The human behavior side of cyber security is nearly always more complex than the technical side. How do attackers use the art of persuasion to manipulate us and gain access to our information? They know how to exploit our natural tendencies. Be aware online: you may be responding to a phisher's bait.
Authority: We naturally accept psychological power wielded by authority. As such, if someone poses as an authority figure, like an FBI agent or supervisor, we are more likely to ignore obvious inconsistencies and give up sensitive information.
Likability: Psychologically, we prefer to say yes to requests from someone we know and like. Attackers develop likeable and appealing online presences, or in some cases, will recruit attractive or charming people who have sizable social networks to help them phish for information.
Reciprocity: People feel compelled to reciprocate a gift or favor. If we are given something online for free, we may feel obligated to trade personal information. For example, a contact may offer monetary rewards, and ask for sensitive or proprietary information under the guise of a study.
Social Proof: People decide what is correct, and how they should behave, by looking at what others do. If someone puts significant effort into maintaining a presence on social media websites, they expect others to have done the same. That leads to increased trust in forged profiles developed by attackers.
ITS continues to simulate phishing attacks and will assign training to individuals who are routinely susceptible to these simulations. If you're concerned that you've been the target of phishing, see Reporting a Phishing Message (How-to).
—Peter Lundstedt, ITS