Is it just us, or is phishing everywhere right now? Banks and insurance companies are telling customers to be wary of scam messages. The Health Service Executive is warning of fake contact tracing calls. The Gardaí and the Irish National Cyber Crime Centre recently alerted small and medium businesses of an increased threat of ransomware attacks. 

Social engineering techniques, such as phishing, target not the systems but the people using them. Phishing and scam emails are – by some distance – the leading cause of ransomware infections, according to Statista. The Verizon Data Breach Investigations Report tells us that 82 per cent of security incidents have a human component. 

So with European Cybersecurity Month here, now’s a good time to familiarise ourselves again with a popular cybercrime tactic. A recent LinkedIn post by Nick McGivney got us thinking about phishing from a different perspective. A copywriter by trade, Nick looked at phishing messages with his professional eye. He argued that they’re effective because of how they combine compelling behavioural economics techniques, crammed into limited space. 

An emotional phish 

As Nick points out, the key is to speak directly to the reader, appeal to their emotion, and engage them to take action as quickly as possible. Ideally, this all happens before they’ve had time to reflect and process whether the message is real or not. 

Don’t get us wrong: we’re not praising cybercriminals for their cleverness. But when you see phishing as a form of behavioural economics, is it any wonder that people fall for it? After all, it’s called social engineering for a reason. Phishing emails or texts are precision crafted to unlock our defences. They bypass rational arguments and appeal to our instincts. They work because they’re literally designed to convince the reader that the message is genuine and urgent. 

Now let’s switch our point of view to a security manager’s. All too often, the knee-jerk reaction after a security breach is to blame the victim: how could they be so naive, or worse, stupid? But how many of us can honestly admit we’ve never once been convinced to buy something we don’t need? Who has avoided the lure of the one-time only, can’t-miss special offer that expires today? It’s the same behavioural economics forces at work. 

To pick some recent common examples, a phishing message might appear to be from your local health authority to inform you of a close contact with a Covid case, or from your bank to warn that your account is frozen, or an ecommerce provider saying there’s a problem with your payment details. 

A message to you

But as the SANS Institute warned recently, attackers are changing their tactics to increase the odds of success. Some have stopped shotgunning thousands of emails to people at random, playing the odds that someone will click the link. Instead of “spray and pray”,  they’re researching their victims and crafting personalised messages that increase the chances of success. 

We’re aware of one Irish organisation that experienced this change in tactics firsthand. Its suppliers recently got emails asking them to verify their information. One giveaway of a scam was that the sender didn’t bother to disguise their email address as the organisation they were impersonating. But there’s a twist: the message contained the genuine supplier ID code for that organisation, along with the recipient’s actual postal address. Seeing your own details in a message would surely make people more likely to click on an infected link. 

Ring of fraud

We’re speculating, but it’s possible this attack may have been the work of a fraud ring. As Jack Alton of NeuroID wrote: “they collect vulnerable PII [personally identifiable information] through breaches, social scanning, phishing emails, and dubious websites. That information is then sold via dark web forums and utilised by individuals and groups to create synthetic identities en masse. These virtual identities are then used to open accounts, purchase merchandise and services, or further distribute malware for other purposes (e.g., spyware, ransomware).”

Other attacker techniques that we’ve observed include:

• Researching people’s social media posts, LinkedIn profiles, or other information that’s either publicly available or on the Dark Web
• Creating messages that appear to come from management, work colleagues, or suppliers the recipient knows and works with
• Referring to a recent conference or trip in an email to appear to come from someone the recipient had met
• Learning about a person’s hobbies and sending them a message pretending to be someone who shares the same interest.

Anyone can be a victim. Over the summer, attackers targeted Christine Lagarde, head of the European Central Bank, by faking a text message to her phone that seemed to come from the former German Chancellor Angela Merkel. (Fortunately, the trick didn’t work.)

The song remains the same

Some of the warning signs of phishing scams have remained the same, as we highlighted in our educational video. But with what we now know about the behavioural economics behind phishing, together with attackers changing up their approach, now is a good time to check your security awareness programme. Is it up to date on teaching people about the latest criminal techniques? Does it take account of how effective some scam messages can be?

Education and awareness are powerful weapons against scammers. One of the most encouraging things about SANS’ recent phishing alert was its closing line. Instead of the stock cybersecurity nonsense of blaming the victim or tut-tutting, it’s a call to arms for everyone. “You are by far the best defence. Use common sense.” 

It’s arguably never been more needed than it is now.