Email phishing has reigned as the top internet crime since 2019, with over 320,000 victims last year, according to the “FBI’s 2021 Internet Crime Report” [1]. The concept of email phishing is not new; however, the rate of these crimes continues to increase.
To combat this threat, large investments are being made in technical mitigations. However, the underlying problem is human nature. In the technical arena, training activities often focus on what, rather than why. Perhaps helping users understand why they are susceptible to certain phishing solicitation techniques may help reduce the underlying threat.
Reviewing contemporary literature, we find that the psychology of phishing is an area of active research. In this literature, I found a few interesting points:
- User demographics can play an important part as to which types of phishing emails users may be susceptible to, and thus trainings may need to be tailored per demographic [2][3][4]
- Email volume can be a factor in a user’s likelihood of failing a phishing attack [2].
- If phishing emails are rare, a user may have an increased likelihood of failing the phishing attack [3].
With regard to demographics, many papers use Cialdini’s categories of persuasion to describe the types of phishing emails to which users may be more susceptible [4][5]. These categories, first described in Cialdini’s book Influence: The Psychology of Persuasion, are listed below:
- Scarcity
- Authority
- Commitment
- Liking
- Perceptual contrast
- Reciprocation
- Social proof
Now let’s consider how these persuasion techniques could be used in a phishing attack.
Scarcity could be used to indicate that only a small quantity of a desirable reward exists and that a user needs to act quickly to receive the reward. Consider an email that asks a user to respond immediately or they could miss out on a desirable item, such as a free gift.
Authority could be used by falsely claiming to be with a government group and that a nonresponse could result in a penalty. Consider an email which claims to be from the government and the user must respond or be threatened with jail time.
Commitment could be used by claiming that the user had previously made an agreement and they must fulfill their agreement. Consider an email which claims that a user had previously signed up for a service and thus a response is required.
Liking uses an existing favorable relationship. Consider an email which uses the false identity of a known friend to attempt to lower a user’s suspicion.
Perceptual contrast uses multiple messages to make a user more susceptible to a later message. Consider some new event in the news and, subsequently, an email which presents a solution to the news item.
Reciprocation could be seen as a need to fulfill repayment for a good or service received. Consider an email which claims a user needs to do something in repayment.
Social proof takes advantage of a user’s desire to be part of a group or tribe. Consider an email which claims that most people in a group do a certain action.
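An awareness team that wants to know which of these levers its users actually fall for needs to label reported or simulated phishing emails by persuasion cue. The following is an added example, not code from the original post: a small rule-based tagger whose cue phrases and sample lures are constructed illustrations (not a validated lexicon), with perceptual contrast deliberately left out because it depends on an earlier, separate message and cannot be read from one email.

```python
import re
from typing import Dict, List

# Constructed cue patterns per Cialdini category (illustrative, not a validated lexicon).
# "Perceptual contrast" is omitted: it relies on a prior, separate message.
CUE_PATTERNS: Dict[str, List[str]] = {
    "Scarcity": [r"\bonly \d+ (left|remain)", r"\bact (now|immediately)\b",
                 r"\bmiss out\b", r"\blimited time\b", r"\bexpires? (today|in \d+)"],
    "Authority": [r"\b(irs|federal|government|law enforcement|police)\b",
                  r"\b(penalt(y|ies)|fine|arrest|jail|legal action)\b"],
    "Commitment": [r"\byou (signed up|agreed|registered|subscribed)\b",
                   r"\byour (subscription|agreement|enrol+ment)\b"],
    "Liking": [r"\b(hey|hi) (there|friend|buddy)\b", r"\bit'?s me\b",
               r"\blong time no (see|talk)\b"],
    "Reciprocation": [r"\bin return\b", r"\bwe (gave|sent) you\b",
                      r"\byou (owe|received)\b", r"\brepay"],
    "Social proof": [r"\b(most|everyone|all) (of )?(your )?(colleagues|people|users|team)\b",
                     r"\bhave already\b", r"\bjoin (the )?\d+"],
}

_COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
             for cat, pats in CUE_PATTERNS.items()}


def score_cues(text: str) -> Dict[str, int]:
    """Count how many cue patterns of each category match the email text."""
    return {cat: sum(1 for rx in rxs if rx.search(text)) for cat, rxs in _COMPILED.items()}


def tag_lure(text: str) -> List[str]:
    """Return the categories with at least one matching cue, strongest first."""
    scores = score_cues(text)
    return sorted((c for c, s in scores.items() if s > 0), key=lambda c: (-scores[c], c))


# Constructed sample lures mirroring the scenarios described in the post.
SAMPLES = {
    "gift": "Act now! Only 3 left. Respond immediately or miss out on your free gift.",
    "gov": "This is a Federal notice. Failure to reply will result in arrest and jail time.",
    "signup": "You signed up for this service; your subscription requires a response.",
    "friend": "Hey buddy, it's me, long time no see, can you open this for me?",
    "repay": "We sent you a voucher last week. In return, please confirm your details.",
    "tribe": "Most of your colleagues have already joined; don't be the last one.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:7s} -> {tag_lure(text)}")
```

Aggregating the tags per user group over a simulation campaign gives the per-demographic picture the cited studies suggest training should be tailored to.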
We each have our own personal biases based on our background and life experiences. Understanding the techniques of influence which an adversary may use can perhaps help keep us from falling into their phishing traps.
- Federal Bureau of Investigation, “Internet Crime Report 2021.” Available: ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf.
- S. Kleitman, M. K. H. Law and J. Kay, “It’s the Deceiver and the Receiver: Individual Differences in Phishing Susceptibility and False Positives With Item Profiling,” PLoS ONE, Vol. 13, Issue 10.
- D. M. Sarno and M. B. Neider, “So Many Phish, So Little Time: Exploring Email Task Factors and Phishing Susceptibility,” Human Factors.
- Cybersecurity & Infrastructure Security Agency, “Official Alerts and Statements - FBI.” Available: cisa.gov/stopransomware/official-alerts-statements-fbi.
- Y. Hanoch and S. Wood, “The Scams Among Us: Who Falls Prey and Why,” Current Directions in Psychological Science, Vol. 30, Issue 3, pp. 260–266.
- D. Oliveira, H. Rocha, H. Yang, D. Ellis, S. Dommaraju, M. Muradoglu, D. Weir, A. Soliman, T. Lin, and N. Ebner, “Dissecting Spear Phishing Emails for Older vs Young Adults: On the Interplay of Weapons of Influence and Life Domains in Predicting Susceptibility to Phishing,” CHI '17: Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems.
- N. C. Ebner, D. M. Ellis, T. Lin, H. A. Rocha, H. Yang, S. Dommaraju, A. Soliman, D. L. Woodard, G. R. Turner, R. N. Spreng, and D. S. Oliveira, “Uncovering Susceptibility Risk to Online Deception in Aging,” The Journals of Gerontology: Series B, Vol. 75, Issue 3, pp. 522–533.