Why employees keep falling for phishing (and the science to help them)
I once received an email from a concerned individual who had contacted me through the email system of a forum for company directors. The emailer told me they had found a fake Facebook page showing me in a less-than-professional light. The fake Facebook page existed (I checked) and it was awful and damning. The person wanted to engage with me to help me “take the page down” (for a fee).
This elaborate phishing scam was put together, playing on potential concerns I might have over embarrassing and unflattering portrayals of my personal life. The scammer played on typical human behavior triggered by shame and embarrassment. They contacted me via a professional body and used my trust in that body to cement their claim. The scam didn't work in my case, but so often, fraudsters turn to human psychology to perpetrate a crime.
For far too long the human in cybersecurity was forgotten. Whenever cybersecurity was discussed, it was about how hackers break into systems using their technical expertise. Whilst this is true to an extent, the underlying pulleys and levers behind cybersecurity incidents, like phishing, are ultimately down to the human in the machine.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
What is it about humans that makes us the perfect vector for cybercrime? Is it our gung-ho attitude to clicking or our “link blindness?” Here are a few ideas of why employees keep falling for the phishing ruse and how cybersecurity training can benefit from the same principles.
It's all the fault of the HCI (human-computer interface)
Fraudsters the world over and across time have used human behavior as a basis for a scam. In the offline world, fraud has always relied on an element of manipulation of a human being at some point. However, when computers entered the frame, the scam potential took off. For computers to be usable by human beings, en masse, the discipline of human-computer interaction (HCI) was invented. Companies such as SRI International, who invented the computer mouse, opened ways of interacting with computers that tied human behavior closely to computer operations. HCI research involved the merger of computer science with cognitive science and human factors (user experience engineering).
HCI was vital in the humanization of computing as it allowed the human operator to have a more natural experience with a computer, allowing for more seamless operation. Since then, the close-knit connection between human operators and the computer has become the open doorway to cybercrime. As the HCI improved, and as UI engineers have taken user experience to a level where interaction with a computer interface became almost automatic, nefarious manipulation of the user only became easier.
Human behavior: What makes us click?
Human beings can learn behaviors, for example, parents teach kids to always wash their hands after going to the bathroom. Using computers means that certain behaviors are learned too. Building better user experiences is an area of computing that relies on designing systems that use natural behaviors or that avoid interactions that need to create new behaviors. The use of computers depends on certain learned behaviors such as clicking on a link to open a web page.
User experience (UX) designers, base user journeys and a UI design on this kind of behavioral conditioning to make the use of technology easier and more intuitive. UX designers use Pavlovian conditioning type exercises to establish patterns of behavior that train users. An example is the use of feedback mechanisms such as changing the color of a button as a positive feedback mechanism.
This is important as many computer tasks are laborious and repetitive. The ingrained nature of the click is behind both the intuitive use of computers and many scams. It is not surprising that UI design must be as seamless as possible. In 2020, 306.4 billion emails were sent and received daily. With so many emails popping into our inbox, automated click behavior is common, making it hard to police every email; employees under time constraints may open an email as knee-jerk behavior to a regular task.
The result of all this careful attention to psychology within UX/UI design is that we have become conditioned when using a computer to the point where we automatically click links or open websites without thinking. This automation of conditioned behavior is a cybercriminal’s dream. Cybercriminals make use of the same psychological conditioning to get that automated click on a link in a phishing email.
By understanding human behavior and what makes us click, fraudsters have taken cyberattacks to new levels of success. But cybersecurity can also use the science of psychology to protect against cyberattacks.
Behavioral science and psychology
In the paper “Leveraging behavioral science to mitigate cybersecurity risk” the researchers focused on two behavioral elements, cognitive load and bias. The paper, published in 2012, was designed to encourage a process to build up knowledge at the intersection of behavioral science and cybersecurity. The researchers stressed that the technologists behind secure systems must “understand the behavioral sciences as they design, develop and use technology.” Since the paper was published, the idea of human factors being central to cybersecurity mitigation has been cemented by the massive increase in the use of social engineering by cybercriminals.
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
Cognitive load and bias have also been explored in the paper “Encouraging Employee Engagement With Cybersecurity: How to Tackle Cyber Fatigue.” The paper looked at the impact on employees in dealing with overexposure to cybersecurity-related work demands or training. The researchers explored possible explanations, overconfidence and complacency from security training that impacted positive training outcomes. The study teased out two possible sources of cyber fatigue:
- Fatigue source (action or advice)
- Fatigue type (attitudinal and cognitive)
The research created a four-component model allowing an organization to identify the type of cybersecurity fatigue employees experienced and how work processes could be modified to improve cybersecurity behavior.
Behavioral cybersecurity and human-centric cybersecurity
Scams have increasingly included a large element of social engineering during a cyberattack. The increase in Covid-19 related phishing campaigns by 30,000 percent during 2020 is a case in point. Many of these scams played on concerns over the virus and used trusted entities such as the U.S. Centers for Disease Control and Prevention and World Health Organization (WHO) to manipulate the behavior of users by building trust and using fear as a trigger. Human behavior manipulation in all its forms works, as the success of phishing and cyberthreats that use behavior manipulation attest.
Psychology and behavioral science are now firmly recognized as offering scientific principles that can be applied to cybersecurity awareness programs as well as in the design and development of mitigating measures against cyberattacks. By merging these disciplines, a new area of behavioral cybersecurity has emerged. Behavioral science facilitates the mapping of risk to behavior and the understanding of the perception of risk by different types of employees. The result is a human-centric view of cybersecurity in the form of behavioral cybersecurity.
See our previous article “Can your personality indicate how you’ll react to a cyberthreat” for more details of personality types and cybersecurity behavior.
Behavioral cybersecurity and cybersecurity awareness programs
By applying the tenets of psychology to cybersecurity awareness programs an organization can improve and even enhance the training:
Social proof
The principle of social proof in psychology is often used by UI engineers to improve user experience. It is defined as “the influence of other people that leads us to conform to be liked and accepted by them.” This builds on the idea of the propagation of trust across networks of trusted people (or things). Carnegie Mellon’s Human-Computer Interaction Institute performs research into Social Cybersecurity. The institute looks at the applications of social psychology in the adoption of cybersecurity practices, using social proof to “boost awareness, knowledge and motivation to adopt secure behaviors online.”
Cybersecurity fatigue
If trainees become fatigued or disinterested, cybersecurity training will fail. Understanding how different people react to security awareness training can help personalize security training programs and make them more effective. The research paper on “Encouraging Employee Engagement With Cybersecurity” has some ideas for building more tailored and effective cybersecurity training programs based on human behavior.
Design for good security behavior
Design your security training programs around known trigger behaviors exploited by cybercriminals. Trust, conditioned behaviors, and social influence are used by cybercriminals to entrap users and manipulate behavior. These same behaviors can be used as a basis for training users in using good cybersecurity behavior.
See Infosec IQ in action
Empowerment through security education
The scientific evidence is stacking up in favor of using psychology to thwart cyberattacks. An article from the World Economic Forum sums the situation up “By understanding what drives people’s behavior, we can come up with ideas for how to change it.” When looking to design the best security awareness training program, look at how it uses behavior and psychology to create more impactful training and nudge cybersecurity behavior in the right direction.
Sources:
- 75 Years of Innovation: The computer mouse, SRI International
- Pavlovian Conditioning: Using UX Psychology To Train Users, Fyresite
- Leveraging behavioral science to mitigate cyber security risk, Pfleeger, S.L., and Caputo, D.D.
- Email Statistics Report to 2024, Radicati
- Encouraging Employee Engagement With Cybersecurity: How to Tackle Cyber Fatigue, Reeves, A., Delfabbro, P., Calic, D.
- Aronson, E., Wilson, T.D., & Akert, A.M. (2005). Social Psychology (5th ed.). Upper Saddle River, NJ: Prentice Hall
- “Social Cybersecurity,” Carnegie Mellon, Human Computer Interaction Institute
- Why psychology could be the answer to cyber-attacks, World Economic Forum
In this Series
- Why employees keep falling for phishing (and the science to help them)
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Phishing-as-a-Service
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
