Jan 23 2015

Phishing Techniques Studied

Don’t click it. If you ever get e-mailed a link, no matter how authentic the e-mail looks or from whom it appears to be, don’t click it. If you feel you need to respond to the e-mail, then type the URL of the website directly into your browser. But never click it.

As simple as that rule sounds, it’s difficult for everyone to remember it all the time. One lapse of attention, and you can find yourself the victim of identity theft, have your credit card numbers stolen, or even lose all your passwords. Unfortunately there is a lot of money to be made in identity theft, and there are many criminals out there.

So-called “phishing” scams involve sending out spam e-mails that are designed to provoke the reader into clicking a link which goes to a dummy website that will load malware on your computer, which will then mine it for passwords, identity information, and credit card information. Such scammers are getting better and better at provoking the click.

A recent study looked at one aspect of the psychological dimension of phishing scams. Researchers at the University of Buffalo sent a fake phishing e-mail to 125 students (a frequent target of such scams). The e-mail said that there were problems with their university e-mail account and that they needed to click on a link which would take them to their account settings, where they could resolve the problem. They added urgency by saying it had to be done soon or they would lose access to their account.

Of the 125 students, 49 clicked on the link immediately, and another 36 clicked on it after a reminder, for a total of 68%. The author, Arun Vishwanath, said of the results:

“…the text is carefully framed to sound personal, arrest attention and invoke fear. It often will include a deadline for response for which the recipient must use a link to a spoof ‘response’ website.

We found that these information-rich lures are successful because they are able to provoke in the victim a feeling of social presence, which is the sense that they are corresponding with a real person.”

The study was presented at a conference, and not published, so I can’t delve into the details. The press release does not mention any controls. I would find the results more interesting if the researchers varied various aspects of the e-mails to see what their impact was on the response rate.

While these results should be considered preliminary, the 68% response rate was impressive. What is clear is that phishing scammers themselves have been conducting a real-world experiment, trying various tactics and evolving their scam to be more successful. Vishwanath does point out many of the aspects of these phishing e-mails that I often encounter as well.

Not a day goes by that I don’t get at least one, if not several, phishing scam e-mails. This may partly be because I work at a university, and they are common targets. I have received hundreds of e-mails over the years telling me I need to update my e-mail account immediately.

This is an effective strategy. Although I have never fallen for it myself, I often have the intended immediate reaction and then have to remind myself that it is a scam. In a typical busy day I often quickly go through my hundreds of e-mails looking for the ones I need to respond to or that indicate something I need to do. Life is also full of countless small logistical details that need to be managed. I get many legitimate e-mails telling me I need to attend to some such detail, and if I don’t take care of it right away it’s likely to get swallowed by the avalanche.

This situation is a perfect setup for making a quick mistake. The closest I came recently was when I received an apparent invoice from iTunes informing me that someone charged almost $100 on my account for some movies and songs. I have two daughters with access to my iTunes account, and I monitor their activity, so my immediate reaction was that one of them committed the purchase. I never clicked on the offered link, but it took me a full minute to realize that it was a scam and that I did not need to confront my daughters that night when I got home.

As you can see, these scams play on emotions, fear, worry, anxiety, anger, greed, etc., and try to invoke what Vishwanath refers to as heuristic thinking – an automatic pattern of thinking that leads to the desired action, clicking the link.

Vishwanath emphasizes in his paper that part of the scam is to create the sense of a personal presence, that there is a real person on the other end of the e-mail. This feeling puts us at ease and makes us more likely to trust and provide personal information.

Whatever the specific strategy, all of this amounts to pushing our psychological buttons. Con artists have always been good at doing this – such psychological manipulation is, in fact, the very heart of being a con artist. Phishing scams are cons, they are just accelerated by communication technology, and can target tens of thousands of marks at once.

Unfortunately everyone just needs to learn basic rules of how not to be conned. As I stated above, rule #1 is – don’t click it. No matter what, do not click a link embedded in an e-mail. No legitimate company will ever ask you for personal information over an e-mail.

There are clues that a link may be bogus. For example, if you mouse over the link, the address it displays may be different from the one written in the text. This is almost certainly a scam. Or, the link may be to something like “www.links.companyname.com/524234.” In other words, there is something before the recognizable company name. It isn’t really Amazon’s website. But even without such clues – don’t click it.
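The two link clues above, as added example code that is not part of the original post: it parses the anchors in a constructed e-mail body, flags link text that names a different host than the link actually goes to, and applies the post’s “something before the company name” rule; it also goes beyond the post by flagging a brand name that appears in the hostname but is not the registered domain. The sample e-mail, the brand list and the function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style e-mail body (not a real message).
SAMPLE_EMAIL = """<p>Your account will be suspended. Visit
<a href="http://www.links.companyname.com/524234">account settings</a> or
<a href="http://amazon.com.account-verify.example/login">www.amazon.com</a></p>"""

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname; bare link text like 'www.x.com/y' gets a scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def link_warnings(href, text, brands):
    """Reasons a link looks bogus (empty list = none of the clues apply)."""
    reasons, href_host = [], host_of(href)
    # Clue 1: the visible text is itself a hostname, but not the one the link goes to.
    text_host = host_of(text) if " " not in text and "." in text else ""
    if all(text_host.split(".")) and text_host != href_host:
        reasons.append(f"text shows {text_host} but link goes to {href_host}")
    labels = href_host.split(".")
    for brand in (b for b in brands if b in labels):
        idx = labels.index(brand)
        # Clue 2 (the post's rule): something other than 'www' precedes the name.
        if before := [l for l in labels[:idx] if l != "www"]:
            reasons.append(f"'{'.'.join(before)}' precedes '{brand}' in {href_host}")
        # Beyond the post: the name is present but is not the registered domain.
        if idx != len(labels) - 2:
            reasons.append(f"'{brand}' is not the registered domain of {href_host}")
    return reasons

def scan_email(html, brands):
    parser = _AnchorCollector()
    parser.feed(html)
    return {href: link_warnings(href, text, brands) for href, text in parser.links}
```

A mail filter would run `scan_email` over each message body with the company names it expects to see and hold back any message whose report is not empty.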

If an e-mail appears to be from someone you know, that can still be a scam. They may have hijacked your friend’s address book, or they are simply spoofing the origin of the e-mail.

Be aware of the fact that phishing e-mails are designed to make you have an immediate reaction, to think that you have to act quickly to avoid some problem or perhaps reap some reward. Don’t buy it. No one in Nigeria will actually send you millions of dollars. Bill Gates is not testing new e-mail software. You did not win the Irish Sweepstakes you never entered.

Never reply to an e-mail with personal information.

Use effective passwords on all your accounts, make them different, and change them periodically. Using a password manager is probably a good idea.

All of this applies to smartphones and texting as well. You can receive phishing scams in text messages.

In essence you need to add a filter to your thought processes, quickly evaluating every bit of technological communication you receive and asking, “is this a scam?” It’s tiresome, but it is basic protection in today’s world.

The problem is, of course, that this is exactly the kind of thing at which people are not very good, specifically eternal vigilance without any lapses. Therefore, even with extensive public education about scam protection, enough people will make mistakes enough of the time to make phishing profitable. This further means that phishing scammers will continue their cons, and continue to make them more and more sophisticated.

Software solutions, ones that provide constant protection, would be much better. There are, of course, plenty of anti-malware applications out there, and you should use them. But they are not perfect either. I wonder if it’s really even possible to have solid protection from installed applications. Perhaps operating systems themselves need to have more built-in protection.

Given the growing problem of internet scams and the growing use of information technology, this seems like a problem deserving more study.
