For the past few years we have discussed the power of emotion in phishing emails. This is never more valuable to understand than during the upcoming Valentine’s season. The traditions of gift giving to current partners and the romanticized notions of hearing from a secret admirer are so firmly ingrained in our minds that we become easy targets for scam artists.
As highlighted in the PhishMe® 2017 Enterprise Phishing Resiliency and Defense Report, entertainment, social and reward based simulations (e-cards are the most effective in each category) rise to the top of our susceptibility charts, with average response rates ranging from 13.8% to 19.5%.
A deeper dive into the data shown above indicates that holiday e-cards averaged 25% response rates in 2017. Each year, individual Valentine e-cards simulations (see sample below) pull even higher rates, at times reaching above 50% response.
Too often we fool ourselves into thinking that a phishing email has to be complex in order to trick users. As you can see, there is nothing complex about the sample below, yet its effectiveness is off the charts.
This is because love, and other strong emotions, blind us from our rational thought processes just long enough for us to react without thinking. The part of the brain that registers emotions, the amygdala, kicks in (you may know it as the “fight or flight” response center, though it does much more). We literally cannot help ourselves, because this area of the brain activates before rational processing.
While effective in helping us avoid immediate dangers, the amygdala doesn’t recognize love as something to fight or flee from. In fact, it’s quite the opposite. Our instincts and desire to connect with others override our safety mechanisms and we run towards, rather than away from, an unrecognized danger.
This creates the perfect set-up for malicious actors to take advantage of unwitting victims. In fact, this approach is so prevalent that it has its own name, due to its widespread use on dating sites and other social media platforms: catphishing.
And it doesn’t stop there. So many people have been compromised by the “romantic relationship” approach that it’s considered a standard social engineering practice to develop personal relationships with people in positions of influence or power, the better to manipulate them later.
Does this mean we should classify love or romantic interest as a security concern?
Absolutely it does, and this would not be a new position to take. For decades, the best of the best in the FBI, CIA and other organizations have been trained to recognize and avoid romantic interests that suddenly appear. As security professionals, we should be following their lead.
As a first step, take the time to incorporate the phishing model above into your anti-phishing program and measure your users’ abilities to recognize and report these threats. Then go further with your follow-up efforts. Teach your email recipients about the use of similar tactics on social media platforms and in person.
Remember, if we don’t immerse our users in this experience safely their behaviors will not change, and they will not recognize the dangers that love and romantic interest can present. While it may not be the easiest to discuss, this is a security concern worth highlighting and there is no better time of year to do so.
In the end, our social paradigms must be reset to recognize overwhelming emotion as a trigger for validation before response, especially when it comes to phishing, social media usage and blossoming relationships.
Learn more about emotions and phishing.
