Why are phishing attacks so successful? It’s psychological

Why are phishing attacks so successful? It’s psychological

- Cyber security - Phishing

23-02-2022


Contrary to most people’s perception of cyber security being purely a technology-driven concern, phishing attacks actually focus on people. Our customers. Our suppliers. Our staff. Us.

According to the UK Government’s Cyber Security Breaches Survey, most cyberattacks launched against British businesses involve phishing.

In this article, we explore phishing (just one of many social engineering techniques), how to recognise an attack when it’s happening, and how your organisation should respond.

What is phishing?

Phishing is a way of using communications systems like emails, text messages, and phone calls to trick people into revealing otherwise private information or to install malicious software on their devices and networks.

How does phishing work?

Phishing relies on the shortcuts we take every day in our decision-making processes. Given the pace of modern life, we simply don’t have time to do a full risk analysis on everything we want to do or we’re asked to do.

So, if a hacker claiming to be an authority figure (say, a company director) emails or calls a member of staff and asks them to do something, many will probably just do it because they are eager to please or concerned they may get in trouble if they don’t. And where do criminals get the information they need? Most often: LinkedIn. The hacker is relying on their target not knowing their director well enough to recognise their voice or their style of writing in emails.

If they’re pretending to be from the police or HMRC, scammers will often combine authority with bullying, coercion and blackmail to make the victim think they’ve got no choice but to comply.

Occasionally, hackers will hack into a company’s email system or computer network to impersonate members of staff. A scary example of this type of phishing is something called ‘conveyancing fraud’. In this type of attack, a hacker manages to intercept communications between a solicitor and someone buying a home. They’ll pretend to be the solicitor and, at some point, they’ll ask their client to transfer the money across for the deposit on the property they’re buying.

Of course, they’re not transferring money to their solicitor’s account – they’re transferring it to the hacker instead. People have lost fortunes via conveyancing fraud and it can be days or weeks before someone realises that they’ve been a victim.

Other times, criminals will play on FOMO – the fear of missing out. They’ll make their victim what appears to be an incredibly attractive offer but give them very little time to make their mind up. Scammers here are using the same impulse we have when we see ‘80% off’ signs in shop windows to manipulate us.

How does phishing differ from spam?

Phishing takes many forms, but the most common is email. When a phishing email is sent en masse to hundreds of thousands of people, it does share a lot in common with spam.

But this is far from the only type of attack hackers can launch.

Often, they will scour company websites, LinkedIn profiles and other social media platforms to better understand the hierarchical nature of a business. They’ll then spoof the email address of someone in authority and email or call a victim to ask for the WiFi login details or pressure them into paying a bogus invoice.

This approach is called ‘spear-phishing’ or, if the CEO or MD of a firm is being impersonated, it’s ‘whaling’ or ‘CEO fraud’.

Phishing attacks made over the phone are called ‘vishing’ – there’s currently one in Britain involving a voice broadcast of someone purporting to be from HMRC’s investigations team.

When delivered by SMS text message, these are called ‘smishing’ attacks. Most people are now familiar with text messages supposedly from parcel delivery companies claiming that you need to pay online to receive a parcel.

Phishing is a multi-headed beast – attackers have even been known to hijack companies’ websites. To the outside world, the site is identical but the hackers have changed the site so that they’re also sent the personal and financial details of people placing orders (this is called ‘pharming’).

What are the signs of a phishing email?

There are two types of signs that an email you have received might be a phishing email – technical and content-related.

The technical

With every email that asks you to do something, you should check to see if the domain name it’s been sent from is the same as the company’s domain. It might say, for example, ‘Amazon UK’ in the ‘from’ field but the actual address it came from may be something completely different. In a case like this, don’t click links in your email, go to the website directly either via search engine or by typing in the URL directly.

Malicious software like ransomware is sometimes embedded in attachments on the emails you receive. Make sure that before you open any attachment, you have anti-virus software and your systems are up to date with the latest security patches.

The content

The other is content-related. If an email is asking you to do something urgently or it’s asking you to do something you wouldn’t normally do, this may be a phishing email. Do your due diligence before responding by asking the person named in the email directly whether they asked you to do this – by telephone (on a number you know, not the one in the footer of the suspect email) or face-to-face, if possible.

Sometimes the appearance of a phishing email just looks wrong, including lots of spelling and grammatical errors. This may be for several reasons, one of which might be to evade spam filters and the other a belief that only the most gullible would respond to such error-prone content.

Why is phishing a popular approach with cybercriminals?

Standard phishing is popular with many cybercriminals because a) people fall for scams, b) email and phone charges are minimal, and in the case of spear phishing, c) you only have to be right every now and again to make a fortune from it.

Spear phishing involves a lot more time and research to get right than standard phishing attacks but, with these attacks, cybergangs are generally looking to achieve bigger pay days.

Perhaps the biggest reason for its popularity though is that cybercriminals can operate from anywhere in the world with almost guaranteed anonymity.

How to stop phishing emails

Truthfully, there is no way to stop all phishing emails from getting in, even with powerful filters.

But there are actions you can take to stop phishing emails from being successful.

Staff need to be aware of what to look for, what actions to take when they suspect they’ve received a phishing email, and be rewarded in some way for their care and attention.

And that’s where PGI will help. We can help you build your technical defences then we can help you train your staff on the threat that phishing presents and monitor their performance.

Let’s start the conversation; contact us via email sales@pgitl.com or call us on +44 (0)845 600 4403.

Ready to get started? Speak to one of our experts.

If you have any questions about our services or would like to learn more about our consultants here at PGI, please get in touch with us and speak with one of the team, call us on +44 (0)845 600 4403 or email us at sales@pgitl.com

Get in touch

Want to find out more?