Insight from IT Security – Why Phishing Works

by Kerry LeBlanc

A successful phishing attack accomplishes two basic goals: it gains the trust of victims and it exploits their emotions. This technique is known as Social Engineering and is often the first step in a breach. A social engineer is a person who uses deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

Take, for example, those classic advance-fee scams that promise a large sum of money for a small up-front payment. You would never fall for one of those, right? Of course not. They’re incredibly easy to spot, thanks to their “too-good-to-be-true” nature. But other phishing scams are more advanced.

Imagine a friend of yours is looking for a job. She posts her resume on various sites and sends out applications. Then, she finally receives an email, which appears to come from LinkedIn™, with a great job offer. All your friend has to do is click the link and upload her personal details. But is it a scam? More importantly, would your friend, who has been on the job hunt for several months, even question its authenticity?

Now let’s flip roles. Let’s say you handle the forms of new patients and you get lots of emails from doctors with attachments. How difficult would it be for a social engineer to push a malicious attachment, disguised as a medical form, to your inbox?

What about emails that appear to come from someone you know? Let’s say the Boss sends you an email saying he needs you to get some iTunes™ cards or change his bank account info. How would you respond?

It is easy for social engineers to leverage emotions like compassion or concern against their targets. It gets even easier when their targets are rushing from task to task and not paying attention.

Simply put, people fall for advance-fee scams. People fall for fake job offerings. People fall for emails from attackers posing as the Boss. Trust, desperation, and willingness to help: these are some of the most effective weapons of scammers. Be vigilant and stop, look and think for a second or two, before you click on that link or open that attachment. If you suspect it is malicious, forward it to [email protected].

Download a Copy of the Phishing Identification Checklist to Keep at Your Desk