The psychology of the click: Why are so many employees falling for phishing attacks?

Opinion by Paul Barnes

When IT managers consider their vulnerabilities, they will typically think about coding errors or weak spots in a network. However, the most prevalent vulnerability is a constant one – human error. It is this weakness that is most commonly relied upon by attackers who deploy phishing attacks. Phishing occurs when an attacker masquerades as a trusted entity and dupes a victim into opening a malicious attachment or link.

Cyber-security awareness training is often used to counter this, but there is no guaranteed way of protecting against this vulnerability. Psychology plays a significant role in how humans interact with each other in person, and the same is true online.

Psychological factors

New research has found that 61 percent of UK office workers would open an email appearing to be from their boss first, followed by a message from a family or friend at 54 percent. Analysing the psychological factors impacting an individual’s decision to click on a phishing email, the research found that a sense of urgency, combined with a familiar context, is a strong incentive for employees to open potentially malicious correspondence. 

Phishing is the most popular method of cyber-attack in the UK, and research has found that over three-quarters (77 percent) of office workers reported receiving a phishing email at work. However, following an attack, cyber-security processes fall apart as 40 percent do not bother changing their passwords.

From a psychological perspective, Cleotilde Gonzalez, Ph.D., research professor, Carnegie Mellon University, argues that the way we make decisions is based on perceived risk and potential reward. "For employees, they perceive phishing to be an uncommon event, so they mentally decrease the likelihood of this occurring. When faced with an email from the boss, the perceived risk associated with not responding feels more immediate. Employees can visualise the potential personal effect and this spurs them to take an action. In this case, the risk that the sender may not be legitimate is outweighed by the risk of getting into trouble and losing face."

Misplaced confidence in spotting threats

A lack of cyber-security awareness extends to other tactics that can be used in a phishing attack. People are often confident that they can spot phishing emails, but fail to realise that attempts are only becoming more advanced and specific, tailored to your inbox, and quite often sent from a legitimate email account. While the majority of employees (89 percent) felt confident in identifying malicious emails, only half correctly identified phone calls as a channel for phishing attacks.

Most security-savvy internet users already mistrust emails from people they don’t know. Unfortunately, it is now time to apply suspicion to trusted senders too. Attackers commonly try to spoof email addresses to look like those you’re familiar with and may even gain control of an email account belonging to a person familiar to you such as a boss or trusted vendor. Always err on the side of caution when it comes to emails asking you to download attachments.
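The spoofing and account-takeover patterns described above are exactly what a mail gateway or triage script should flag before the message reaches a busy inbox. The following is an added example, not code from the article or from Webroot: it checks a message for a recognised colleague's display name paired with the wrong address, a domain that merely resembles the organisation's own, a Reply-To that diverts replies elsewhere, and the urgent wording the research identifies. The organisation domain, the known-sender list and both sample messages are constructed for illustration.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # constructed: the organisation's own mail domain
# constructed: display names staff recognise, and the address each really uses
KNOWN_SENDERS = {"jane doe": "jane.doe@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "today")


def assess(raw_message):
    """Return a list of warnings for one RFC 5322 message; [] means nothing suspicious."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    warnings = []
    # 1. A familiar display name ("the boss") used with an unexpected address.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr != expected:
        warnings.append(f"display name '{name}' used by {addr}, expected {expected}")
    # 2. A sender domain that is not ours but looks like ours (typosquat / homoglyph).
    if domain != ORG_DOMAIN and difflib.SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= 0.8:
        warnings.append(f"lookalike domain {domain} resembles {ORG_DOMAIN}")
    # 3. Replies silently redirected to an address other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        warnings.append(f"Reply-To {reply_to} differs from From {addr}")
    # 4. The urgency cue the research found drives employees to act first and think later.
    if any(word in msg.get("Subject", "").lower() for word in URGENCY_WORDS):
        warnings.append("urgent language in subject")
    return warnings


# Constructed sample: boss impersonation with a lookalike domain and diverted replies.
SAMPLE_PHISH = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jd.ceo.office@mail-example.net
To: staff@example.com
Subject: URGENT - need this done today

Please open the attached invoice and process it immediately.
"""
# Constructed sample: the same colleague writing from her real account.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Minutes from Monday

Notes attached, nothing needs action this week.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, assess(sample))
```

None of these checks proves a message is malicious on its own; the point is that a busy employee reading "URGENT" from "the boss" will not make them, so the system should.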

Despite new communication and collaboration tools, UK employees are still facing an uphill battle when it comes to controlling email inboxes, something that cyber-criminals are more than happy to take advantage of. UK office workers receive an average of 62 emails every work day, providing attackers with dozens of opportunities to trick employees with malicious links, leaving sensitive enterprise data ripe for the taking.

Organisations must implement regular simulated phishing attacks that address the various ways hackers attempt to breach businesses through their employees. A layered security approach that includes consistent training is essential. Armed with this approach, IT security departments can tackle the people, process and technology needed to successfully mitigate attacks. Phishing attacks will only become more convincing with time. This means organisations must ensure that they are educating staff on new campaigns and applying the appropriate security software to mitigate threats. Remaining vigilant and paying attention to who the sender of an unexpected email is will always make you that much safer.

Contributed by Paul Barnes, VP Product Strategy & UX, Webroot. Also see research report on Why Phishing Attacks Work.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.
