Your brain vs. phishing
Phishing is a term that unfortunately needs little introduction these days. Yet cybercriminals still manage to deceive even well-secured companies. How is that possible? And why is it so effective? Let’s take a closer look at what phishing is, how it has evolved, and how emotions are used to trap us.
What is phishing?
Phishing is a type of social engineering attack—a technique that requires human interaction to exploit weaknesses and deceive victims. The goal is to bypass security measures and gain access to sensitive information, such as login credentials or financial data. While it most commonly occurs through email, phone calls and text messages are also popular methods.
Phishing comes in many shapes and sizes. Check out this blog to learn about the different types of phishing.
The evolution of phishing
This type of cyberattack has evolved over the years and has become much more sophisticated. Despite the fact that some scams appear outdated, they still generate significant profits. That’s why this cunning method persists.
According to a CNBC report, Americans lost more than $700,000 in 2018 to the “Nigerian prince” scam. This scam involves a supposedly wealthy Nigerian prince urgently needing to transfer a large sum of money, asking for a small deposit or your bank details to “safeguard” the funds. In reality, victims find their bank accounts drained and face repeated requests for money until they realize it’s a scam.
But why do people still fall for phishing? The answer lies in human psychology. People are vulnerable to these attacks because our emotions often get the better of us. Feelings like fear, frustration, pride, FOMO (fear of missing out), and greed can make us susceptible to manipulation.
The role of emotions in phishing
Social engineering techniques like phishing exploit human emotions to deceive victims. A common tactic is creating a sense of urgency, prompting the victim to act quickly without thinking things through. For example, an email claiming your account needs immediate attention might cause panic, leading you to act hastily without verifying the email’s legitimacy.
How can we defend ourselves?
Understanding the psychology behind phishing is the first step in defending against these attacks.
According to Daniel Kahneman, our brain operates using two systems:
- System 1: fast, automatic, and emotionally driven.
- System 2: slow, rational, and deliberate.
This dual-system theory provides insight into the phishing process. Phishing targets System 1, causing us to make mistakes before System 2 has a chance to intervene.
As an organization, you can make phishing training more effective. Training that focuses solely on System 2 (rational decision-making) won’t suffice. Frequent, unexpected simulations are needed to help employees instinctively recognize phishing attempts.
Practical tips for your organization
- Optimize email security: make sure your email security is strong, so that phishing messages are filtered out before they are ever seen or opened.
- Regular training: offer monthly and unpredictable phishing simulations to keep employees alert.
- Varying difficulty levels: use phishing simulations with different levels of difficulty, from simple to highly sophisticated, to prepare employees for real-world attacks.
- Rewards and gamification: make phishing awareness enjoyable by incorporating rewards and game-like elements. This boosts motivation to stay vigilant.
- Positive reinforcement: instead of penalizing mistakes, use a personal approach to help employees understand where they went wrong and how they can improve.
Need help implementing awareness training in your organization? We’re here to assist you. Schedule a free consultation with one of our specialists today.