The Human Factor in Email Phishing

Updated: Oct 15, 2021

Email phishing is a multimillion-dollar criminal enterprise that plagues the business world. The criminals behind these campaigns design phishing emails that trick people using social engineering and a range of psychological techniques.

The term ‘email phishing’ draws an analogy between an angler who puts bait on a hook and casts a line into the sea, hoping to lure a random fish to take the bait, and the cybercriminal who has created a fraudulent email, hoping to lure the recipient into opening it and taking action. The criminal hopes to elicit one or more of the following actions from the recipient when they encounter the phishing email:

i) Divulging personally identifiable information such as bank account details, dates of birth or password credentials.

ii) Clicking on a malicious link which takes the user to a website hosting malware, which then infects their computer.

iii) Opening a malicious attachment, which installs malware onto the victim’s computer.

The motivations behind phishing are not new; in fact they have been there since the dawn of man. Certain elements in society have always tried to steal money, extort people or divert funds. Traditionally this has been done by exploiting analogue processes and procedures, such as scams posted to your door. However, as technology has changed the way we live our lives and do business, criminality has mirrored this evolution. The mainstream use of the internet now means that international offenders can target victims in the United Kingdom with ease, across devices and platforms, at home or at work.

What is phishing, spear phishing and whaling?

Phishing emails can be placed into three different categories, depending upon who the intended recipient is.

Untargeted phishing emails, which are sent en masse to as many individuals as possible, can simply be classified as phishing emails. The attacker creates a generic email without any specific target in mind. It could just be an email titled ‘invoice’ that contains a Microsoft Word attachment also named ‘invoice’.

Spear phishing, as the name suggests, is a more targeted fraudulent email. The attacker may have completed online research to acquire as much information as possible about the intended target, and then uses this information to create a bespoke email which looks more convincing and is more likely to be opened. Only recently I spoke with a wedding venue in the North East, who claimed that their emails had been hacked. I asked for more information and it transpired that brides who had booked weddings with them had received emails which looked like they were from the venue, asking for new payments into a new bank account. Without actually seeing said emails, it’s impossible to definitively say how this has happened, but I suspect the venue’s emails have not been hacked at all. It’s a safe bet that the person behind the emails had been browsing social media and seen some posts from brides-to-be saying ‘save the date’, ‘just booked a wedding at this venue’ and so on. The attacker then does some more work to find the bride’s email address, goes to the venue website, finds the events booking email address, and spoofs the email. Hey presto, we have an email which looks like it’s come from the venue; it’s that easy.

With whaling, the attacker is targeting the biggest and most influential fish in an organisation. This tends to be the CEO or equivalent, and again the attacker will have completed online research to determine who the CEO is, crafting a bespoke email intended for that individual only. The motivation for targeting the ‘big fish’ tends to be that they hold the most influence over an organisation. If the attacker can compromise the CEO, they can then leverage that influence and authority for malicious ends.

How does the attacker manipulate and trick phishing victims?

Irrespective of the classification of the phishing email, the attacker will attempt to influence the recipient into completing an action or divulging information. This influence is commonly known as social engineering and is often described as where psychology meets information security. Academic research in this area states that the attacker uses various psychological techniques to manipulate the recipient, such as:

Authority: the email claims to come from an institution or individual that represents an authority figure. There are numerous examples of brands being abused by criminals when crafting phishing emails, including Microsoft, Apple and HMRC.

Urgency: the receiver has a limited time to respond.

Reciprocity: the email looks to leverage a favour from the recipient.

Social proof: the email suggests other people have already responded to it.

Reward: the receiver will receive a reward if they respond.

Loss: the receiver will suffer some form of loss if they fail to respond or act, e.g. closure of an account.

Scarcity: the email suggests that an offer or opportunity is limited in some way.

Vulnerability to phishing emails

There are many individual factors which can influence susceptibility; some people have more of a propensity to trust others. While people are under time pressure or stress and are overloaded with information, their ability to spot malicious communications can also decrease. Right now, with all the uncertainty surrounding the coronavirus, we have a potential perfect storm of vulnerability to phishing emails.

What can we do to combat this threat?

The National Cyber Security Centre (NCSC) has some great guidance for organisations of all sizes, ranging from technical controls to ideas on how to increase your employees’ awareness of phishing. In addition to implementing NCSC guidance, you could also consider the NEBRC’s Curious Frank services, where you can get some of our ethical hackers to send a series of ‘test’ phishing emails in your organisation and measure the click rate. It’s really important that you follow these tests up with guidance and support where needed. Our ethical hackers can also help you deliver this, with further bespoke training for the individuals who have fallen foul of the test emails. It’s critical that this training is delivered in a positive way, so that employees don’t feel they are being singled out or punished, and our ethical hackers can do just that. This empowers your employees to feel more confident in tackling phishing emails, whether at home or in the workplace.

Martin Wilson, Head of Cyber and Innovation at the NEBRC.