The psychology behind why we fall for phishing scams

We all like to think we would recognise a phishing email when we see one: poorly formatted messages, riddled with grammatical errors and spelling mistakes.

The truth is, phishing emails are designed to catch your employees off guard – when they are tired, busy or just a little less focused than normal – just enough to click on something they shouldn’t.

One tiny mistake from a distracted employee could put your local network or company in jeopardy.

Not only the technologically illiterate

New research suggests that it isn’t just the technologically illiterate who fall for phishing scams. It seems that the more you use Facebook, the more likely you are to click on a bad link.

According to Microsoft, phishing scams cost the world as much as USD$5bn a year, and unsolicited emails in the UK are said to be three times more likely to contain a malicious link than in the US.

Facebook users the most susceptible

A survey of 150 students conducted by a team of scientists at SUNY Buffalo found that individuals who used Facebook more than their peers were more likely to fall for phishing scams and give away their personal information. The results showed that most of the 150 students fell for the bait, even if the phishing scam was peppered with poor grammar and bad sentence constructions. The researchers say the reason for this willingness to click on links stems from an inherent complacency and a desire to please.

“Perhaps being connected to a large number of people makes it difficult to discern a friend from a stranger; or frequently interacting with the platform makes individuals more likely to overlook the nuances in the message that might reveal deception,” the authors of the research findings write.

Marketing tricks: urgency and subject lines

The research also revealed that people are more likely to fall for a scam if the message is urgent. If the fraudsters did their homework and were able to compile effective email subject lines, they were even more successful. Worryingly, the most widely used subject line in phishing scams now involves ‘invitations to connect on LinkedIn’. Fake LinkedIn invitations are said to be the most effective, achieving a successful click at four times the rate of any other type of email trick.

The implausibility factor

Scammers rely on the implausibility factor to make the scams work. If they were to create a more legitimate-sounding email, their response rate would be much higher, but more people would cotton on more quickly. By deliberately compiling emails littered with errors, they are guaranteed to filter out the more educated and hook the most gullible of their potential target group, ensuring a higher rate of success. In this way, the attackers can quickly identify and target the naïve.

Phishing emails are designed to persuade you to click a link or submit personal information. Ensure your employees understand that they should be wary of divulging any information based on an email, and that they should never click a URL straight from an email.
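The two warning signs the article describes, urgency in the subject line and links that do not go where they appear to, can both be checked mechanically. The script below is an added example, not code from IT Governance or from the research cited above: it parses the HTML body of a message, pulls out every link, and flags any whose visible text names one domain while the `href` actually points at another, then scores the subject for urgency cues. The sample message, the cue list in `URGENCY_CUES`, the function names and the two-label domain heuristic in `registrable_domain` are all this example's own assumptions (a real mail filter would use a public-suffix list).

```python
"""Added example: flag look-alike links and urgency cues in a phishing email.

Not part of the original article. Sample message, cue list and the
domain heuristic are constructed for this demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed list of urgency phrases; a real filter would tune this from data.
URGENCY_CUES = ("urgent", "immediately", "action required", "suspended",
                "within 24 hours", "final notice")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL, tolerating text that omits the scheme."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return urlsplit(s).hostname or ""


def registrable_domain(host):
    """Assumption: last two DNS labels approximate the registrable domain."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like_url(text):
    """True when the anchor's visible text is itself presented as a URL or domain."""
    t = text.strip().lower()
    return t.startswith(("http://", "https://", "www.")) or (
        " " not in t and "." in t and not t.endswith("."))


def find_mismatched_links(html_body):
    """Return links whose displayed domain differs from the real destination."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        actual = registrable_domain(host_of(href))
        if looks_like_url(text):
            shown = registrable_domain(host_of(text))
            if shown and shown != actual:
                findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


def urgency_score(subject):
    """Count how many urgency cues appear in the subject line."""
    s = subject.lower()
    return sum(1 for cue in URGENCY_CUES if cue in s)


def triage(subject, html_body):
    """Combine both signals into a simple verdict for an analyst or a filter."""
    mismatched = find_mismatched_links(html_body)
    score = urgency_score(subject)
    if mismatched or score >= 2:
        verdict = "suspicious"
    elif score == 1:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "urgency": score, "mismatched_links": mismatched}


# Constructed sample: a fake LinkedIn invitation whose visible link text
# shows linkedin.com while the href goes to an unrelated domain.
SAMPLE_SUBJECT = "ACTION REQUIRED: your LinkedIn account will be suspended within 24 hours"
SAMPLE_BODY = """
<p>You have a new invitation to connect on LinkedIn.</p>
<p><a href="http://login.linkedin-invite.example/confirm">https://www.linkedin.com/invitation</a></p>
<p><a href="https://www.linkedin.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_SUBJECT, SAMPLE_BODY))
```

Run it as a script to see the sample message scored as suspicious with one mismatched link. The check only compares the displayed domain with the real one; a link whose text is plain words ("Help centre") is not judged at all, which is exactly why the safe habit is to open the site from a bookmark rather than from the email.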

IT Governance’s Information Security Staff Awareness E-learning Course will help your employees gain a better understanding of information security risks and compliance requirements in line with ISO 27001, thereby reducing your organisation’s exposure to security threats.

Cyber Essentials is a government-backed and industry-supported scheme to guide businesses in protecting themselves against cyber threats. For as little as £300, you can apply for Cyber Essentials certification through IT Governance.

