Phishing: What makes people click?
Dr Jules Pagna Disso explains why phishing remains one of the most successful forms of attack, and why staff education is key to tackling the problem.
Dr Jules Pagna Disso, head of R&D, Nettitude
Phishing or spear-phishing attacks remain among the most common and most difficult to prevent for many organisations. The response has often been to increase the sophistication of attack detection techniques, frequently resulting in more heavily locked-down systems. This increased security has resulted in many attacks being blocked; however, even the most robust controls will not necessarily prevent a user from falling victim to a targeted phishing email. Clicking on a malicious link in a moment of distraction is far too easily done, even for the most security-savvy individual.
Attackers generally take advantage of a combination of five factors when constructing and distributing phishing emails:
1. Timing: Having spoken to countless employees across various industries, it is apparent that there is a common misconception that emails from unknown sources can be safely opened at work because the IT team has it all under control. The attitude that security is everyone's responsibility is, unfortunately, not widely adopted in many corporate environments. This vulnerability is further compounded at specific times of year. Seasonal attacks can be very effective because recipients are likely to be expecting particular messages. For instance, our team has recently uncovered a spam campaign impersonating HMRC during the tax return period. In most cases, a message from the tax office is considered to be important and people will therefore be more likely to click. Generally speaking, far too little is done in corporate environments to warn staff about ongoing campaigns such as these. Seasonal themes can relate to publicised internal projects and expansion plans, or can tie into national events, from breaking news stories to annual anniversaries or deadlines.
2. Emotional status of the target: Attackers can use social media to gain an understanding of an employee's current social situation; equally, whilst an attacker might not know which employee is currently under negative stress, there is a good chance that at least one will respond differently due to their level of stress when targeted.
3. Tone of the language used in the email: Attackers specifically design emails to cause alarm without giving away too much information, hoping instead to prompt the recipient to open the message and follow the instructions within. We have recently observed situations in which a user was encouraged to click on a malicious link because the message was presented in such a way as to trigger certain feelings. Our analysis of several such emails shows that many social aspects of day-to-day life are used to connect with victims, either by touching on emotive or stressful subjects or by creating a sense of urgency.
4. Social media exposure: Many people expose far too much of their personal and professional lives via social networking sites, to the extent that attackers can easily construct a highly convincing message. Attackers often conduct open-source intelligence gathering on their victims to ascertain how best to weaponise their email content. This method is often used by security testers as part of red teaming or social engineering exercises, and it often proves to be a far easier method of infiltration than purely technical attacks.
5. State of mind: Many scientific studies have been conducted on how the brain works. Several of these concern influencing the mind towards a known goal, and the same applies to cyber-attacks: it has been proven that working conditions that lead to exhaustion and/or anxiety can make employees far more susceptible to an attack.
Technical controls are too heavily relied upon by the majority of organisations. People will always be influenced by external factors, so businesses need to understand that they are unlikely to be able to prevent people from clicking on highly targeted emails. Instead, they should accept that people are often the weakest link when it comes to security, and implement monitoring and logging systems that provide the right level of situational awareness, so that they can react effectively when, rather than if, incidents occur.
Contributed by Dr Jules Pagna Disso, head of R&D, Nettitude