Why Do We Take the [Phishing] Bait?

Dimitri Perret

December 10, 2015

3 min


There’s no mortification quite like the feeling one gets after realizing that they have been taken in by a phishing email. It’s just so embarrassing! If you’ve ever been a victim though, you should let yourself off the hook. Phishing scams are surprisingly successful even when targeting victims who are highly technologically sophisticated. 

For the average busy information worker, it may be too much to expect them to spot tiny hints that an email is fake. In some cases, the success of a phishing attack depends upon impersonating a trusted individual. Other times, the success of a phishing attack is the result of simple emotional manipulation.

The Psychology of Phishing Attacks

The main psychological weakness exploited by phishing is our basic need to be kind to people we consider friends. A study at the State University of New York at Buffalo (SUNY Buffalo) showed that students who use Facebook more are at increased risk of sharing their personal information in a phishing attack. The study suggests that people who do more social networking are more likely to click on a link in an email from someone they think is a friend, even if that person has a completely invented identity.

Pop culture can help us understand the phenomenon. In the superb 1987 con-man movie, “House of Games,” screenwriter David Mamet illustrates the effectiveness of the con through a snippet of dialogue between Mike, a confidence man played by Joe Mantegna, and Dr. Margaret Ford, played by Lindsay Crouse. Ford wants to understand how con artists work. He tells her, “It's called a confidence game. Why? Because you give me your confidence? No. Because I give you mine.”

What’s playing out in this classic Mamet scene is Mike’s revelation that cons work through reverse psychology. The confidence man makes the mark feel trusted by first appearing to place his own confidence in the mark. Flattered and feeling befriended, the mark lets down his guard. Then, the confidence man is ready to attack. Phishing works the same way. The SUNY Buffalo study involved sending the student participants a phishing email from a new “friend” who was offering them an internship if they would send back their student ID number and other personal information. Almost all of the participants did so. They felt they were being trusted by a friend.

Don’t dismiss the psychology of phishing. The emotions involved affect everyone. Even the White House got hacked using this technique.

The Implications of a Successful Attack

A successful phishing attack against one of your employees could mean that your entire network eventually becomes compromised or it could “just” mean the loss of more specific IP or data. This can broadly impact:

  • Your Brand. Think of the reputational damage done to Sony after internal communications were leaked showing what Sony executives thought about some of their business partners and stars. Or the distrust customers develop when a retail or health brand is seen as careless with their personal or confidential information.
  • Your Intellectual Property. Criminals, competitors, and state sponsored actors can do incredible damage by exposing trade secrets, designs, or customer data.
  • Direct Financial Penalties or Losses. This could be the result of fines levied by regulatory bodies in reaction to HIPAA or PCI regulated breaches, the cost of providing identity protection or compensation to employees or customers who had their data stolen, or just outright theft if financial controls are compromised.

Preventing an Attack

Understanding the psychology of phishing is a step toward building better awareness and training employees to spot phishing emails. At the same time, it’s essential to be vigilant at a systemic level with effective anti-phishing technology. This is easier said than done.

Standard countermeasures such as anti-spam filters and anti-malware protections don’t work with phishing. Well-crafted phishing emails may not look like spam to software that’s designed to detect junk mail. Anti-virus software won’t do much good, either, because most phishing messages don’t contain any actual malware.

Vade Secure’s anti-phishing solution offers specific anti-phishing protections that can be layered on top of existing anti-spam solutions to provide better overall email protection for your employees. Our proprietary processes spot both one-off spear phishing attacks and mass phishing attacks before they can impact your employees and your bottom line.

Give us a call at 415-745-3630 or contact us, if you want to discuss how you can quickly add anti-phishing measures to your current email setup.