Phishing from the Victim's Perspective

Delores was in the middle of another busy day. Being understaffed, the people at the nonprofit where she worked were constantly overwhelmed. She got her start with the agency when her friend (now her boss) hired her on. Being friends, Delores and her boss often asked each other for favors. Shortly before Christmas of last year, Delores received an email from her boss asking for one of those favors. Here’s what followed:

Boss: “Are you busy?”

Delores: “No”

Boss: “Can you do me a favor?”

Delores: “Sure, what’s up?”

Boss: “I lost my purse with my phone in it. I’m borrowing a friend’s phone; can you text me at this number: xxx-xxx-xxxx?”

Delores texted the number.

Friend’s Phone: “I’m in a real bind, I need to get gift cards for all of the other team members to give out as prizes for the holiday party. I lost my purse with everything in it and can’t buy them. I need to get them today so that we will have them in time for the party. Can you help me out?”

Delores: Although this was an unusual request, Delores was happy that she was able to help her friend. After a few hours she purchased $1,600 worth of iTunes gift cards online and forwarded them to her boss. 

Friend’s Phone: “Please keep this a secret, it is a surprise for the holiday party.”

The real surprise came when Delores realized that it was not her boss that she had purchased the cards for. The recent shift to work-from-home has led to a boom of online social engineering attacks.[1] I have interviewed multitudes of victims to understand how and why people fall prey to these scams. This is how I came to meet Delores (not her real name).

Her interview helped me gain a better perspective on scams from the victim’s point of view. What would’ve been “red flags” to me made sense in Delores’ context.

When I give presentations to security professionals, I frequently observe chuckles or comments about the naïveté of victims. But after years of research in this field, I have come to believe that context shapes susceptibility.

Top-Down vs. Bottom-Up Cognitive Processing

Human cognitive processing works in two “directions”: from the “bottom-up,” as in observing information from the environment and making inferences, and from the “top-down,” as when we have an expectation and fill in the gaps. While “seeing is believing,” the opposite — “believing is seeing” — is also often true.

An easy way to experience this for yourself is to look at ambiguous figures. If you look at a site like this one, you will see that figures appear to be one thing or another. But if you are told ahead of time what to expect to see, then you will be more likely see that form. This may cause people to miss cues even when they look directly at them.

A fantastic example was demonstrated when people were instructed to watch a video of a basketball game and count the number of passes between players. Unbeknown to the observers, a person in a gorilla costume obviously walks through the middle of the scene during the video.[2] Most observers do not “see” the person in the gorilla costume even when they look directly at them, as verified by eye tracking studies.[3]

The Consequences of Not Clicking

A study by the National Institute of Standards and Technology found that people were more likely to click on the links within phishing emails when the premise of the email aligned with the person’s job role or expectations for an email. This might not be surprising. But what was startling was how often these same people noticed cues in the email such as a mismatched hyperlink or misspelling that they questioned, but then justified because the email fit with their expectations.

This study also found that people who clicked on hyperlinks in phishing emails did so because they were concerned about the consequences of not clicking on the link.[4] How many employees in your organization have been reprimanded for failing to follow up on a legitimate email?

The most convincing phishing email I have encountered used the premise of a late warning for a missed training deadline. The email displayed the company logo, used proper grammar and included the threat of notifying the employee’s supervisor if the training was not completed immediately. Unfortunately, these tactics leverage our cognitive processes against us, and there is little we can do to change that. But this does not mean that all is lost.

The Bottom Line

Here are three points to keep in mind when educating users about phishing threats:

• Understand that users who fall for phish likely encountered a situation that closely aligned with their expectations or beliefs. If circumstances were slightly different, they may not have fallen prey to the scammer.
• While awareness is a necessary first step, by itself it is not enough. People need to develop safe email habits. Among paramedics there is an adage, “Which patient has a contagious disease? All of them.” Paramedics treat every patient as potentially contagious. Building consistently safe email habits is critical, even for handling personal emails. The “repeat clickers” I have interviewed can cite the correct security policies but fail to behave accordingly. They have poor habits, not a lack of knowledge.
• Finally, think about how policies might work against security. With the training email example, an employee who suffers serious consequences for failing to complete training is more vulnerable than one who has less to lose. Ask yourself how attackers might leverage well-intentioned policies to their benefit.

[1] “820% jump in e-gift card bot attacks since COVID-19 lockdowns began,” TechRepublic

[2] “The Invisible Gorilla,” Christopher Chabris and Daniel Simons

[3] “The Invisible Gorilla Strikes Again,” Trafton Drew, Melissa L. H. Vo and Jeremy M. Wolfe

[4] “User Context: An Explanatory Variable in Phishing Susceptibility,” Kristen K. Greene, Michelle P. Steves, Mary F. Theofanos, Jennifer Kostick