“Congratulations! You have just won 30 million euros – follow the link to grab it!”, read a message I received last week. It was, of course, too good to be true: it was a phishing attempt. Manipulating human emotions is exactly what attackers do. The methods they use are borrowed from practical psychology and fall under social engineering. Playing on people's feelings, fears and reflexes lets criminals obtain the information they are after.
When crafting phishing emails, attackers usually have one of two goals: to capture the user's password (or other credentials), or to get the user to download and open a file, which typically carries malware. Unfortunately, user awareness of modern cyber threats is still rather low. In this post I describe the basic lures so that you can recognise a trap.
“Update Needed: Verify Your Payment Information”
When you work hard, you receive and reply to dozens of emails every day. It is difficult to pay full attention to every message, whether you work in the office or from home.
Then an email arrives with an attachment or a link in its body. Inattention, reinforced by deference to authority (the message appears to come from a bank, a supplier or your manager), can persuade you to open the document without a second look.
“You’ve been hacked – please, change your password”
Our digital identities are as precious as gold. Business and personal data, social network accounts and online banking: it is all online, and anybody would be scared of having their money, data or reputation compromised.
Fear, amplified by a sense of urgency, pushes ordinary users to change their password straight away by clicking the link in the email. Unfortunately, the link leads to a phishing page that looks identical to the real one, and the password typed there goes straight to the attacker.
“Your message wasn’t delivered”
You receive an email stating that some of your messages were not delivered because of a server problem. What if you missed something important?
Many people are curious by nature and cannot resist clicking the link, even if they have not sent anything recently. Fake non-delivery reports are among the most common phishing lures.
“Your mailbox is almost full – please, increase its volume”
Oh no! There is never a right moment to receive such a message, especially when you are in a hurry, juggling a few urgent tasks while on a call with colleagues.
Follow the link and you may even find your username already filled in (the attacker already knows your email address, after all), so all you have to do is type your password and… your account is taken over.
Recommendations
- Do not blindly follow instructions in an email, especially ones that demand action here and now. Carefully check the sender's actual email address, not just the display name: the name is chosen freely by the sender, and look-alike domains (a letter swapped or added) are easy to miss
- If you receive a message that has nothing to do with you, it is safer to delete it
- Courts and other authorities rarely send their decisions or overdue payment notices by email. In most cases you would receive a good old paper letter
- Do not click suspicious links in messages, even if they come from friends or official-looking addresses: the account may have been compromised or the address spoofed. Pick up the phone and verify!
- Do not be fooled by a sense of urgency. Take your time to verify any email that asks you to act
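As a practical illustration of the first and fourth recommendations (check the real sender address; treat links with suspicion), here is an added Python example that is not part of the original post. It parses a constructed sample message (the addresses, domains and the look-alike spelling "exarnple-bank.com" are invented for illustration) and flags the tell-tale signs described above: a Reply-To or Return-Path on a different domain from the From address, link text that displays one host while the href points to another, links outside the sender's domain, and a link that already carries the recipient's address, which is how the pre-filled login in the mailbox-full lure arrives.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample (not a real message). The look-alike domain
# "exarnple-bank.com" (r+n instead of m) and the "email=" parameter
# are illustrative of the tricks described in the post.
SAMPLE_EML = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Example Bank Security" <security@example-bank.com>
Reply-To: verify@exarnple-bank.com
To: alice@example.org
Subject: Update Needed: Verify Your Payment Information
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is almost full. Verify your account now:</p>
<a href="https://login.exarnple-bank.com/verify?email=alice%40example.org">https://www.example-bank.com/verify</a>
<p>Or visit our <a href="https://www.example-bank.com/help">help centre</a>.</p>
</body></html>
"""

# Link text that itself looks like a URL or a bare domain.
URLISH = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]|$)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    # Lower-cased domain part of an e-mail address ('' if there is none).
    return addr.rpartition("@")[2].lower()


def _host(url):
    # Lower-cased host of a URL; bare "www.x.com/path" link text is accepted too.
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def _same_org(host, domain):
    return bool(domain) and (host == domain or host.endswith("." + domain))


def analyse(raw):
    """Return the sender address, a list of findings and a suspicious flag."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    to_addr = parseaddr(msg.get("To", ""))[1].lower()

    # The display name is chosen freely by the sender; only the address counts.
    if "@" in display_name and _domain(display_name) != from_dom:
        findings.append(f"display name shows {display_name!r} but address is {from_addr!r}")
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_to)!r} differs from From domain {from_dom!r}")
    if return_path and _domain(return_path) != from_dom:
        findings.append(f"Return-Path domain {_domain(return_path)!r} differs from From domain {from_dom!r} (weak signal)")

    # Links: visible text pointing elsewhere, hosts outside the sender's domain,
    # and links that already carry the recipient's address (pre-filled login).
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        host = _host(href)
        if URLISH.match(text) and _host(text) != host:
            findings.append(f"link text {text!r} actually points at {host!r}")
        if host and not _same_org(host, from_dom):
            findings.append(f"link to {host!r} is outside sender domain {from_dom!r}")
        params = parse_qs(urlsplit(href).query)
        if to_addr and any(to_addr in v.lower() for vals in params.values() for v in vals):
            findings.append(f"link pre-fills the recipient address: {href}")

    return {"from": from_addr, "findings": findings, "suspicious": bool(findings)}
```

Running `analyse(SAMPLE_EML)` reports five findings for the sample and none for a plain newsletter whose links stay on the sender's own domain. The Return-Path check is deliberately marked as a weak signal: legitimate bulk mailers routinely bounce through their own domains, so on its own it proves nothing. A real mail gateway relies on SPF, DKIM and DMARC results rather than on these heuristics; the point here is to show concretely what "check the sender address" and "look at where the link really goes" mean before you click.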
Learn more about how you can train non-IT teams in your organisation to recognise attempts to manipulate their emotions, alongside the other basics of cyber security awareness.