Thursday, September 15, 2016

Understanding the psychology of phishing

Everyone gets phishing emails. For scammers, it is probably the most cost-effective way of scamming people. Sometimes phishing emails are relatively harmless, but often they are extremely harmful and trick you into parting with your passwords, login details and bank information. I wanted to collect a few to show you the types of phishing emails and the psychology behind them: the language they use, and how the message is meant to make you feel and react.

First of all, the biggest and most important message, and one I think every fraud agency should use, is that phishing emails have one fundamental thing in common: something to click, be that a link or an attachment. Clicking anything in an unexpected email is a bad idea, even if it came from a friend, because people's email accounts are compromised all the time and the attacker then sends from the real account. What you should look for in that case is whether the message is out of character for your friend. If so, don't click it; ask them by another channel.

Let's examine the most frequent phishing emails and how they persuade. Most phishing emails are designed to evoke visceral states: sexual arousal, hunger, greed, fear and so on. When we are under visceral influence, we are likely to bypass careful information processing and act without proper thinking, because we are acting on that influence. When you are starving, you will eat things you would otherwise reject; when you are scared of something, you will do anything to save yourself from the danger; when you are attracted to someone, you will do anything to get them. So let's look at the language phishing emails use.

Those offering refunds 

Who doesn't like getting a refund? The offer of free money puts you in a visceral state of excitement and greed, and this is precisely what the scammer wants: for you to be excited enough at the prospect of free money to act straight away.

Who doesn't like a tax refund? Notice that this one also has an expiration date, which further pushes you to act in the moment, fearful that you will miss the deadline.
Then there is a link you need to click. It will probably ask for your bank details "so they can pay you". They give you four weeks so that you don't report anything for a while, which gives them time to use what you entered.

A TV licence refund, anyone? When does that ever happen? Not even in your wildest dreams. There is a juicy link to boot; see how it stands out, so you don't stop to read anything else.

Those offering free prizes 

Argos doesn't know my postcode; see how it is not specified? Also, you cannot see a link in this one that well, but I guarantee you that the yes and no buttons don't do anything, so you will have to click the link under them, confused that you cannot activate the buttons. Then they will ask you for details to "send you the gift card", but trust me, you won't be buying anything from Argos's Elizabeth Duke collection.

Here is another one. Note again the two nice juicy links, offering a prize package; all you have to do is confirm your details.

It adds a time limit to make you act in the moment in case you lose the deal. This is a well-known scamming and persuasion technique.

Good old malware types 

Luckily, most antivirus filters flag these, but note how they targeted me on my university email and made it very relevant: academics are likely to go to conferences. It asks you to note the date and time in the attachment, so to find out what is going on you would have to open it.

Those preying on your fears 

Here are a few examples of phishing emails that induce panic and fear and make you want to sort out the problem as soon as possible.

Of course you did not initiate this download, so you will frantically click the "cancel" and "support" links. They mention the download being initiated a few times, so you get the message that all you have to do is confirm you did not do it yourself and all will be fine. Note that there is another link lower down, and that one will probably lead to a legitimate site; scammers are very good at making everything else look exactly right.

You won't have time to notice the odd way this email is composed. Why would your account be "limited"? All you register is that something is wrong and things will get worse in 24 hours if you don't click that button.

I still see advice such as "hover over a link" to check whether it is legitimate. Hovering does still show you the real destination of the link (the link target, not the text you see), but it is no longer enough on its own: the visible text can be a perfectly legitimate-looking address while the real target is somewhere else, the real target can be a lookalike domain a letter or two off the genuine one, and the sender address, logos and wording are easily copied, so the email as a whole will seem fine. Look at this example: the part that appears to come from my university was faked. Previously, when people opened the attachment thinking it came from the university, the malware used their address book to send spam and scams to all their contacts, this time from the victim's own account.
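To make the point above concrete, here is a small check that does what "hover over the link" does by hand: it pulls every link out of an HTML email body and compares the real target (the href) with what the reader sees. This is an added example, not something from the original post; the email body is constructed to mimic the refund and "cancel this download" messages discussed above, and the hostnames in it are placeholders.

```python
"""Flag links in an HTML e-mail body whose real destination (href) does not
match what the reader sees, or that use other common phishing tricks.
Added illustration; the sample e-mail below is constructed, not a real message."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body mimicking the refund / "cancel download" e-mails above.
# Hostnames are placeholders (RFC 2606 / documentation ranges), not real sites.
SAMPLE_HTML = """
<p>You are eligible for a refund of 482.53 GBP. Claim within 4 weeks.</p>
<p><a href="http://secure-gateway.example.net/claim?id=8812">https://www.gov.uk/tax-refund</a></p>
<p><a href="http://192.0.2.17/login">Cancel this download</a></p>
<p><a href="https://www.gov.uk@evil.example.org/verify">Verify account</a></p>
<p><a href="https://www.gov.uk/contact">Contact HMRC</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


# Does the visible link text itself look like a URL or domain name?
_URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)", re.I)


def check_link(href, text):
    """Return a list of reasons this link is suspicious; empty means no finding."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()   # hostname strips any user@ prefix
    if parts.scheme and parts.scheme != "https":
        reasons.append("not https")
    if "@" in parts.netloc:
        # Everything before '@' is userinfo, so the real host is what follows it.
        reasons.append("userinfo before host (real host is %s)" % host)
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("raw IP address")
    shown = _URLISH.match(text)
    if shown and shown.group(1).lower() != host:
        reasons.append("shown %s but goes to %s" % (shown.group(1), host))
    return reasons


def suspicious_links(html):
    """All links in the body that trip at least one check, with their reasons."""
    findings = []
    for href, text in extract_links(html):
        reasons = check_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML):
        print("%-55s shown as %-32r %s" % (href, text, "; ".join(reasons)))
```

Run as-is it reports the first three links and leaves the genuine contact link alone. The visible-text comparison is deliberately strict (whole hostname against whole hostname), so a display of `gov.uk` pointing at `www.gov.uk` would also be reported; a production filter would compare registrable domains using the public suffix list and add a lookalike check against the brands it cares about. The point for a reader is simpler: the href is the one thing in the email the scammer cannot dress up, which is why hovering, or a check like this, still tells you where you are really going.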

The only time you genuinely need to click a link in an email is when you asked for it a moment ago: you just subscribed to something and need to verify your address, or you requested a password reset and need to follow the link. Any unsolicited email with links or attachments is probably not good news. Scammers cannot get at your details through an email you don't act on, but it helps to understand the psychological states these emails are designed to put you in, so that you act against your own interests.
If you are worried that an account has been compromised, check it another way: type the site's address yourself or use the phone number on your card or statement, never a link or number from the email.

Add me on Twitter for daily advice and stay scam safe.