LAS VEGAS--Phishing has proven to be one of the more difficult security problems to solve, and new research from Google shows that it’s not just because humans are gullible. It turns out the attackers are pretty good at their jobs.
One of the most threadbare tropes in security, especially when it comes to phishing, is that human error is to blame for most of our problems. If only we could remove humans from the loop, everything would work perfectly. Of course, this is neither true (see: self-driving vehicles) nor helpful in crafting effective defense. Sure, humans make mistakes, click on malicious links and fall for phishing scams, but it’s not always because of ignorance or indifference or carelessness. Quite often, it’s because the people crafting those phishing emails and creating the campaigns understand human psychology and know how to target their messages to create emotional responses.
In most cases, phishing campaigns are designed to separate victims from their money, but while the goal may be the same, tactics and techniques vary widely and evolve quickly. Google’s Gmail service blocks more than 100 million phishing emails each day, and 68 percent of those messages are ones that Google’s systems have never seen before. Phishing campaigns are also often quite short-lived, with the average length of a boutique campaign being just seven minutes, according to Google’s research. The rapid evolution of tactics makes phishing detection a serious challenge, even for sophisticated companies such as Google. It’s also quite difficult for individual people to detect, a fact that phishers know and use to their advantage.
A new study conducted by researchers at the University of Florida in cooperation with Google found that successful phishing campaigns use specific emotional triggers.
“Successful spear phishing emails apply psychological principles of influence – authority, commitment, liking, perceptual contrast, reciprocation, scarcity and social proof,” the new study says.
“These principles of influence exploit common human heuristics that are often beneficial in simplifying decision-making, but can also result in misrepresentation, and can lead to deception. The effectiveness of these weapons in spear phishing emails can be increased when the email places the weapon in a life domain context that is relevant for the user, such as the financial, health, ideological, legal, security, and social domains.”
The researchers presented their results at the Black Hat USA conference here, and in addition to the findings on emotional responses, they found that targeted phishing is more common and effective than bulk campaigns. The massive phishing spam runs pushing pharmaceuticals, lottery scams, and gift cards are still out there, but those emails rarely make it into users’ inboxes these days, thanks to better detection methods. The ones that present the clear and present danger to most people are the spear phishing or boutique phishing campaigns. Spear phishing targets a handful of individual people or organizations, while boutique campaigns go after a few dozen companies or people. Google’s numbers show that enterprises are 4.8 times more likely to be targeted by phishing campaigns than any other group.
The University of Florida study involved 158 people of varying ages and found that older people, particularly women, were most susceptible to phishing. While highly targeted and well-crafted phishing campaigns can be effective, there are some equally effective defenses. Awareness of phishing is the first line of defense, and automated detection systems like those deployed by Google and other providers are key as well. But the most effective defense is implementing two-factor authentication for individual accounts. Google’s statistics show that using a hardware security key is 100 percent effective against both spear phishing and boutique phishing, and device-prompt-based 2FA is 99 percent effective against boutique phishing.