Understanding the science behind Phishing attacks, and how to prevent them

Fight the Phish… and the Lizard

Social engineering continues to be one of the most common cyber-attack strategies. Phishing, a form of social engineering attack, was the most common type of cybercrime in 2020, according to the Federal Bureau of Investigation. Scammers cast a wide net with phishing attempts designed to entice recipients to click on malicious links or attachments.

A recent Wall Street Journal article said that our cognitive biases are the biggest cybersecurity threat. Cybercriminals “take advantage of the unconscious processes that we all use to make decision making more efficient” – known as the “lizard brain”, it is the most primitive part of the brain that controls unconscious practices.

People tend to perceive information based on their own experiences and preferences leading to cognitive biases. Our minds use these biases to act quickly and automatically often without considering the ramifications. Social engineering scams capitalize on these biases and rely on humans naturally invoking mental shortcuts to reflexively click. Here is a list of examples:

Cognitive Biases and Social Engineering

• Loss aversion: more likely to click on a phishing link if it claims that a service is purportedly being disconnected versus a similar offer to pay a lower monthly fee.
• Authority bias: impersonating a person of authority or an executive to collect information.
• Urgency bias: conveying a sense of urgency such as a link that will expire after 24 hours.
• Halo effect: spoofing a website or an email address of a well-respected organization, brand, or person.
• Present bias: instant gratification such as a clickable link to a pre-release of a new gaming app.
• Availability bias: holding false beliefs or making judgments on what we’ve most recently experienced or seen, say on a social media channel.
• Optimism bias: thinking that you’re too smart to get scammed.

Phishing continues to be the top method used to breach a network. There are many types of phishing attacks listed below.

• Spear Phishing: targets a recipient and includes personal or professional details to boost credibility.
• Angler Phishing: the practice of masquerading as a customer service account on social media with the intention of reaching a disgruntled customer.
• Whaling: a highly targeted phishing attack on someone in a powerful position.
• Business Email Compromise: cybercriminals impersonate company executives to trick employees into sending confidential information or wire transfers to bank accounts.
• SMiShing: the process of sending a text message requesting sensitive information or including a malicious link.
• Vishing: fraudulent phone call or voice mail message from an allegedly reputable organization with the intent of obtaining personal information.
• Consent Phishing: intended to trick people into granting a malicious app access to sensitive data stored in the cloud.
• Visually Deceptive Phishing: “homograph” or “homoglyph” attacks using visually similar characters to spoof legitimate websites or email addresses.

Security Smart Resources for Everyone

There are many free online resources available that offer ways to practice good cyber hygiene. Click on the highlighted links below to access resources. 

• Stay Safe Online: downloadable tip sheets, videos, and other resources to protect yourself and your family including: Security Tips for K-12 for Students and Parents and Security Tips for Higher Education
• Stop. Think. Connect: national public awareness campaign for all ages aimed at increasing the understanding of cyber threats.
• Savvy Cyber Kids: to help parents and teachers educate children about cyber safety, ethics, and other aspects of their daily tech lives.
• I Am Cyber Safe: making the cyber world a safer place with tools and information about cyber bullying, safe shopping, social media, gaming, and more.
•  Cyber Safety for Young Americans: a fun and informative program that promotes cyber citizenship and focuses on the essentials of online security for students in third to eighth grades.
•  Be Cyber Smart: designed to inspire the younger generation of Americans to learn the basics and take responsibility for their own cyber safety.
• CyberPatriot: initially created as a national youth education program to inspire K-12 students, it has grown to include initiatives to protect senior citizens and encourage volunteerism:
  CyberGenerations: to educate senior citizens who are often the targets of scammers.
  Tech Caregivers: to encourage cyber savvy volunteers to give back to the senior citizens in their communities. The training course document is a good tool to aid in starting conversations with friends and family.
•  SANS Cyber Aces: online courses to strengthen existing knowledge for interested newcomers including high school students.
• CyberStart America: immersive training game for high school students.