email from your boss or a senior executive. But be warned: cyber criminals exploit this ‘chain of command’ and deference to authority to increase your click rate. This is the pattern behind CEO fraud and business email compromise, where the sender’s display name shows the executive while the actual address belongs to the attacker.
4. They become your secret friend. We talked about how we’re becoming more “friend happy” on Facebook. Cyber criminals use the power of friendship to gain credibility and personalize their messages. Imagine this. They become friends with you on Facebook. They learn your favorite hobbies, your first name and your upcoming vacation plans. Now they have all the right material to write a very compelling phishing email.
5. They use fear. We humans run from fear. Fear makes our breathing faster and our palms sweaty. Fear also sometimes makes us irrational and prone to snap decisions. Cyber criminals prey on this by creating urgent emails that demand you click quickly, or something bad will happen.
6. They take advantage of your overconfidence. Yes, it’s possible to become overconfident about never clicking a malicious link in a phishing email. “It happens to everyone else, but it’ll never happen to me. I’ve completed a training program, and I’m an A+ expert.” Don’t let the criminal get the upper hand by letting them take advantage of this simple behavioral trait.
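Mail filters and security-operations triage scripts turn several of the cues above (impersonated authority, urgency and fear language, and spoofed or look-alike senders) into signals that can be scored before an employee ever sees the message. The following is an added example, not code from the original post; it uses only the Python standard library, and the internal domain, the executive roster, the keyword list and the two sample messages are all constructed assumptions for illustration.

```python
"""Heuristic phishing triage keyed to the social-engineering cues above:
impersonated authority, urgency/fear language, and spoofed or look-alike
senders. Added example; not code from the original post."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed organisation data (assumptions made for this example).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real mailbox

# Pressure language that phishing lures lean on (illustrative list, not exhaustive).
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|right away|act now|final notice|"
    r"within 24 hours|will be suspended)\b", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance; used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw):
    """Return (score, reasons) for one RFC 5322 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []

    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()

    # Authority cue: a known executive's name on a mailbox that is not theirs.
    real = EXECUTIVES.get(display.strip().lower())
    if real and addr.lower() != real:
        score += 3
        reasons.append(f"display name '{display}' does not match {real}")

    # Look-alike cue: the sender domain is a near miss of our own domain.
    label, our_label = from_domain.split(".")[0], INTERNAL_DOMAIN.split(".")[0]
    if from_domain != INTERNAL_DOMAIN and 0 < edit_distance(label, our_label) <= 2:
        score += 2
        reasons.append(f"look-alike domain {from_domain}")

    # Routing cue: replies silently diverted to a third domain.
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = parseaddr(str(reply_to))[1].rpartition("@")[2].lower()
        if reply_domain and reply_domain != from_domain:
            score += 2
            reasons.append(f"Reply-To goes to {reply_domain}")

    # Fear/urgency cue: pressure language in the subject or the plain-text body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    for field, text in (("subject", str(msg.get("Subject", ""))), ("body", body)):
        hit = URGENCY.search(text)
        if hit:
            score += 1
            reasons.append(f"urgency language in {field}: '{hit.group(0)}'")
    return score, reasons


# Constructed sample messages, not captured traffic.
CEO_FRAUD = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo-office@mail-relay.net
To: bob@example.com
Subject: URGENT wire transfer needed today

Bob, I'm in a meeting and can't talk. Process the payment immediately; I'll explain later.
"""

ROUTINE = """\
From: Alice Smith <alice.smith@example.com>
To: bob@example.com
Subject: Lunch on Friday?

Want to grab lunch Friday? No rush.
"""

if __name__ == "__main__":
    for name, raw in (("CEO_FRAUD", CEO_FRAUD), ("ROUTINE", ROUTINE)):
        total, why = score_message(raw)
        print(f"{name}: score {total}", *why, sep="\n  ")
```

The constructed CEO-fraud message scores 9 (executive display name on a foreign mailbox, a look-alike domain, a diverted Reply-To, and urgency words in both subject and body) while the routine message scores 0. Treat a score like this as a triage aid that decides what gets a warning banner or an analyst's attention, not as a verdict; in production you would combine it with the SPF, DKIM and DMARC authentication results on the message rather than trusting the From header on its own.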
To be successful, employees need to learn the psychology behind why they click on malicious emails. Cyber criminals are using many simple methods, and it’s time to stop letting them get away with it. Employee monitoring and behavioral analytics are another method companies can use to bring awareness to phishing and counter the psychology factor.