
Why are phishing attacks successful? Learn how cybercriminals have adapted to modern work practices to make phishing attacks work and what you can do about it.

This article was originally published on CPO Magazine but has since been edited.
Spear phishing is a form of targeted cyberattack in which threat actors attempt to gather sensitive corporate or personal information via deceptive emails and websites. But why are phishing attacks successful?
Weren’t the corporate security awareness training videos on spotting suspicious email links effective enough? Why haven’t email security products already solved this problem?
Phishing scams still have a worryingly high success rate. Research from 2020 found that 91% of all cyberattacks begin with a phishing email to an unsuspecting victim. In mid-April of 2020, Google’s Threat Analysis Group reported that they detected 18 million COVID-19 themed malware and phishing emails per day. The Verizon 2021 Data Breach Investigations Report found phishing to be the most common attack tactic, with 36% of all breaches involving phishing in some way.
And that’s without including business email compromise, invoice fraud, payroll fraud, and other email attack variants that continue to steal money, data, and peace of mind from their victims.
In this article, you’ll learn why our brains are destined to fall for phishing campaigns eventually, how cybercriminals have adapted to modern work practices, and tips for how to contain ongoing phishing threats.
Why are Phishing Attacks Still Successful?
As cyber threats evolve, it becomes harder to identify singular points of compromise within an organization. Rather, it’s a combination of factors that contribute to phishing scams’ growth and success. Here are four reasons why phishing attacks still work.
Our Brains are Wired to Make Quick Decisions
It’s not us -- it’s our brain. Daniel Kahneman’s book, Thinking, Fast and Slow, introduces the two information-processing and decision-making systems our brains have:
- System 1 is the automatic, unconscious, and fast mode of thinking, offering little to no rationale behind its actions.
- System 2 is the slow, methodical, and analytical mode of thinking, skeptical and rational by default.
Security awareness training programs require us to operate in the System 2 mode of thinking, encouraging us to be suspicious of emails we receive.
The truth is that we humans fall for phishing emails not because we’re stupid or lazy or don’t apply the training we receive. Instead, we fall for phishing attacks because we’re busy juggling scores of pending tasks.
Putting every email under a microscope is a laudable goal, but when our inboxes fill up with hundreds of unreads every day, the microscope usually gets put on the shelf. With information assailing us throughout our workday, the only way for our brains to survive is to operate in System 1 thinking whenever possible. Taking quick action on some (or all) of these tasks is the most effective way to get through the day.
Cybercriminals know this and have adapted their phishing attempts accordingly by using highly effective social engineering techniques.
Phishing Attacks Copy Our Existing Workflows
Digital communication and technology are an integral part of our lives. This has resulted in many workflows that happen over email, often with automated emails that encourage quick human action.
Unfortunately, many of today’s email attacks replicate these workflows to trick victims into reverting to muscle memory before the brain catches up to what’s happening.
Think of any email workflow, and there’s a phishing attack lurking underneath:
- Password reset or software payment emails? Email attacks impersonate service providers to get login credentials and more.
- Fulfilling vendor invoices? Scammers pretend to be vendors to steal money and data.
- Collaborating with peers on online documents, forms, or sheets? Cybercriminals exploit every free service available and turn it into an attack vector.
Social Engineering Techniques are Very Effective
As security technologies have gotten better at detecting malicious links, many email attacks now avoid links altogether and use social engineering techniques to plant their payloads. Here are some typical phishing lures:
- Emails regarding compromised email addresses or passwords
- Emails supposedly from the IRS or law enforcement
- Emails about COVID-19 treatments or vaccines
In addition, scammers use email subject lines to create a sense of urgency or familiarity to prompt quick action. Be on the lookout for subject lines that include these terms or topics:
- Request
- Overdue
- Hello FirstName
- Payments
- Immediate Action
Other kinds of malicious emails play on your hopes, dreams, and goals: promises of inheritance payments, requests for donations to worthy causes, or notices that you’ve been selected for something you’ve always wanted.
When attackers target people with words, even the most technical and security-aware among us aren’t immune from compromise. A recent social engineering scam expressly targeted security researchers under the guise of collaborating on vulnerability research and security awareness. The irony here is undeniable.
Cybercriminals are Using New Tools
Unfortunately, you don’t need to be a genius to run a phishing scam. Phishing kits and mailing lists are available on the dark web, enabling cybercriminals to run successful phishing campaigns with just a few clicks. Once a phishing kit is installed on a server, the scammer can send emails to unsuspecting victims.
How to Contain Phishing Attacks: 3 Tips
While we all may be destined to fall for a phishing attack eventually, there are best practices you can follow to limit the occurrence and impact of these attacks.
Bring Security Awareness Programs Closer to Reality
To complement security awareness programs, your organization should consider educating end-users when real-life suspicious emails hit their inbox.
In-context education like email warning banners can inform users with relevant examples from their inboxes without negatively impacting their existing work behaviors. These banners can also include buttons for end-users to mark the emails as safe or suspicious, taking some load off the security team.
Use MFA on Accounts and Workflows
Enabling multi-factor authentication (MFA) on business and personal accounts is now a cybersecurity best practice. However, having MFA on only business accounts doesn’t solve the entire problem because cybercriminals can still compromise employees’ personal accounts and use those accounts to wreak havoc.
Employees should be encouraged to create their own lines of authentication for any email that makes unusual requests related to money or sensitive information. For example, has a vendor emailed the accounts payable team with a sudden change in their bank account details, right when an invoice is due? The team should call or text the vendor and confirm that they sent the email. Even if the vendor is very busy, they will undoubtedly appreciate your caution.
Expect and Prepare for Spear Phishing Attacks
Why is spear phishing so effective? Mass phishing emails are essentially a thing of the past. Instead, today’s successful phishing attacks are more likely to be spear phishing attempts: messages that appear to come from a trusted entity, such as a manager, a vendor, or a reliable technology brand.
Spear phishing emails will also include just enough context to make victims feel legitimate communication is happening. Since scammers are weaponizing organizations’ data in their attacks, it makes sense for organizations to leverage the same data (and more) in their email security stack.
Your business should ensure your security solutions measure communication baselines to identify what’s normal and what isn’t. This enables you to spot anomalies and catch targeted phishing attacks that would otherwise slip past binary detection techniques.
- Did an employee email the payroll team from their personal account, asking to change direct deposit details one day before payday?
- Is an employee suddenly forwarding tons of emails to their personal account after logging in from an unusual location?
When email attacks lack traditional payloads, understanding and learning from an organizational context like this is vital.
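A minimal sketch of the baseline idea described above, as an added example that is not from the original article or from any vendor's product: it learns which addresses each sender name normally uses, then checks for the two scenarios in the list. All names, addresses, the payday date, the keyword list and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample history: (sender display name, sender address, recipient)
HISTORY = [
    ("Dana Reyes", "dana.reyes@example.com", "payroll@example.com"),
    ("Dana Reyes", "dana.reyes@example.com", "payroll@example.com"),
    ("Dana Reyes", "dana.reyes@example.com", "it-help@example.com"),
    ("Sam Ito", "sam.ito@example.com", "payroll@example.com"),
]
SENSITIVE = ("direct deposit", "bank account", "routing number", "wire")
PAYDAY = date(2024, 5, 31)  # assumed payroll calendar entry

def build_baseline(history):
    """Map each display name to the addresses it has been seen sending from."""
    seen = defaultdict(Counter)
    for name, addr, _rcpt in history:
        seen[name.lower()][addr.lower()] += 1
    return seen

def score_message(baseline, msg, payday=PAYDAY):
    """Return the list of baseline deviations for one inbound message."""
    reasons = []
    known = baseline.get(msg["name"].lower())
    if known and msg["addr"].lower() not in known:
        reasons.append("known sender name, never-seen address")
    elif not known:
        reasons.append("first-time sender")
    body = msg["body"].lower()
    if any(term in body for term in SENSITIVE):
        reasons.append("requests change to payment details")
        if 0 <= (payday - msg["date"]).days <= 2:
            reasons.append("arrives within 2 days of payday")
    return reasons

def forwarding_spike(daily_external_forwards, today_count, unusual_login, factor=5):
    """Flag a forwarding burst relative to the user's own daily average."""
    avg = sum(daily_external_forwards) / max(len(daily_external_forwards), 1)
    return bool(unusual_login) and today_count > max(avg * factor, 10)

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    msg = {"name": "Dana Reyes", "addr": "dana.r.personal@mail.example",
           "body": "Please update my direct deposit before Friday.",
           "date": date(2024, 5, 30)}  # constructed message
    print(score_message(baseline, msg))
    print(forwarding_spike([0, 1, 0, 2, 1], today_count=40, unusual_login=True))
```

No single signal here is conclusive; the point is that several deviations from the same user's own history, taken together, justify holding the message or prompting the out-of-band confirmation described earlier.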
Eliminating phishing attacks altogether is a pipe dream. However, the intent is not to achieve a mythical level of perfection but to raise the bar for cybercriminals, making it as tough as possible to achieve their nefarious aims.
Investing in modern email security software is your best bet in countering phishing attacks. Modern email security goes beyond simple blocklists and manual policies to protect your human layer from compromise: by analyzing thousands of signals, learning from every organization and user’s communication patterns, and automatically remediating threats before they cause harm.