Why do we still fall for phishing?
Despite decades of experience and millions of combined hours of awareness programmes we’re still clicking on dodgy links.
In the 18th Century, a tidy living was to be had by the 419 scammers of the day through so-called "letters from Jerusalem". These letters, supposedly sent by distressed aristocrats imprisoned by revolutionaries in France (victim and jailer would vary according to events), played on the heartstrings and self-interest of their recipients. The guards had proved bribable, the imperiled aristo would say, and on their release those goodly souls who had helped them escape would be richly rewarded. These scam letters enjoyed a reported success rate of 20%.
Fast forward a couple of centuries and millions of people were surprised, and possibly delighted, to receive an email headed ILOVEYOU in their inbox. Email was still relatively new in the Year 2000 and self-spreading malware largely unknown. Suffice to say, enough people clicked on the attachment LOVE-LETTER-FOR-YOU.TXT.vbs for it to take down 10% of all internet-connected computers, cripple government departments and cause banks and businesses to grind to a halt all around the world.
Fortunately, it taught us all a valuable lesson. Never click on a suspicious link. And we all lived happily ever after.
Or did we?
[Spoiler alert] No.
Despite decades of experience and millions of combined hours of awareness programmes clicking on suspicious links and responding to bogus messages remain as popular today as they’ve ever been. More so in fact.
Phishing, the most common intent behind dodgy links, is the act of illicitly obtaining authentication details and personal data, and it’s the precursor to almost every kind of cyberattack. And almost every study out there shows that phishing rates are increasing.
So why are we still falling for it?
A numbers game
One reason is that phishing is a numbers game and there are simply more phishing attempts than ever before. Most studies show volumes are rising fast, including one by KnowBe4 which found a 17% rise in the 6 months to February.
This trend is backed up by a Computing poll of 70 UK IT leaders, where 73% said volumes are increasing.
Not only are there more phishing attempts but there are many more vectors, including SMS, QR codes and social media, and for phisherfolk every new vector is a new opportunity. In 2000 email was shiny and new and malware largely a mystery to the public, which is why millions fell for ILOVEYOU. We now have deepfakes, phone phishing using voice imprints, and we have social engineering via LinkedIn and TikTok that use the vast amounts of information we leave lying about online.
“Nicely formatted accurate text - sent whilst the director was abroad, saying that they needed certain things. Really nicely timed - clearly the social media was being monitored allowing a targeted attack.” CITO, Higher education
Pride comes before a phish

So there are more phishing messages, more delivery routes, and more information out there on all of us. But on the other hand we now have secure email gateways, spam filters, threat intelligence, strong password generators and awareness programmes. How come we’re still getting duped?
Two words: Dunning and Kruger. The people most likely to fall for phishing are those who believe they are not the sort of people who would fall for phishing. Congratulations on not falling for phishing! Please complete this form so we can send you your prize. Click.
Phishing is more about psychology than technology. It’s about catching us off guard at moments of weakness in our busy, confusing, multi-tasking lives.
Phishing as a service
Two more words: professionalism and automation. Early phishing and scam operations were pretty amateurish. The African prince may have been fabulously wealthy, but he couldn’t spell for toffee. Today’s grammatically challenged scammers are more likely to hand things over to people who know what they are doing. Phishing-as-a-Service is a fast-growing phenomenon where gangs do all the hard work for you. For a very reasonable fee they’ll select the targets, craft a message, and set up spoof login sites to capture credentials, sometimes on a no-phish, no-fee basis.
They have all sorts of tricks up their sleeves to evade secure email gateways, bypass MFA and exfiltrate data. Increasingly they use polymorphic messages that change slightly every time to avoid creating a fingerprint. They can impersonate messages from dozens of email providers, from Gmail to Outlook on down, and all this is automated as PaaS.
And of course they are using AI in many different ways. The KnowBe4 study found that 82.6% of all phishing emails analysed exhibited some use of AI. Correcting spelling and grammar is an obvious use case, as is translating messages into different languages. Another use is adding a unique personalisation element to each message – a form of mass customisation that makes them both harder to detect and more likely to be opened.
Fortunately though, they still leave telltale signs. The spelling and grammar may be far better, but GenAI has a certain recognisable style of its own and the all-important context required for believability may be missing.
“The English is better, but the context is often worse than if human generated,” CTO, Retail
“… good English but complete irrelevance based on a misunderstanding of our organisation.” Professor, Higher education
This suggests that attackers may be putting too much faith in their new tools, but no doubt they will learn to up their game.
Business email compromise
Another growth area is business email compromise (BEC), where attackers gain access to a genuine account, commonly via credential stuffing of Microsoft 365 or Google Workspace, and use it to send fraudulent requests to colleagues, clients or partners – commonly to transfer money, but also to obtain authentication credentials for other accounts – more phishing. Again, automated tools now allow credential stuffing at scale.
BEC messages may take the form of fake email chains including messages apparently from other colleagues. These can be extremely convincing, and if they appear to come from a senior executive, more junior staff will be unlikely to question their veracity and liable to act on them.
In the past year there has been a 57.9% increase in attacks sent from compromised accounts getting through traditional detection, according to a recent study.
“Vendor email compromised, attempts to change bank account details with convincing email dialogue…” Director, Business services
Related to BEC is SIM-jacking and other phone spoofing methods, where the attacker again hijacks trust.
“Our financial controller received SMS messages that appeared to come from the MD's phone number. He was looking into the request (to pay a supplier), luckily he checked with the MD on another channel...” CTO, Consultancy
Increasingly deepfake videos are being used to impersonate executives on video calls and fake corporate communications too. (See Accenture: What we learned when our CEO got deepfaked).
Multiple devices
On a large screen it might be quite easy to see that an email has come from [email protected] or [email protected], but it’s not so easy on a smartphone. And these days many of us are across all devices all the time.
Bogus websites, sometimes visited after scanning a dodgy QR code (quishing), are also very hard to recognise on a tiny screen.
90% of Computing’s survey respondents said their organisation or partners had been subject to email phishing with 51% mentioning SMS phishing attempts.
20% said they were aware of voice clones being used for phishing, another area that’s on the rise as voice clones become easier to make and more convincing.
At the other end of the form factor scale from mobile is cloud computing. 83% of respondents felt that cloud is a special case when it comes to protecting against phishing.
“Cloud services are by design omnipresent and accessible through multiple channels and therefore backdoors - so a zero-trust approach needs to be taken,” CDIO, professional body
“Environments such as M365 are vulnerable and need robust procedures and MFA in place...” CIO, Education
“The cloud services are outside our firewalls, so it's much more difficult for us to control the traffic or detect attacks. We need to rely on third parties...” IT manager, Education
Phishing awareness training
The writers of the “letters from Jerusalem” enjoyed a 20% hit rate, but their modern equivalents can get by on a tiny fraction of that figure, because they have so many more options and can operate at a massively larger scale. And they only need to be successful once, while we, their intended victims, need to be successful at warding them off 100% of the time.
Unfortunately, though, we’re stuck with our monkey brains and their predictable drives. We will always be susceptible to new lures, even those based on age-old themes. We are pathetically hackable. But we can try to hack our own brains against our impulsive behaviour by teaching ourselves to step back, think and pause before acting.
However, phishing awareness training received a mixed response from our audience. “Better than nothing” was the judgement of 24%. One IT head commented: “Users hate it”.
Unquestionably, training is hard to get right. It needs to be role-specific, targeted and above all interesting.
“It is very effective for some users, particularly inexperienced and less technically competent ones. For experienced users it is usually pretty obvious and boring...” Software director, Manufacturing
It should also be an ongoing process, with follow-up on initial training, and blame-free interventions when, as will inevitably happen, someone clicks on a link.
Technical defences
In terms of tech deployed against phishing, the big one (after firewalls and filters) is some form of multi-factor authentication (MFA). It’s not 100% foolproof, but MFA will frustrate many attacks that would otherwise get through.
However, only 40% of businesses use MFA, according to the government's latest Cyber Security Breaches Survey. In the Computing survey the figure was 90%.
For many, MFA, no doubt, is just another of those things that drops down the agenda. Extra support hassle for the overworked IT team, unwelcome friction for users, no buy-in from management. But its absence in so many businesses may go some way to explaining why phishing rates are high and rising.
Multi-factor authentication
MFA comes in various styles and formats. Among the Computing readership, the most popular were authentication apps of the type provided by Google, Microsoft and third parties. These will stop most attempts, but a skilled hacker with access to a website’s back-end database could still gain access to the secrets.
Next came one-time passwords (OTPs) sent via SMS or call. These are most convenient but least secure. In fact most experts advise against their use, although combined with another factor they can be effective.
Third were biometrics (fingerprints, facial recognition, voice recognition, retinal scans, etc). These are convenient and more secure than OTPs.
Fourth were passkeys, a unique digital key stored encrypted on the device that can’t be reused. These are being marketed as much more secure and convenient password replacements, but depend on device compatibility and acceptance by websites.
Among the most secure are hardware keys, such as YubiKeys, but these lose out on convenience (in that they can be lost) and cost, which might explain their relatively low position in fifth place.
Whatever the type of MFA there are always ways around it, from induced MFA fatigue (spamming the user with fake messages), to token theft and Machine-in-the-Middle attacks. Plus, of course, there’s good old social engineering.
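MFA fatigue, the first bypass listed above, leaves a distinctive trace in authentication logs: a run of push prompts that the user denies or lets time out, sometimes followed by an approval. The following example is added here and is not from the article or any product it mentions; it shows the kind of detection logic a security operations team can run over push-notification logs. The log format and the sample lines are constructed for the example, as are the function names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (key=value lines in an invented format, not a real product's).
# Bob receives five unapproved prompts within two minutes and then approves one.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=alice event=mfa_push result=approved ip=203.0.113.5
2024-05-01T09:30:00Z user=bob event=mfa_push result=denied ip=198.51.100.7
2024-05-01T09:30:20Z user=bob event=mfa_push result=denied ip=198.51.100.7
2024-05-01T09:30:45Z user=bob event=mfa_push result=timeout ip=198.51.100.7
2024-05-01T09:31:10Z user=bob event=mfa_push result=denied ip=198.51.100.7
2024-05-01T09:31:40Z user=bob event=mfa_push result=denied ip=198.51.100.7
2024-05-01T09:32:05Z user=bob event=mfa_push result=approved ip=198.51.100.7
2024-05-01T10:15:00Z user=carol event=mfa_push result=denied ip=192.0.2.9
2024-05-01T11:15:00Z user=carol event=mfa_push result=approved ip=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)

def parse(log: str):
    """Yield (timestamp, user, result, ip) for each well-formed push event; skip others."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["user"], m["result"], m["ip"]

def detect_push_fatigue(log: str, window_s: int = 300, threshold: int = 4):
    """Return alerts as (user, kind, unapproved_count, ip).

    'burst': the user reached `threshold` unapproved prompts inside `window_s` seconds.
    'approved_after_burst': an approval arrived while such a burst was still in the
    window, i.e. the fatigue attempt may have succeeded. Treat the second as urgent:
    revoke the session and contact the user out of band.
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts in window
    alerts = []
    for ts, user, result, ip in parse(log):
        q = recent[user]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop prompts that fell out of the sliding window
        if result == "approved":
            if len(q) >= threshold:
                alerts.append((user, "approved_after_burst", len(q), ip))
            q.clear()  # an approval ends the episode either way
        else:  # denied, timeout, or any other non-approval
            q.append(ts)
            if len(q) == threshold:  # fire once when the threshold is first crossed
                alerts.append((user, "burst", len(q), ip))
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

Carol’s single denial an hour before her approval produces no alert, which is the intended behaviour: the window and threshold are there to separate ordinary mis-taps from a campaign. In production the same logic also wants the prompt’s source IP compared with the user’s usual locations, and the cleaner mitigation is number matching or a phishing-resistant factor, which removes the “just tap approve” option altogether.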
Which brings us back to our original question: why do we still fall for phishing? Basically, we always have fallen for scams and we always will, because we’re human. We’re busy, distracted, predictable and we use lots of devices. What’s more, unlike our adversaries, most of us don’t think about cyber 24x7. It’s not our full-time job, it is theirs. They’re innovative, well-resourced and they’re good at it. We can get better at recognising phishing attempts but methods are constantly evolving and sooner or later one will get through.
As ever with cyber defence, there is no silver bullet, but regular high-quality awareness training, MFA and secure gateways really should be a bare minimum for all organisations these days.