How to recognise a phishing attempt
Have you heard of phishing? Maybe you think you’re too savvy to fall into the trap of these fraudulent attempts, which aim to extract sensitive information or extort money from you. No matter how careful you think you are, phishing is not something that only happens to others! It relies on strong psychological biases to which we are all vulnerable.
Summary
Although we are now more aware of phishing than we were several years ago, it is undeniable that online fraudsters have become more creative and are adapting their methods as we learn more about them. Sloppy grammar and junk texts are a thing of the past; fraudsters put a lot of effort into presentation and have become more adept at playing with your emotions to get you to suspend your critical judgement. Therefore, we need to strengthen our emotional “firewall” by understanding the mechanisms used by phishing fraudsters to trick their victims.
Phishing and digital cognitive overload
Our digital life has become intense compared with previous generations. Every day we receive and exchange dozens of emails and messages across a range of platforms and apps. While the vast majority of what we receive is authentic, we regularly come across fraudulent and potentially dangerous messages. Although we normally spot fraudulent messages, sometimes a strong emotion, curiosity or a significant cognitive overload can lead us to let our guard down and fall into the trap. That is precisely what phishing sets out to do.
Phishing is a form of online fraud that aims to steal users’ personal information. It can arrive through a number of different channels: emails, text messages (smishing) or online messaging services. The fraudsters try to pass themselves off as a reputable organisation, such as your bank, telephone operator, postal service, etc. More often than not you are asked to click on a link that redirects you to a fake website (a close copy of the original one), where you enter your data.
In practical terms, victims may receive an email informing them that their credit card is going to be blocked or that their Facebook or email account is going to be deactivated. To prevent this, they are asked to click on a link in the email which redirects them to a (fake) web page. There, they are asked to provide their personal data to prove that they really are the owner of the card or account in question. The data entered is then collected for malicious purposes.
Recently, increasingly sophisticated forms of phishing have emerged to try to trick even the most wary victims. It is also possible to be misled by fraudulent messages that imitate video conferencing sites or online collaborative work platforms.
Being a victim of phishing is not a rare event: according to the Verizon 2022 Data Breach Investigations Report, 82% of data breaches involved a human element, such as someone falling for a phishing message, misusing their access or making an error. Falling for phishing and voluntarily handing over data is among the most common of these human failures. Contrary to what is usually thought, the most connected people are not the best protected. In fact, those who are the most active in the digital world are the most prone to fall victim to phishing.
It is therefore important to understand how phishing works in order to analyse why these scammers continue to strike so effectively despite regular warnings and information campaigns about this type of digital fraud. The answer lies in the psychological and emotional biases exploited by phishing fraudsters.
The mechanisms of phishing
Phishing blends in
We all receive huge amounts of emails. As digital communication has become part of our norm, it is fairly easy to hide malicious requests among authentic requests. Therefore, one of the characteristics of a phishing message is that it seems legitimate. It looks just like one of the many emails that we receive from reputable institutions or businesses. The message often relates to issues that concern you directly, your work or your interests.
We are so accustomed to scrolling through our messages and opening those that are of interest to us, that we sometimes get carried away. Unfortunately, some of these messages that are interesting at first glance are in fact malicious. They may contain links or attachments that encourage us to visit fake websites, disclose information, send money or download a form of malicious software.
Phishing relies on the power of social norms
In their phishing messages, fraudsters almost always pose as trustworthy organisations or legitimate contacts. For example, they will use a URL which is almost identical to that of a well-known website, such as www.luxtrast.lu instead of www.luxtrust.lu. By copying the visual style of a legitimate sender or by purchasing domains that look like real domains, they take advantage of our instinct to take things at face value.
They are also aware of our tendency to obey figures of authority that we recognise as legitimate. The messages are therefore frequently signed by people in senior positions, such as a “bank manager”, “head of human resources”, “commander-in-chief” or even CEO.
Lastly, phishing fraudsters know that we are social animals and that we are more likely to cooperate when we believe that the majority of our peers have already acted in the same way. Phishing messages using social norms often claim that other members of a group have already followed their instructions, for example: “90% of your company’s employees have already registered”. These techniques can be very effective because they play on our attachment to social norms as a guide when dealing with a new situation.
Phishing arouses our curiosity
Curiosity is a powerful driver of human behaviour. It encourages us to innovate, to go further, to try and find out more. It captures our attention, but it also creates a tunnel vision effect that blinds us to what is not directly in front of us. This can lead us to open an attachment without thinking in order to take advantage of the promise of a unique opportunity. When asked why they opened these emails, most phishing victims admit that they clicked out of curiosity while suspecting that a scam might be involved. Curiosity is a powerful incentive that needs to be kept in check!
Phishing exploits our primary emergency mechanisms
Many phishing messages play the urgency card. Be wary of messages promoting a limited-time offer or one-off discount, notifying you of a court summons or threatening to block access to an account.
Urgency raises our stress levels and our brain goes into alert mode. This tends to suppress all other thought processes in order to deal as quickly as possible with what we perceive as an immediate emergency, without stopping to put it in context. Acting without thinking is precisely the reaction these criminals hope for. Don’t be fooled!
Phishing plays on our feelings
The role of emotions in decision-making is well known. As a loyal reader of myLIFE, you will surely know that emotions are often bad advisers. High levels of emotion can distort our judgement and lead us to behave impulsively.
Phishing fraudsters tend to exploit six basic emotions: anger, curiosity, reward, confusion, fear and greed.
For example, the fraudsters may use the promise of a monetary reward or an attractive prize to provoke an emotional response – in this case excitement – in their victim. They may also use emergency alarm signals to generate a feeling of fear and immediate threat.
Phishing messages are often presented as requiring urgent action, for example: “Your account will be closed if you do not verify your data immediately” or “Someone has obtained your password”. This emotional reaction increases the risk of irrational, impulsive behaviour that can lead to personal information being disclosed.
The important point is that phishing fraudsters have found ways to circumvent some technological firewalls by exploiting your psychological biases to negate your cognitive firewall. It is not enough to have the right technology and to be aware of how phishing works; you also need to learn to keep a cool head and take a step back when examining all these messages received on a daily basis.
Good practices to protect yourself from phishing
- Never click on hyperlinks received by text message or email from suspicious sources. Don’t download the attachments either.
- Be wary of messages that encourage you to react quickly or ask you to provide personal data.
- Never share personal information in response to a request received by email, text message or another messaging service. Just remember that serious organisations and businesses will never ask you to disclose personal data via email.
- Never save your card details on e-commerce websites: your data may then be misused for fraudulent purposes.
- Never allow software to be installed remotely on your computer or smartphone in response to a request from an unknown source (i.e. tech support scams)
- Always check whether the message is addressed to you personally or whether it contains mistakes or erroneous translations.
- Be wary of changed addresses: at first sight the link seems authentic, but on closer examination the URL contains unusual or incorrect elements which show that it is a false address (e.g. www.luxtrast.lu instead of www.luxtrust.lu).
- Hover the cursor over the link before clicking. If the link’s actual URL does not correspond to the text describing it, you risk being redirected to a phishing page.
- Check that the email address, not just the displayed sender name, belongs to the organisation it claims to come from. Also check, where your mail client shows it, whether the message passed authentication (SPF, DKIM, DMARC) and whether the real sending domain appears in the header.
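The last three checks (lookalike domains as in the www.luxtrast.lu example above, link text that does not match the link target, and a sender address or authentication result that does not match the displayed name) can be automated. The script below is an added example written for this page, not a tool from myLIFE, LuxTrust or BEE SECURE. It parses a raw email, compares the sender and link domains against an allowlist of domains you actually deal with (the `KNOWN_DOMAINS` set is an assumption; fill in your own), flags domains within two edits of a known one, and reads the SPF/DKIM/DMARC verdicts from the `Authentication-Results` header. Both sample messages are constructed for the example. One caveat a practitioner should keep in mind: `Authentication-Results` is only meaningful when it was added by your own receiving mail server, since a sender can write any header they like; a real filter also needs the Public Suffix List rather than the simple "last two labels" rule used here.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains you legitimately receive mail from. Replace with your own.
KNOWN_DOMAINS = {"luxtrust.lu", "example.com"}

# Constructed phishing sample: the display name says LuxTrust, the address is on a
# lookalike domain, the link text shows the real site but the href does not, and
# the receiving server recorded SPF and DMARC failures.
PHISHING_EMAIL = """\
From: "LuxTrust Support" <support@luxtrast.lu>
To: you@example.com
Subject: Your certificate will be blocked
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=luxtrast.lu; dkim=none; dmarc=fail header.from=luxtrast.lu
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be closed if you do not verify your data immediately.</p>
<p><a href="https://www.luxtrast.lu/verify">https://www.luxtrust.lu/verify</a></p>
</body></html>
"""

# Constructed legitimate sample for comparison: everything lines up and all checks pass.
CLEAN_EMAIL = """\
From: "LuxTrust" <noreply@luxtrust.lu>
To: you@example.com
Subject: Your monthly statement is available
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=luxtrust.lu; dkim=pass header.d=luxtrust.lu; dmarc=pass header.from=luxtrust.lu
Content-Type: text/html; charset="utf-8"

<html><body><p>Log in at <a href="https://www.luxtrust.lu/">www.luxtrust.lu</a>.</p></body></html>
"""


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a hostname. A real tool would consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike(domain, known=KNOWN_DOMAINS):
    """Return the known domain this one imitates (within two edits), or None."""
    if domain in known:
        return None
    for k in sorted(known):
        if levenshtein(domain, k) <= 2:
            return k
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_message, known=KNOWN_DOMAINS):
    """Run the sender, authentication and link checks; return findings for a human to read."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"]))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    findings = []

    hit = lookalike(sender_domain, known)
    if hit:
        findings.append(f"sender domain {sender_domain!r} looks like known domain {hit!r}")
    for k in sorted(known):  # display name claims a brand the address does not belong to
        brand = k.split(".")[0]
        if brand in display_name.lower() and sender_domain != k:
            findings.append(f"display name {display_name!r} names {brand} but address is at {sender_domain!r}")

    # Only trust this header if your own mail server added it; senders can forge it.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", "")).lower()))
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech} did not pass ({auth.get(mech, 'absent')})")

    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body is not None else "")
    for href, text in extractor.links:
        href_host = registrable(urlparse(href).hostname or "")
        if re.fullmatch(r"(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?", text.lower()):
            text_host = registrable(urlparse(text if "://" in text else "//" + text).hostname or "")
            if text_host != href_host:  # what you see is not where you go
                findings.append(f"link text shows {text_host!r} but href goes to {href_host!r}")
        hit = lookalike(href_host, known)
        if hit:
            findings.append(f"link domain {href_host!r} looks like known domain {hit!r}")

    return {"sender_domain": sender_domain, "auth": auth, "links": extractor.links, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, analyse(sample)["findings"])
```

Running it prints seven findings for the constructed phishing message and none for the clean one. The edit-distance threshold of two is deliberately loose: it catches a swapped or dropped letter such as luxtrast.lu, but on a long allowlist it will also produce false positives, so the output is meant as a prompt for a human to look closer, not as an automatic verdict.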
More information on the good practices for dealing with phishing is available on myLIFE, on your bank’s website and on the BEE SECURE website, the Luxembourg government’s initiative for cyber-security awareness.