There’s no doubt that 2020 has been an unusual year. The global pandemic has provided an ideal environment for cyber-criminals to seek out new victims. According to a report from Forcepoint, the last week of March saw a 358% increase in phishing emails with malicious links related to COVID-19 or Coronavirus. The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert in early April warning of the increases in COVID-19 related phishing scams.
What’s even more concerning is how effective these types of scams are. The security awareness training company KnowBe4 hosts mock phishing campaigns to help their customers increase phishing awareness across their organization. Since releasing their COVID-19 templates, they have seen an 8.8% click rate. For comparison, the report lists the scores for banking templates (3.73%) and templates claiming to be from the recipient’s own IT department (7.17%), both traditionally high click-through templates. And it’s not just the recipient of the phishing email that’s at risk. According to Verizon’s 2020 Data Breach Investigations Report, 22% of data breaches involved phishing attacks. But what is it that makes this such a lucrative time for scammers?
Let’s start with a brief explanation of the scam in question. Phishing is a form of social engineering, in which an attacker sends an email that looks like it’s from someone else, in an effort to defraud the receiver. In addition to phishing, there are two other types of related attacks: vishing (voice phishing) and smishing (SMS phishing). These attacks involve using phone calls and text messages, respectively, to achieve the same goals as phishing, and have become much more popular in the last few years due to the rise in mobile technology.
The emails sent in phishing attacks generally purport to be from a trusted source, like government agencies, financial institutions, high-level officials, or the victim’s own company. There are three primary types of phishing scams. The first type attempts to get users to voluntarily provide personal information, such as credit card numbers or login credentials. The second type attempts to trick victims into opening a malicious attachment. The third type tries to illicit money from a user through deception, such as selling fake products, soliciting for fake charities, or threatening legal actions if the user doesn’t pay. Whichever type of scam is used, human psychology is the bait these scammers are using to lure in their unsuspecting victims.
Phishing emails use many of the same psychological triggers that have been used by con artists for centuries. In fact, many of the same methods are also used by marketers to convince customers to buy their products or services. Scammers use these triggers in the hopes that our emotions will override our good judgement. Let’s take a look at some of the most common human emotions that can lead victims to fall for phishing scams.
Fear is the biggest emotion driving the recent success that scammers are enjoying. The current global pandemic has put a lot of us on edge, and we’re eager to seek out information to help protect ourselves and our families. Scammers have responded with waves of phishing attacks targeting Coronavirus and COVID-19. Some of these are selling fake products, some are promising a new miracle cure, and others attempt to get users to download malware disguised as statistical information. These tactics aren’t just limited to email scams either. A text scam in the U.K. informs users that they have violated the country’s quarantine restrictions, and directs them to visit a website to pay their fine. The linked website, a spoofed government site, then collects the user's credit card information.
While this is an especially effective time to use fear-based attacks, these tactics certainly aren’t new. Earthquakes, hurricanes, or any type of natural disaster are almost always followed by an increase in phishing scams. People seeking information about government assistance are frequently targeted by attackers posing as government officials, aid workers, or insurance representatives. In the wake of Hurricane Irma in 2018, FEMA issued an alert warning survivors of potential scams seeking to steal their identity or collect up-front payments for work that would never be completed.
Fear tactics can take several forms. First, the fear could be driven by the victim’s current circumstances. Someone who has been directly affected by a disaster may fear for the safety of their family. In this form, a scammer would pose as someone attempting to help the victim, possibly by offering to help register for government assistance (for a fee), or offering a service (with upfront payment). In other cases, the fear is driven by the scammer. Emails claiming that you’ve violated some law, or that the sender has potentially embarrassing information, play to this form of fear. Probably the most well-known scam of this type involves an urgent email from a government agency (ie. IRS, FBI, etc.) stating that you’ve violated some law and are facing severe punishment. The goal of scammers using this tactic is to convince you that you’re in danger if you don’t take the action they want immediately. Even recipients who know they haven’t violated any laws may still provide the attackers with their personal information in an effort to clear up the situation.
A desire to be involved and help other people is another common emotion targeted by scammers. The same events that trigger fear in many people, also trigger a desire to help those in need in others. Emails soliciting donations to help victims are often used by scammers to steal money and personal information from unsuspecting donors. Charities used in these types of scams could be made up by the scammers, or they may appear to come from well-known organizations, but link to spoofed websites controlled by the attackers.
Following local disasters, this type of scam becomes even more effective. While the event may only directly affect a single city, state or region. The desire to help those in need extends the pool of potential victims worldwide. For attackers, phishing is a numbers game, so the more people they can target with their scams, the more likely they are to get a bite.
Another type of scam that plays on our desire to help others is an email from a friend asking for help. This type of scam often comes after an attacker has successfully gained access to another victim’s email or social media accounts. Using the first victim’s friends and contacts, attackers send out emails saying that they are stranded in a foreign country and need money. The second victim, believing that the email has come from a friend and wanting to help, responds and sends money through wire transfer. By the time they realize that their friend was never even out of the country, it’s too late, and the money’s already gone.
Most people have an innate desire to do what is asked of them. We want to be liked by other people. Whether it’s people we work with or strangers we meet at the supermarket, most people want to be seen as helpful and friendly. When someone asks for a favor, we’re likely to go out of our way to help them. Scams exploiting this type of trigger often take the form of spoofed emails from the victim’s own company. Employees, seeking approval of co-workers or managers, will often act quickly when an email asks them to complete a task, perhaps without fully evaluating the request. An email that appears to come from HR may ask an employee to download and acknowledge a new policy, when in truth the email contains malware that will be installed on the user’s system when they open the file.
One way that we satisfy our desire for approval is through interactions on social media. When we post something, we want to watch the number of “likes” steadily rise. Social media companies know this, that’s why they make the number of reactions visible and why they send push notifications every time someone interacts with us. This is how they keep their users coming back every day. It’s also another way that scammers take advantage of this emotion. If a user receives a message from Facebook telling them that someone has commented on their post, or they have 20 new “likes”, it’s very likely that they’ll click on that message. When that click leads them to a page that looks just like the Facebook login, but is actually controlled by a scammer, they probably won’t hesitate to type in their username and password. Once the attacker has access to the user’s account, they can view personal information and use their friends list to find new victims to target. Additionally, due to the frequency of password reuse, they may even be able to gain access to the victim’s other accounts, using the same email and password.
Dreams of hitting a huge payday are another trait common to most humans. Hence the success of casinos and state lotteries. Although it’s unlikely that we’ll be the big winner, we still have that feeling that today may be our lucky day. Scammers have been using this desire for years, even before the internet existed. The most ubiquitous scam of this type is commonly referred to as a “Nigerian 419” scam. This type of scam can take several forms, but in general the victim receives an email from an unknown sender offering a large sum of money. It may be an inheritance from a long-lost, distant relative that you never knew, who made a fortune mining gemstones, or a plea to help the sender circumvent banking laws that are preventing them from accessing their money. One way or another, the sender has a lot of money, and they want to give most of it to you. All they need from you is a small advance-fee to cover some expenses, or your banking information, and they’ll get you your share.
This type of con has been around for a very long time. The current iteration is actually just a twist on the “Spanish Prisoner” scam that first appeared around the time of the French Revolution. Most people have heard of this type of scam by now, and one would think that the success rate would be dwindling in 2020. But it seems that Americans are still taking the bait, losing over $700,000 dollars to this type of scam in 2018.
No matter which psychological trigger a scammer uses, there are some steps you can take to make sure you don’t become another phishing victim.
- Sender Address: Look closely at the address the email is coming from. If the name the sender uses doesn’t match the email address, you should be suspicious. Additionally, if you know the sender, or the message appears to be from someone in your organization, make sure the domain matches what you expect.
- Spelling and Grammar: If the email contains a lot of grammatical errors and misspelled words, it should be a big red flag. Many phishing emails contain these types of errors, or just have wording that sounds unusual. Part of this may be due to attackers who don’t speak English natively, but it’s been suggested that these “mistakes” are actually intentional. The thinking is, in part, that if someone responds to the email, despite the mistakes, they’re more likely to fall for the scam. This saves the scammers from having to interact with people who they probably aren’t going to get any money from anyway. It’s all about efficiency.
- Links: Always inspect any links before clicking on them. How you do this will depend on the email client you're using, but for most web-based clients, when you hover over a link, you will see the full address pop up in the lower left corner. Make sure the link is going to the website you expect. Check carefully, as scammers will often register domain names using common misspellings of popular brands.
- Attachments: Never download attachments from unknown senders. Even if you believe you know the sender, if you’re not expecting an attachment, or the message seems at all suspicious, make sure you check with the sender through another communication channel to verify that they sent it. Additionally, make sure you check the file type prior to opening. If you’re expecting a PDF file, but the filename ends with .exe, don’t open it.
Unlike other cyber-attacks, phishing doesn’t rely on technological skills, but on psychological manipulation of the victim. Hopefully, recognizing the psychological triggers that scammers use will help you identify fraudulent emails before you become a victim. If you’re the owner or manager of an organization, make sure you’ve trained your employees on the dangers of phishing scams, and how to avoid them. It’s unlikely that phishing attacks will go away anytime soon.