Phishing attacks have continued to be among the most widely used and persistent methods of cyberattack in an increasingly digitized workplace. Even with ongoing education programs on phishing, advanced filtering systems for email and access to technology (hard and soft), organizations have yet to eliminate or significantly reduce the risks of employee phishing attacks.
So why does this still happen? Why do individuals continue to click on phishing emails with full awareness of the potential risks? The answer to this question involves not technological change but rather human behavior and the ways in which cybercriminals manipulate human emotions and cognitive biases to succeed in carrying out a phishing attack.
Cybercriminals do not just target system weaknesses; they target human beings and their behaviors as well. Phishing attacks use strong emotional and instinctual appeals to manipulate victims into clicking links contained within phishing emails. In general, employees fall victim to phishing not because they lack the ability to reason, but because they can be targeted with messaging that circumvents their rational thought process and triggers their instinctual impulses.
Phishing email attacks succeed because they appeal to some of our most basic emotions, and fear is often the strongest motivator. By threatening account suspension, financial loss, or a security breach, the attacker creates a sense of urgency in the target's mind. Curiosity also plays an important role, as subject lines typically encourage users to open attachments or click links to "see more." Trust is a significant factor, as phishing emails often mimic the name of an individual (e.g., your boss), the name of your company (e.g., Microsoft), or a popular brand (e.g., your bank), which makes the email appear legitimate. Each of these emotional motivations, including the promise of rewards, bonuses, or exclusive offers, can influence a person's behavior so that they act on the phishing email.
When trying to process information quickly, employees often rely on mental shortcuts, which makes them vulnerable to attackers who deliberately exploit those shortcuts. Specifically, the following features of how a person processes information are exploited:
In today’s workplaces, speed and efficiency are essential. Employees are typically expected to respond to email quickly, handle several high-priority items at once, and meet aggressive deadlines; all of this limits the time available to evaluate an email thoughtfully and increases the chance of an error. Additionally, poorly designed security training, or a lack of reinforcement even for well-trained employees, increases the likelihood that employees fall for phishing attempts.
Phishing attempts are no longer limited to poorly written messages with obvious red flags. Today’s attackers use advanced techniques such as personalized spear phishing, AI-generated messages, and deepfake impersonation. These methods let attackers craft highly convincing messages tailored to specific individuals or organizations, making them much harder to detect than before. As phishing attacks continue to evolve, traditional security awareness programs alone will not be sufficient to protect against this growing threat.
To address phishing effectively, organizations need to take a human-centered approach to security rather than simply provide basic training. They should run ongoing, engaging awareness programs; conduct realistic phishing simulations; and create an environment in which people feel safe reporting phishing attempts because reporting carries no personal risk. Security should become part of the day-to-day workflow, not a one-time training session.
Additionally, layered security controls, such as multi-factor authentication, email security solutions, and behavioral analytics, can significantly reduce the severity of impact when a phishing attack does succeed. Combining human awareness with technological defenses produces a stronger and more resilient security posture.
When phishing attacks succeed, it is typically not because employees were negligent; rather, it is because attackers understand human psychology better than most organizations anticipate. Addressing the psychology of user behavior, raising awareness through education, and providing technology that reinforces security will together reduce the business's exposure to risk.
Ancrew Global Services provides advanced cybersecurity solutions that assist organizations in building the human defense layer, detecting phishing attacks in real-time, and developing resilient security strategies against continuously changing social engineering threats.