Why do phishing attacks work? Blame the humans, not the technology

Cyber criminals know that people want to take the easiest route to resolving an issue, and phishing emails are designed to take advantage of that.
Written by Danny Palmer, Senior Writer

Phishing attacks remain a huge problem, and attackers invest considerable time and effort in making the malicious link the most intuitive and easiest thing for the potential victim to click.

A common technique in phishing emails is to claim that the victim must click a link or open an attachment as a matter of urgency.

The pretext can be anything from important corporate documents in an enterprise environment, to a parcel delivery notification, a prize win, or even a phony court summons.


The messages are designed so that clicking the phishing link is the path of least resistance, leading the user to a page built to harvest login credentials or other personal information.

Attackers build these phishing pages to look almost indistinguishable from the legitimate site they mimic, so the whole operation feels smooth and gives the user no reason to suspect anything is wrong.

"Part of the problem is that phishing signals are often indistinguishable from positive user experience attributes," Troy Hunt, creator of HaveIBeenPwned and digital advisor to Nord Security, told ZDNet Security Update.

"It's easy when you've got a link, because you just click on it and you go straight to the right place and it deep links you through to that potentially fraudulent transaction," he added.

For example, if a user suspected that an email claiming to be from their bank might be a phishing attempt, they could choose not to follow the link and instead open a new browser window, type the bank's address themselves, and check there whether a message really was waiting on their account.

By doing this, they avoid the potentially dangerous phishing link entirely. But phishing attacks remain successful because people can still be persuaded into clicking links.


This is despite a recent privacy survey by NordVPN suggesting that, while people say they know how to stay safe online, they still fall victim to phishing and other cyberattacks, because cyber criminals are highly skilled at using social engineering to manipulate victims into doing what they want.

"Humans are ultimately fallible. Unfortunately it's the organic matter behind the keyboard that is often the vulnerable part of the loop," said Hunt.

"We need to have that balance of the education and the training, with the technology to back it up and help us out when things do go wrong," he added.

Organisations can train staff to recognise phishing attacks, and encouraging the use of tools such as multi-factor authentication and password managers adds protection when someone does click: a password manager only fills credentials on the site it saved them for, so a lookalike page receives nothing, and multi-factor authentication limits what a stolen password alone can unlock.
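The origin check a password manager performs, and the reason the "type the bank's address yourself" advice above is safer than eyeballing a link, can be shown in a few lines. The following is an added example written for this page, not code from ZDNet, Nord Security or any password manager. The trusted hosts (`bank.example` and friends), the attacker host `evil.example` and the four email links are all constructed for illustration; the point is that the decision is made on the link's real host, parsed from the URL, never on the text the email shows the reader.

```python
from urllib.parse import urlsplit

# Constructed for this example: the only hosts the user's bank actually uses.
# A password manager holds the equivalent of this set per saved login.
TRUSTED_HOSTS = {"bank.example", "www.bank.example", "online.bank.example"}


def real_host(url: str) -> str:
    """Return the host a URL actually resolves to, lowercased, without a trailing dot.

    urlsplit handles the classic tricks for us: anything before '@' is userinfo,
    not the host, and a port is stripped from hostname.
    """
    return (urlsplit(url.strip()).hostname or "").lower().rstrip(".")


def link_matches_trusted_site(url: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """True only if the link's real host is a known bank host and the scheme is HTTPS.

    This mirrors what a password manager checks before autofilling: the page's
    actual origin, not what the message claims. A host that merely *contains*
    the bank's name (e.g. www.bank.example.evil.example) does not match.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    return real_host(url) in trusted_hosts


def shown_host(display_text: str) -> str:
    """Extract a host from the visible link text, if that text looks like a URL.

    Plain words such as "Review your account now" carry no host to compare.
    """
    text = display_text.strip()
    if " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "https://" + text
    return real_host(text)


def anchor_is_deceptive(display_text: str, href: str) -> bool:
    """Flag a link whose visible text names a different host than its real target."""
    visible = shown_host(display_text)
    target = real_host(href)
    return bool(visible) and bool(target) and visible != target


# Constructed sample: (visible link text, actual href) pairs as they might appear
# in a phishing email. None of these are real messages or real domains.
CONSTRUCTED_EMAIL_LINKS = [
    ("https://www.bank.example/secure", "https://www.bank.example/secure"),               # genuine
    ("https://www.bank.example/secure", "https://www.bank.example.evil.example/secure"),  # lookalike subdomain
    ("www.bank.example", "https://www.bank.example@evil.example/login"),                 # userinfo trick
    ("Review your account now", "http://online.bank.example/"),                          # right host, no TLS
]


def triage_links(links=CONSTRUCTED_EMAIL_LINKS):
    """Classify each link: would an origin check trust it, and does its text lie about the host?"""
    return [
        {
            "href": href,
            "trusted": link_matches_trusted_site(href),
            "deceptive_text": anchor_is_deceptive(text, href),
        }
        for text, href in links
    ]


if __name__ == "__main__":
    for row in triage_links():
        print(f"trusted={row['trusted']!s:5} deceptive_text={row['deceptive_text']!s:5} {row['href']}")
```

Only the first link passes the origin check; the two lookalikes fail because their real host is `evil.example` or a subdomain of it, even though the bank's name appears in the URL, and the last fails because it downgrades to plain HTTP. This is exactly the comparison a user cannot reliably do by eye in an email client, which is why opening a fresh window and typing the known address sidesteps the problem altogether.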

