The holidays are fast approaching, and with retailers and consumers getting ready for the biggest sales of the year on Black Friday (the 26th of November), cybercriminals, who have been perfecting their social engineering techniques, are also gearing up to wreak havoc.
It’s prime time for scammers and scams alike, particularly of the phishing kind. Something like 3.4 billion phishing emails are sent every day, and phishing scams account for half of all fraud attacks. According to the Australian Retailers Association and Roy Morgan, Australians alone are predicted to spend over $58 billion on pre-Christmas shopping – an increase of around 11% on 2019 pre-pandemic spending. Black Friday and Cyber Monday sales brought in almost $10.8 billion in 2020. Combined, these figures are staggering, and they are a very real warning to consumers and businesses alike to remain extra vigilant when shopping online and clicking on links in emails, which could well be phishing attacks designed to steal your credentials for costly criminal activity.
The Psychology of Phishing
At MailGuard, we know all too well the consequences of phishing scams. We intercept thousands of emails every day to protect businesses from the disastrous effects of employees or customers clicking on a link that could have devastating consequences. Identity theft, financial loss, reputational damage, ransomware encryption, and the shutting down of your business operations are just a few of the implications. One click is all it takes. The repercussions can last for months or even years afterwards, or in the worst cases mean the end of a business. Scammers are only getting more sophisticated, with phishing, spear-phishing, and BEC scams escalating over the last few years.
So why is phishing such a phenomenon, and what is the psychology behind it? More importantly, why do we fall for phishing scams? Some important research on the psychology of phishing from cybersecurity expert Daniela Oliveira, shared by ted.com, reveals the importance of having a mindset that protects against phishing scams, alongside the physical and technological protections.
“The term “phishing” was first used in 1996 to mean “a scam by which an internet user is duped into revealing personal or confidential information which the scammer can use illicitly”. Since 1996, it’s safe to say that phishing has exploded in volume and intensity. Phishing scams account for half of all fraud attacks”.
The power of phishing is immense. One wrong click could lead to giving away important financial and personal information, downloading a malicious virus, installing malware, or allowing a foreign nation to steal politically sensitive emails. “Phishing emails are carefully designed by scammers and criminals to manipulate our emotions and tap into our unconscious biases, so humans are practically hardwired to fall for them,” says Daniela Oliveira. We need look no further than a recent scam in which cybercriminals purporting to be Telstra threatened to cut off crucial internet and phone services if a bill was not paid on time, playing on recipients’ need for access to critical services, or the fake Netflix account-suspension emails luring victims into handing over their credit card details or clicking a link to supposedly ‘re-activate their membership’. Particularly for those living in lockdown, these services are essential, and cybercriminals know this.
“Phishing emails use emotional tactics to get us to bypass logic—and click the link. To explain why phishing works, Oliveira turns to Nobel Prize-winning psychologist and economist Daniel Kahneman’s model of two systems of thinking. System 1 is fast, intuitive, and emotional — “like when you come to a doctor’s appointment and you decide where to sit,” she says. System 2, on the other hand, is slow and deliberate. Because we have to make thousands of decisions per minute, we need System 1, which depends on mental shortcuts to help us move through life efficiently. For instance, we have a truth bias, a belief that others are more likely to tell the truth than to lie; to assume otherwise would be exhausting. But biases like this can also leave us open to unwise decisions, by, say, making us predisposed to assume that an email that says it’s from our bank updating our password is really from our bank. By appealing to our biases and emotions, phishing tries to get us to stay in automatic mode, aka System 1. Phishers want users to “make a fast, not a thoughtful decision,” explains Oliveira”.
Spotting a Phishing Scam This Black Friday (and always)
So, heading into the holiday season, when emotions generally run high and we are bombarded with promotions, sales, gifting tasks, holiday preparations and so forth, it’s no surprise that cybercriminals come out to play. However, being armed with knowledge of how phishing scams work and how to spot them is crucial, and will help protect you from nasty scams this holiday period so you can take advantage of those fantastic Black Friday and Cyber Monday specials safely.
Here are some ways to spot a phishing scam this holiday season:
- If the email asks you to confirm personal information, be wary. Scammers have become more sophisticated at mimicking trusted names in their branding to lure unsuspecting victims into believing that the email is legitimate. However, if an email makes requests that are not aligned with previous authentic communications from the company or business, it could very well be a phishing attempt.
- A strange-looking web or email address. We see this a lot in the scams we intercept here at MailGuard: scammers often embed the company’s name in the structure of the email address or the domain to throw off time-poor, unsuspecting victims who only quickly scan the email. It’s crucial to take the time to examine the email, the sender’s address and the web address to see whether they match the company’s real address or website.
- Poor grammar and unprofessional language. Although scammers try to throw off recipients by including detailed branding elements, they often neglect the language and grammar of the email itself. Remember, most companies and businesses employ professional writers and have their content checked and reviewed before publishing or sending it out to the wider community.
- Look out for parcel delivery scams. The upsurge in online shopping and the reliance on parcel delivery services such as DHL Express or Australia Post has resulted in nasty parcel delivery scams, often claiming that you need to pay a small fee to receive your package or that you must click a link to confirm delivery of your items.
“So, you’ve shopped securely online and are now eagerly awaiting your goodies! Don’t let your guard down. Cybercriminals send fake parcel delivery notifications to trick you into downloading malware or giving away your personal or financial details” (ACSC).
- Look out for fake websites promoting attractive sales. Especially around this time of year, hackers spoof large retailers like Amazon, Walmart and others with a surge of emails and texts aimed at capturing credit card and personal information. If you receive an email asking you to update your payment details or submit personal information, that is a warning sign; call the company in question to make sure. Most scams of this type incorporate a legitimate-looking landing page to trick victims, so check for spelling mistakes, poor grammar, generic greetings, warnings to take immediate action, promises of refunds or other freebies, and errors in the subject line or body of the email.
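The "company name buried inside the address" trick from the list above can be checked mechanically before a hurried reader has to spot it by eye. The following is an added example, not MailGuard's code or anything from the original post; the brand-to-domain table and the short public-suffix list are assumptions for illustration, and the sample headers are constructed.

```python
from email.utils import parseaddr

# Legitimate sending domains for brands the page mentions. ASSUMED for this
# example; a real allow-list comes from the brand's DMARC/SPF records.
BRAND_DOMAINS = {
    "telstra": {"telstra.com", "telstra.com.au"},
    "netflix": {"netflix.com"},
    "auspost": {"auspost.com.au"},
    "amazon": {"amazon.com", "amazon.com.au"},
}

# Two-label public suffixes; production code should use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "edu.au", "gov.au", "co.uk"}

def registrable_domain(host):
    """Return the part of a hostname the sender must actually own."""
    labels = host.lower().strip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def check_sender(from_header):
    """Return 'ok', 'lookalike' or 'unbranded' for a From: header.
    'lookalike': a brand name is visible in the display name, mailbox name
    or a subdomain, but the registrable domain is not the brand's own."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unbranded"
    local, host = addr.rsplit("@", 1)
    reg = registrable_domain(host)
    # Everything a hurried reader might glance at and take as the brand.
    visible = " ".join([display, local, host]).lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in visible:
            return "ok" if reg in legit else "lookalike"
    return "unbranded"

# Constructed sample headers, not real intercepted mail.
SAMPLE_FROM_HEADERS = [
    "Telstra <billing@email.telstra.com.au>",
    "Telstra Billing <noreply@telstra-billing.com>",
    "Netflix <security@netflix.account-verify.net>",
    "Australia Post <noreply@auspost.com.au.secure-login.co>",
    "Payroll <hr@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{check_sender(header):10} {header}")
```

Note that the fourth sample passes a naive "does it contain auspost.com.au" test; only the registrable-domain check exposes that the mail really comes from secure-login.co.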
For more helpful information from the ACSC on online shopping, see https://www.cyber.gov.au/online-shopping, and stay safe this holiday season!
Prevention is always better than cure, and the best defence is to encourage businesses to proactively boost their cyber resilience to avoid being hit by ransomware or other compromises in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.
Being hit by a cyber-attack can cause businesses significant financial losses and reputational damage, especially following a tough pandemic-ridden year that left many businesses struggling to keep the lights on.
Fortify your defences
No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, using a specialist cloud email security solution like MailGuard to enhance your Microsoft 365 security stack.
For more information about how MailGuard can help defend your inboxes, reach out to my team at email@example.com.