Psychology of phishing
/Everyone gets phishing emails. For scammers, it is probably the most cost effective way of scamming people. Sometimes phish emails are relatively harmless, but often they can be extremely harmful and trick you into parting with you personal passwords, log in details and bank information. I wanted to collect a few to show you the types of phishing emails and psychology behind them, language they use and how the message will make you feel and want to react.
First of all, the biggest and most important message and one I think every fraud agency should use is that phishing emails will have one fundamental thing in common; something to click, be that a link or an attachment. Clicking anything in an email is bad, even if it came from your friends, as people's email accounts can be easily hacked. What you should look for in that case is whether this is out of character for your friend. If so, don't click it.
Let's examine the most frequent phishing emails and how they persuade. Most phishing emails are designed to evoke visceral states. Visceral states are sexual arousal, hunger, greed, fear and so on. When we are under visceral influence, we are likely to bypass careful information processing and act without proper thinking - because we are acting on that visceral influence. When you are starving, you are likely to eat stuff you would reject otherwise, when you are scared of something, you will do anything to save yourself from danger, when you are attracted to someone, you will do anything to get them... so let's see the language used by phishing emails.
Emails offering refunds work by evoking excitement at a prospect of getting money we didn’t expect.
The offer of free money often puts one in a visceral state of excitement and/or greed and this is precisely what the scammer wants. They want you to get excited at the prospect of free money enough to act straight away. Who doesn't like a tax refund.
Notice this one also have an expiration date, which will further influence you to act in the moment, fearful that you will miss a deadline.
Emails offering free prizes are similar to refunds. They evoke excitement.
Free prizes are difficult to resist. They work by compromising careful thinking because emotions take over. But it pays to pay careful attention to warning signs. Keeping the vague will reach a greater number of people. See how postcode is not specified in this one?
Also, this email does not have a typical ‘link’ button. Instead, clicking on yes and no buttons does nothing - so you have to click a link under them, confused that you cannot activate the buttons. Scams offering free prizes often use other scam techniques, such as limiting time to respond, which will also compromise information processing.
Malware emails tend to work by keeping it relevant
Lucky, most virus software filters flag malware attachments these days but note how they targeted me at my university email and they made it very relevant - academics are likely to go to conferences. The more relevant the email appears, the more likely it is that the scammer will be successful so don’t be surprised to see phishing emails that appear highly believable.
Emails that evoke fear
Emails suggesting your account has been suspended, compromised or hacked will induce panic and fear and make you want to sort out the problem as soon as possible. When we are in a state of fear, careful thinking is compromised and therefore, vital clues missed. If you did not initiate this download, you will frantically click the link saying cancel and support. In a state of panic, as this is all you can think about.
This email mentions initiating a download few times, so you get the message that all you have to do is confirm you did not do it yourself and all will be fine. There is another link lower down and that one will probably lead to a legitimate site - scammers are very good at making everything else look exactly so.
I still see advice such as 'hover over a link' to see if it is legitimate but this is now outdated. Good scammers can fake everything, the link will give you an appearance of going to a legitimate place. Email will seem fine.
The only reason why you would need to click a link in an email is if you subscribed to something that minute and you need to verify email or you requested a password change and you need to follow a link.
Scammers cannot get to your details if you don't click links but it helps to understand psychological states the emails are designed to put you in, so you act against your best interests.
If you are worried about your accounts being compromised, call/log in from another source, never use a link.