Joanne Hinds writes about phishing attacks and what psychological research is revealing about how and why criminals successfully scam their victims

It is easy now to manage almost all aspects of our lives online, from finding a job to booking a holiday. In doing so, we unavoidably have to disclose personal data in the form of bank account details, addresses, where we work and even our hobbies and interests. But in addition to making our lives easier, these online interactions also provide criminals with increasing opportunities to intercept data for their own means. One technique used by criminals is known as phishing, which is where criminals masquerade as reputable individuals or organisations in an attempt to lure individuals into disclosing their personal details.

Phishing attempts typically take the form of emails requesting information or links that prompt an individual to disclose their data. Classic signs of fraudulent emails may be recognisable to most, for example, subjects such as, “You have inherited £1,000,000”, or emails that are filled with poor spelling and grammar. While spam filters tend to remove most unsolicited emails from our inboxes, criminals are using increasingly sophisticated techniques that enable fraudulent emails to bypass the filters and appear to be far less suspicious than they used to.

“You have inherited £1,000,000”

Take, for example, a recent scam that targets homebuyers. After exchanging numerous emails with their solicitor, individuals receive an email that appears to come from their solicitor, asking for the deposit to be transferred. Instead, the email is fake and the money is transferred to the criminal’s account. By hacking into email accounts, criminals can establish that individuals will transfer their deposit and complete their house purchase soon. In turn, they carefully mimic the style and layout of the solicitor’s emails and produce a convincing counterfeit that goes unquestioned by the recipient.

The home buying example highlights a number of specific influence techniques used by criminals to convince people to disclose information. First, trust has already been established between the solicitor and recipient, so an email that appears to be the same as previous correspondence does not arouse suspicion. Second, if the email content aligns with an individual’s expectations, (i.e. the recipient was waiting for a prompt to transfer money), then it is also unlikely to be questioned. Third, house purchases tend to be rare, one-off purchases in contrast to day-to-day transactions. In this situation, an email from a respected figure of authority who handles these transactions daily can exploit someone who may have less experience/knowledge.

It is likely that the success of different influence techniques will also be affected by various circumstances. To date, the evidence of how different contexts influence an individual’s susceptibility to phishing is limited. However, preliminary research suggests that phishing success may be linked to certain personality traits, motivation, attention and workload. Some examples of these include:

In a new CREST guide, we outline the main approaches to phishing and the reasons people click on phishing links, covering:

  • Different types of phishing techniques – the approaches used to target individuals and companies
  • The various types of influence techniques – communication methods and emotional strategies used to encourage users to click on links
  • Strategies that users and organisations can implement to avoid phishing attempts being successful.