We shared results of a survey today that dove into the phishing knowledge and clicking habits of 4,000 office workers across the U.S., U.K., Australia, and Japan (1,000 per region). What jumped out to me was the psychological tricks and triggers that cybercriminals deploy to entice people to click. That, and the bad habit of nearly a third of respondents who did not change their password after their data had been breached! (Come on guys, you’re better than this.)
To learn more about the psychological aspect, I sat down for a Q&A with Dr. Cleotilde Gonzalez, a Research Professor at the Department of Social and Decision Sciences at Carnegie Mellon University. Her research work focuses on the study of human decision making in dynamic and complex environments, and she is an expert in the field of Behavioral Cybersecurity.
Drew: Thanks for taking the time to share additional information with our Community. First up, psychologically, why does urgency work in a phishing email? Why does a note of authority entice us to click?
Cleotilde: The results show that people are very overconfident in their ability to detect a phishing email, when in reality they are very poor at it. The effect of urgency depends on context and familiarity. The context an email is coming from matters a lot. For example, if I am expecting to receive a note from my boss, or if it is typical that my boss emails me, then I create higher expectations for that scenario, and this increases my confidence that this is surely not a phishing email.
Spear phishing takes advantage of familiarity and context, meaning that the things that are more familiar to me I tend to trust more. This familiarity increases my expectations that this email, note, text etc. is meant for me and gives me confidence that it is not a phishing attack.
Drew: Makes sense, if we expect something, we are more open to receiving it. What about the scary stat around password hygiene? Nearly half of office workers have had their data compromised, and only 68% of them changed their passwords after their data was compromised. Is there any reason why people wouldn’t change their password after finding out their data was compromised?
Cleotilde: One possibility in this case is a tradeoff, a tradeoff between work (productivity) and security. Security and productivity are always in a continuous tradeoff. People would rather postpone the data backup or antivirus installation in favor of getting work done; work is what gives them the reward. Security doesn’t provide an immediate reward; it isn’t the same tangible reward that work offers.
Drew: Shifting gears, why do you think people are happier, or more inclined, to click on links outside of the workplace?
Cleotilde: What comes to mind initially here is the fact that phishing emails are still rare compared to regular or spam emails. From a psychological perspective, this rareness makes us underweigh the probability of something bad, like getting phished, happening to us. Given that phishing emails are rarer than regular or spam emails, people will underweigh the probability of receiving a phishing email. When something is rare, our minds make it even rarer. People tend to think bad things won’t happen to them, so with this mentality they will click more.
Drew: Do you think it’s more likely that people let their guard down outside of work?
Cleotilde: There could be a difference in the way people process emails inside and outside of work. For example, I have my personal email account and my job account. It’s possible that the job account has more protection and therefore I have different expectations of what emails I am observing during my workday. The context in which I am viewing work and personal emails is different, but in reality, a lot of people mix their work and personal emails.
This can be problematic, as it creates expectations within the wrong context, and you could end up clicking where you shouldn’t.
Drew: The next area I want to discuss is alarming for me as well. While individuals claim they can spot a phishing attack, a large percentage don’t recognize the variety of platforms through which phishing can be conducted. Why do you think people are overconfident in their ability to spot a phishing attack?
Cleotilde: In general, overconfidence is a big problem, and not only in phishing. Humans tend to be overconfident in almost everything they do. This comes from how we weigh rare events. The ratio of phishing emails to regular or spam emails is low, and our minds tend to underweigh the probability of something bad happening. If I am underweighing the probability of receiving a phishing email in my mind, then I am overweighing my ability to handle receiving a phishing email. It is the frequency of the type of email that matters, because our minds, especially when we make decisions from experience, store these frequencies of events. Two major cognitive psychological ideas come into play here: the frequency and recency of phishing emails. For example, if you received a phishing email yesterday, you are going to be more careful today. Recency is an important variable.
Drew: Is part of the reason people are unable to identify other phishing attack vectors (like phone calls or mail) because we don’t communicate through those channels as much anymore?
Cleotilde: The issue here has to do with base rates. If you count the number of phone calls you receive per day compared to the number of emails you receive per day, they will be significantly lower. It is also possible that people’s awareness around phishing, and knowing how phishing works, comes into play here. The majority of the time, in the media and at work, people talk about phishing through email and not clicking links. It could be that people just know email is the most common way phishing attacks are conducted because it’s talked about the most.
Drew: That makes sense and has certainly been in the headlines this year. The survey also found that half of office workers have clicked on a link in an email from an unknown sender, and 35% admitted to doing it more than once. Any thoughts around why this common knowledge – not to click on anything from an unknown sender – is being ignored?
Cleotilde: This is surprising, since phishing emails commonly play into the familiarity concept. However, if people expect to receive emails from outside their workplace, that would explain why people continue to click. This all relates back to expectations. If a worker is expected to communicate with people outside their organization, they will feel comfortable opening and answering emails from unknown senders. Remember, though, that an email from an unknown sender is not the only attribute or cue that people look out for when it comes to phishing emails; people also look for whether the email is asking for private information or whether there are typos in the email.
Drew: In your opinion, what makes people take the risk and click?
Cleotilde: Risk and underweighing the probability that something will happen, the rarity of something, are interlinked. For example, say I receive a phishing email; when I click I ‘lose,’ but that doesn’t happen very often, and because it doesn’t happen very often I don’t ‘lose’ much. This makes me a risk taker. If the risk isn’t very significant, I might continue to click and believe that the ‘reward’ might actually come through. The imbalance between the rarer losses and the more common gains is what makes people take more risks. It is like gambling; our minds work in a sampling process. We explore the environment and have various experiences, and the frequency and value of these experiences, the gains and losses, create a balance of expectations that will produce different risk-taking or risk-averse situations.
Thanks for the additional insight, Cleotilde.
To learn more or read the full report, visit Webroot.com/click