The Psychology of Phishing: When Emails Are Dangerous

28 August, 2020
Have you ever gotten a suspicious email asking you to take urgent action or share personal information? It was probably a case of phishing, a common modern scam.

As technology evolves, everything adapts and changes with it. Criminal activity is no exception. Cybercrime is common and takes on many forms. There’s spyware, adware, worms, Trojan horses, viruses, etc. One of the most common types of cybercrime is phishing, which involves stealing people’s information via email.

Cybercriminals pose as people or businesses and send emails saying that you need to take urgent action and provide certain information. The emails often seem to be from companies that you know or you have an account with, and they might threaten to close your account or charge you if you don’t do what the email says. If you open a malicious file attached to one of these emails or provide certain information (bank information or personal information), they’ll use it to their advantage. Phishing is an effective way to scam a lot of people at once. Experts estimate that there were nine million phishing attacks in 2019.

While these types of scams can be easy to identify, some cybercriminals are skilled at getting people to fall into their trap. They play with people’s basic emotions and psychological processes in such a way that you don’t realize you’re being deceived.

Social engineering

Cybercriminals use concepts from sociology and social psychology to design their scams. They usually play on four different human emotions: greed, curiosity, pity, and fear. The combination of these emotions leads people to react almost instinctively.

By playing on these four emotions, and by exploiting a few other well-known social behaviors, phishing attackers have developed a range of tactics to get people to disclose sensitive information. Below, we describe the three types of behavior that phishing attackers most often take advantage of. Of course, the success of these attacks also depends on the individual’s personal characteristics and their ability to spot suspicious signs.

Respect for authority

Humans tend to obey orders or instructions from people in positions of power. In other words, we have a cognitive bias that makes us set aside (if only for a moment) our own judgment and the potential consequences of an action. With fear as the main driver, we hurry to obey the orders of our “superiors”.

Phishing attackers invoke authority by pretending to be the director of a company, an important government body, or a prestigious firm. They tend to send emails posing as large, well-known corporations, requesting that you do something that seems related to that company’s business. Seeing a company name that you recognize gives you a sense of safety, so you’re more likely to believe that what you’re reading is real.

One example of this kind of scam is an email that claims to be from a tax collection agency, telling you to click on a link in order to get a refund on your taxes. Another is an email that appears to come from a company executive, asking you to open a file about a “new project”.

A sense of urgency

This manipulation strategy is extremely common, and not just in criminal activity: marketing firms use it a lot as well. It involves creating a situation of false urgency that pushes the user to decide and act quickly. When attackers use this strategy, they prey on people’s fear that something bad will happen if they don’t act.

The subject line of the email is designed to set off people’s alarm bells. “Your computer has a virus” or “Someone has tried to access your account” are typical examples. Another variation is telling you that you need to be the first to do something, for example “Only the first 50 people to register will get a prize”. Here, the fear of missing an opportunity can drive you to believe the scam without considering other possibilities.

The goal is to trigger fear so that you make a hasty, irrational decision. Attackers are counting on the fact that your rational mind won’t have time to question the suspicious details that give the email away as a scam. They also tend to use large lettering and the color red to heighten the sense of urgency and danger. The problem is that, even if you aren’t fully convinced by the message, you might fall into the trap anyway, because you want to take action just in case it’s true.

Automatic actions

Throughout the day, you do a lot of things automatically, without being fully aware of them. They tend to be the result of experience and repetition: you switch on autopilot and don’t pay much attention to what you’re doing. Clicking on a big, red button that says “Click here” instead of the smaller box that says “Cancel” is one example.

Phishing attackers use this kind of automatic behavior to their advantage. For example, they ask you to re-send an email that supposedly never arrived, or they include a link that claims to take you to a page where you can cancel a subscription or stop receiving emails from a company. All of these links, of course, are fake.

These strategies are effective and dangerous because they seem innocent and closely resemble things we do all the time. Phishing preys on these habits, leading us to perform routine actions that we pay little attention to. Phishing attackers succeed when they get us to gloss over the details and decide without thinking.

How to avoid the trap

Some people are better than others at identifying these scams, but everyone is a potential victim. If you want to avoid falling for these deceptions, it’s important to be aware of the dangers. Always read the entire email thoroughly and give it your full attention. If you don’t know the sender, check whether the sending address genuinely belongs to the person or company it claims to be.

The most important thing is to avoid reacting too quickly. Stop and consider the consequences. Ask whether the message makes sense, and whether the company or person it appears to come from would really send you this kind of email. Take a moment to think about what the email is asking and look for suspicious signs. If you do identify a phishing attack, it’s also important to report it to the authorities.
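The two checks recommended above (does the sender’s address match the brand it claims to be, and does the message lean on urgency or authority cues) can be automated as a first-pass triage filter. The following is an added example, not code from the original article; the KNOWN_SENDERS mapping and the sample messages are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Hypothetical mapping: brands the reader has accounts with and the domain
# their genuine mail comes from. A real deployment would maintain this list.
KNOWN_SENDERS = {
    "examplebank": "examplebank.com",
    "tax agency": "tax.example.gov",
}

# Phrases that match the pressure tactics described in the article:
# fear ("virus", "tried to access"), threats, deadlines and "act first" scarcity.
URGENCY_CUES = [
    r"your computer has a virus",
    r"tried to access your account",
    r"only the first \d+",
    r"account will be (closed|suspended)",
    r"(urgent|immediately|within \d+ hours)",
]

def sender_check(from_header, known=KNOWN_SENDERS):
    """Return a reason if the display name claims a known brand but the
    address domain is not that brand's real domain (or a subdomain of it)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, real in known.items():
        if brand in name.lower() and domain != real and not domain.endswith("." + real):
            return f"display name claims '{brand}' but address domain is '{domain}'"
    return None

def urgency_check(text):
    """Return the urgency/authority cues found in the subject and body."""
    return [p for p in URGENCY_CUES if re.search(p, text, re.IGNORECASE)]

def triage(msg):
    """Score a message: 2 points for a sender mismatch, 1 per urgency cue.
    A score of 2 or more means: stop and verify before acting on it."""
    reasons, score = [], 0
    mismatch = sender_check(msg["from"])
    if mismatch:
        reasons.append(mismatch)
        score += 2
    cues = urgency_check(msg["subject"] + " " + msg["body"])
    reasons.extend("urgency cue: " + c for c in cues)
    score += len(cues)
    return {"score": score, "suspicious": score >= 2, "reasons": reasons}

# Constructed sample messages (not real mail): one lookalike-domain phish, one genuine notice.
PHISH = {"from": "ExampleBank Security <alerts@examplebank-verify.example>",
         "subject": "Someone has tried to access your account",
         "body": "Your account will be closed within 24 hours unless you confirm your details."}
LEGIT = {"from": "ExampleBank <statements@examplebank.com>",
         "subject": "Your monthly statement is ready",
         "body": "Log in through the app to view your statement at your convenience."}
```

Running `triage(PHISH)` flags the message with three urgency cues plus the domain mismatch, while `triage(LEGIT)` scores zero; the filter is a prompt to slow down, not a verdict, which is exactly the habit the article recommends.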