The psychology behind phishing attacks

Phishing is what is known as a social engineering attack: the act of psychologically manipulating people into performing actions or divulging confidential information for malicious purposes. Such attacks rely on the target’s natural instincts to provoke a response, and then take advantage of that response.

This definition emphasises that phishing campaigns are all about human behaviour and psychology. They require only limited technical skills because their success depends on how well cyber criminals understand human nature to anticipate how people are likely to behave and react to the bait.

They take advantage of people’s vulnerability

Cyber criminals know well how to maximise the success of a phishing email:

  • They send it when people are more vulnerable and stressed – late in the afternoon, on Fridays or at the end of the month, for instance.
  • They spoof C-suite managers’ email addresses to make sure low-level staff do as requested without arousing suspicion.
  • They take advantage of real-life events, like tax return deadlines, etc.
  • They use fear tactics and urge the recipient to act promptly.
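The tells listed above translate directly into triage rules a mail team can run on inbound messages. The following is an added example, not code from the original article; the company domain, the executive names, the keyword lists and the two sample messages are all constructed assumptions, and executive spoofing is modelled as an executive’s display name on an external sender address.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from email.utils import parseaddr
from typing import List, Tuple

# Assumptions for this example: the company's own mail domain and its executives' names.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "sam lee"}
# Fear/urgency wording and event-based lures as described above (illustrative, not exhaustive).
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|overdue|final notice)\b", re.I)
LURES = re.compile(r"\b(tax return|invoice|payroll|password reset|account suspended)\b", re.I)


@dataclass
class Email:
    from_header: str   # raw From: header, e.g. 'Jane Doe <jane.doe@example.com>'
    subject: str
    body: str
    sent_at: datetime  # local time the message arrived


def triage(msg: Email) -> Tuple[int, List[str]]:
    """Score one message against the tells above; a higher score means review first."""
    name, addr = parseaddr(msg.from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    text = f"{msg.subject}\n{msg.body}"
    checks = [
        # C-suite spoofing, modelled as an executive's display name on an external sender
        (3, f"executive display name '{name}' from external address {addr}",
         name.strip().lower() in EXECUTIVE_NAMES and domain != INTERNAL_DOMAIN),
        (2, "urgency language", bool(URGENCY.search(text))),
        (1, "event-based lure", bool(LURES.search(text))),
        # Timing: late Friday afternoon (weekday() == 4) or the last days of the month
        (1, "late Friday afternoon", msg.sent_at.weekday() == 4 and msg.sent_at.hour >= 15),
        (1, "end of month", msg.sent_at.day >= 28),
    ]
    score = sum(points for points, _, hit in checks if hit)
    return score, [why for _, why, hit in checks if hit]


# Constructed sample messages (not real mail): one lure, one benign internal note.
SAMPLES = [
    Email("Jane Doe <jane.doe@example-mail.test>",
          "Urgent: wire transfer before tax return deadline",
          "Please process this today, the payment is overdue.",
          datetime(2024, 3, 29, 16, 30)),  # Friday 29 March 2024, end of month
    Email("Sam Lee <sam.lee@example.com>", "Lunch next week?",
          "Thinking Tuesday, let me know.", datetime(2024, 3, 13, 10, 0)),
]
```

Scores are additive so that a message hitting several tells at once (spoofed executive, urgency, timing) rises to the top of the review queue rather than depending on any single rule.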

Anyone is a target

Depending on the target, phishing attacks might fall into the spear-phishing or whaling subcategories. Spear-phishing campaigns target a specific group of people – that might include your company, a department, etc.; whaling attacks – or business email compromise (BEC) – target C-suite managers or spoof top managers’ email addresses to fool low-level staff. From the CEO to the administrators, everyone in your company could be a target – it all depends on the data and information they have access to.

How vulnerable is your staff?

If you want to assess how vulnerable your staff is to phishing attacks, put yourself in the cyber criminal’s shoes: get ethical hackers to perform a phishing simulation and test your staff’s resistance to such attacks. Run by Certified Ethical Hackers, the Simulated Phishing Attack will simulate a spear-phishing attack based on the latest threat vectors and your requirements.

More than half of employees didn’t recognise the bait

54% of employees we have tested failed to recognise the scam, which highlights just how easy it is for cyber criminals to get a foothold. If you can’t trust half your company to think before they click, you had best prepare for the fallout. Consequently, they represent a vulnerability that must be fixed. The most convenient and time-saving solution is the Phishing Staff Awareness E-learning course. Delivered online, it teaches the basics of phishing, what it is and how it works, tips about how to recognise a scam, and best security practices, and includes a final exam to assess comprehension.

How can you be sure your vulnerabilities have been fixed? Run a follow-up attack simulation to assess improvements.
