Have you ever wondered why phishing scams are so successful, even when some seem so obvious? To really understand, we have to dive into the intricacies of human psychology.
The Lure of the Bait
At its core, phishing is like fishing. Instead of baiting a hook with worms to catch fish, scammers bait emails with deceptive messages to “catch” us. And just as fish sometimes swallow the bait without thinking, we humans sometimes click without pausing. But why?
1. Trust in the Familiar
One of the most powerful psychological tools in the scammer’s arsenal is familiarity. When an email appears to come from someone we know, like a colleague, a business partner or vendor, or a company we already deal with, we’re naturally inclined to assume it’s genuine and aboveboard.
Why it works: Our brain loves shortcuts. Recognizing a familiar name, organization, or brand lets our guard down because our brain assumes it’s safe. It’s like seeing a familiar face in a crowd.
How to avoid it: Always check the actual sending address, not just the display name, especially if the email contains unexpected links or attachments. Mail clients, phones in particular, often show only the name, and a scammer can put any name they like in front of any address. The real address might be email@example.com while the scammer sends from firstname.lastname@example.org, or from a domain that differs from the real one by a single swapped character; both look believable at a glance. If you don’t routinely exchange emails with the sender, be doubly cautious.
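The address checks described above can be automated. The following is an added example, not code from the original article: it parses the From and Reply-To headers of a raw message and flags the tricks a scammer uses to look familiar (a real-looking address stuffed into the display name, a domain that differs from a trusted one by a swapped or look-alike character, a trusted name used as a subdomain of the attacker’s domain, a punycode domain, and a Reply-To that sends your answer somewhere else). The trusted-domain list, the sample messages and the look-alike character table are constructed for illustration, and the registrable-domain helper is a deliberate simplification (production code would consult the Public Suffix List).

```python
import email
import re
from email.utils import parseaddr

# Assumption: domains the reader really does correspond with (constructed).
TRUSTED_DOMAINS = {"example.com", "example.org"}

# Single- and two-character swaps commonly used to build look-alike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
PAIR_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def host_of(address):
    """Lower-cased part after the @, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def registrable_domain(host):
    """Last two labels of a host (example.com for mail.example.com).
    Simplification: real code should use the Public Suffix List (example.co.uk)."""
    return ".".join(host.split(".")[-2:])


def normalize(domain):
    """Undo the common look-alike substitutions and drop hyphens."""
    d = domain.lower().translate(CONFUSABLES).replace("-", "")
    for fake, real in PAIR_CONFUSABLES:
        d = d.replace(fake, real)
    return d


def within_one_edit(a, b):
    """Equal, or one substitution, insertion, deletion or adjacent swap apart."""
    if a == b:
        return True
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:
            return True
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def lookalike_of(domain):
    """The trusted domain that `domain` imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if within_one_edit(normalize(domain), normalize(trusted)):
            return trusted
    return None


def check_message(raw):
    """Return a list of (TAG, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_host = host_of(from_addr)
    if not from_host:
        return [("UNPARSEABLE", "no usable address in From header")]
    from_domain = registrable_domain(from_host)
    findings = []
    # A familiar address written into the display name, in front of the real one.
    m = ADDRESS_RE.search(from_name)
    if m and registrable_domain(host_of(m.group())) != from_domain:
        findings.append(("DISPLAY_NAME", f"name shows {m.group()}, message is from {from_addr}"))
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(("LOOKALIKE", f"{from_domain} imitates {imitated}"))
    # A trusted name used as a subdomain of a domain the attacker owns.
    if from_domain not in TRUSTED_DOMAINS and any(
            from_host.startswith(t + ".") or f".{t}." in from_host for t in TRUSTED_DOMAINS):
        findings.append(("SUBDOMAIN_TRICK", f"{from_host} is really under {from_domain}"))
    if any(label.startswith("xn--") for label in from_host.split(".")):
        findings.append(("PUNYCODE", f"{from_host} is an internationalized domain"))
    # Replies go wherever Reply-To points, and the sender chooses that.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and registrable_domain(host_of(reply_addr)) != from_domain:
        findings.append(("REPLY_TO", f"replies go to {reply_addr}, not to {from_domain}"))
    if from_domain not in TRUSTED_DOMAINS and not imitated:
        findings.append(("UNFAMILIAR", f"{from_domain} is not a known correspondent; verify out of band"))
    return findings


def finding_tags(raw):
    return {tag for tag, _ in check_message(raw)}


# Constructed sample messages; only the headers matter here.
MSG_LEGIT = "From: Pat Jones <pat.jones@example.com>\nSubject: Q3 numbers\n\nAttached.\n"
MSG_LOOKALIKE = ("From: Pat Jones <pat.jones@examp1e.com>\nReply-To: billing@mail-relay.net\n"
                 "Subject: Updated bank details\n\nPlease update our account.\n")
MSG_DISPLAY_NAME = ('From: "pat.jones@example.com" <noreply@promo-mailer.info>\n'
                    "Subject: Quick favor\n\nAre you at your desk?\n")
MSG_SUBDOMAIN = ("From: IT Helpdesk <helpdesk@example.com.account-verify.net>\n"
                 "Subject: Password expires today\n\nSign in to keep access.\n")

if __name__ == "__main__":
    for label, raw in [("legit", MSG_LEGIT), ("lookalike", MSG_LOOKALIKE),
                       ("display name", MSG_DISPLAY_NAME), ("subdomain", MSG_SUBDOMAIN)]:
        print(label, check_message(raw) or "no findings")
```

Run it as a script to see each sample scored; the legitimate message produces no findings, while the other three each trigger the trick they were built around. A mail filter would feed real headers into check_message the same way, and anything tagged UNFAMILIAR is exactly the case the text tells you to verify through a separate channel.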
2. The Fear Factor
Scammers often use scare tactics. Warnings like “Suspicious activity detected!” or “Your account will be suspended!” or “Immediate action required!” create a sense of urgency that can bypass our logical thinking.
Why it works: Fear and panic can cause us to act impulsively. Our brain’s primary goal is to keep us safe, so it prioritizes immediate action over thoughtful analysis in perceived crises.
How to avoid it: Take a deep breath. Verify the claim through another channel. If it’s a bank or service provider, call the number on their official website or on the back of your card, not the number in the email. If it’s a social media site (Facebook, I’m looking at you), treat the message as a scam until proven otherwise: open the app or type the site’s address yourself and check your notifications there, rather than following the link in the email.
3. The Promise of Rewards
At the opposite end of the spectrum from fear, phishers also lure with promises. “You’ve won a prize!” or “Exclusive discount inside!” or “Thank you gift enclosed” are tempting offers.
Why it works: We all love rewards. The dopamine rush from getting a deal or winning something can cloud our judgment, making us overlook red flags.
How to avoid it: Remember, if it sounds too good to be true, it probably is. Genuine companies rarely give away products randomly through emails, and if an email explains that you have to pay a small fee in order to claim a big prize, you can bet it’s a scam.
4. Curiosity Didn’t Only Affect the Cat
“See who viewed your profile!” or “You won’t believe what this celebrity did!” Phishing emails might use intrigue to pique our interest. It’s classic click-bait at its finest, this time in the form of email subject lines.
In a business context, the email subject might be something like “Sad to say goodbye” with a clickable link to view a special farewell message from a departing colleague. Except the colleague isn’t going anywhere, and the link just delivered a keystroke logger that will capture your network credentials the next time you log in.
Why it works: Humans are innately curious creatures. We love mysteries and discovering information, even if it’s not particularly relevant to us.
How to avoid it: Resist the urge. If the topic truly interests you, look it up on a trusted news site instead of clicking a suspicious link. In the office, ask in person: talk to the colleague who is supposedly leaving, or to the person in bookkeeping who is supposedly hosting the online “Pampered Candle” party (which isn’t real either).
5. Authority and Obedience
Phishing emails that appear to come from authoritative figures or institutions, like a CEO or the IRS, exploit our natural tendency to obey figures of authority. “Send this ASAP” or “Please read and get me your thoughts before end of day” or “This form needs to be completed” are commands that are tough to ignore.
Why it works: From childhood, we’re conditioned to obey figures of authority. When a “boss” tells us to do something, our instinct is to comply without questioning.
How to avoid it: Question everything. Even if the email seems to come from your boss or a government agency, verify its authenticity through other means before taking action. Likewise, if an email contains ONLY a link with no context, assume it’s a nefarious email until you have evidence to the contrary. And don’t just reply to that email: a reply goes wherever the sender’s Reply-To header points, and the attacker chooses that. Send a separate email to the address you already have on file, or use your internal chat to ask the boss, to verify the request is legitimate.
Protecting Ourselves in a Digital Age
Understanding the psychology behind phishing is the first step towards protecting ourselves. Knowledge, in this case, truly is power. The next time you receive an email that seems a little off, you’ll be better equipped to recognize the psychological tricks at play.
Moreover, it’s essential to equip ourselves with basic cybersecurity knowledge. Just as we lock our homes to protect against intruders, we should also “lock” our online presence by using strong, unique passwords (a password manager makes this practical, and because it fills credentials only on the site where they were saved, it stays silent on a look-alike login page), enabling two-factor authentication, and being cautious about the links we click and the information we share.
In today’s digital age, where our lives are increasingly online, it’s not just about protecting our devices but understanding the cognitive traps and biases that make us vulnerable. By doing so, we can outsmart the scammers and keep our digital world safe.