
Understanding the science behind Phishing attacks, and how to prevent them

Oct 22, 2021 | Cybersecurity, Safety Tips, Technology, Technology Insurance

Fight the Phish… and the Lizard

Social engineering continues to be one of the most common cyber-attack strategies. Phishing, a form of social engineering attack, was the most common type of cybercrime in 2020, according to the Federal Bureau of Investigation. Scammers cast a wide net with phishing attempts designed to entice recipients to click on malicious links or attachments.

A recent Wall Street Journal article said that our cognitive biases are the biggest cybersecurity threat. Cybercriminals “take advantage of the unconscious processes that we all use to make decision making more efficient”. Those processes are popularly attributed to the “lizard brain”, the most primitive part of the brain, which controls our unconscious, automatic behaviour.

People tend to perceive information through the lens of their own experiences and preferences, which gives rise to cognitive biases. Our minds use these biases to act quickly and automatically, often without considering the consequences. Social engineering scams capitalize on these biases, relying on people's natural use of mental shortcuts to click reflexively. Here are some examples:

Cognitive Biases and Social Engineering

  • Loss aversion: a recipient is more likely to click a phishing link that claims a service is about to be disconnected than a comparable message offering a lower monthly fee.
  • Authority bias: impersonating a person of authority or an executive to collect information.
  • Urgency bias: conveying a sense of urgency such as a link that will expire after 24 hours.
  • Halo effect: spoofing a website or an email address of a well-respected organization, brand, or person.
  • Present bias: instant gratification such as a clickable link to a pre-release of a new gaming app.
  • Availability bias: holding false beliefs or making judgments on what we’ve most recently experienced or seen, say on a social media channel.
  • Optimism bias: thinking that you’re too smart to get scammed.

Phishing continues to be the top method used to breach a network. There are many types of phishing attack; common ones are listed below.

  • Spear Phishing: targets a recipient and includes personal or professional details to boost credibility.
  • Angler Phishing: masquerading as a customer service account on social media in order to reach disgruntled customers.
  • Whaling: a highly targeted phishing attack on someone in a powerful position.
  • Business Email Compromise: cybercriminals impersonate company executives to trick employees into sending confidential information or wire transfers to bank accounts.
  • SMiShing: sending a text message (SMS) that requests sensitive information or includes a malicious link.
  • Vishing: a fraudulent phone call or voicemail message purporting to come from a reputable organization, made with the intent of obtaining personal information.
  • Consent Phishing: intended to trick people into granting a malicious app access to sensitive data stored in the cloud.
  • Visually Deceptive Phishing: “homograph” or “homoglyph” attacks using visually similar characters to spoof legitimate websites or email addresses.
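
A detection-side illustration of the homograph attack named in the last item, added here as an example and not part of the original post: it folds look-alike characters to their Latin counterparts and flags a hostname that either mixes scripts inside one label or collapses onto a protected brand name. The confusable table, the `apple.com` protected-domain set used in the checks, and the function names are constructed for this example; the full look-alike mapping is published in Unicode TR39.

```python
import unicodedata

# Hand-picked confusable table (constructed for this example): look-alike -> Latin letter.
# Unicode TR39 publishes the full mapping; this subset covers classic Cyrillic/Greek cases.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

def script_of(ch):
    """Coarse script name taken from the Unicode character name; digits, '-' and '.' are neutral."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def skeleton(label):
    """Fold every confusable character to its Latin look-alike (a simplified TR39 skeleton)."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def analyze_hostname(host, protected):
    """Check one hostname against a set of protected (ASCII) brand hostnames.
    Reports two independent signals: a label mixing scripts (a Cyrillic 'a' inside a Latin
    word) and a skeleton that collapses onto a protected name even when the whole label
    is written in a single non-Latin script, which a mixed-script check alone misses."""
    # NFKC folds full-width and other compatibility forms before any comparison.
    host = unicodedata.normalize("NFKC", host.strip().rstrip(".").lower())
    labels = host.split(".")
    scripts = [{script_of(ch) for ch in label} - {"COMMON"} for label in labels]
    mixed = [labels[i] for i, s in enumerate(scripts) if len(s) > 1]
    sk = ".".join(skeleton(label) for label in labels)
    try:
        punycode = host.encode("idna").decode("ascii")  # the name as it appears on the wire
    except UnicodeError:  # label rejected by IDNA (nameprep); still report the other signals
        punycode = None
    impersonates = sk if sk != host and sk in protected else None
    return {
        "punycode": punycode,
        "mixed_script_labels": mixed,
        "skeleton": sk,
        "impersonates": impersonates,
        "suspicious": bool(mixed) or impersonates is not None,
    }
```

Feeding user-clicked URLs or inbound sender domains through `analyze_hostname` at a mail gateway or proxy gives a cheap, explainable signal; the punycode form is also what to search for in DNS and proxy logs, since that is how the spoofed name is actually resolved.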

Security Smart Resources for Everyone

There are many free online resources available that offer ways to practice good cyber hygiene.
