Why We Click: The Psychology Behind Phishing Scams and How to Avoid Being Hacked

07 September 2020

We all know the feeling, that awful sinking in your stomach when you realize you’ve clicked a link that you shouldn’t have. Maybe it was late at night, or you were in a hurry. Maybe you received an alarming email about a problem with your paycheck or your taxes. Whatever the reason, you reacted quickly and clicked a suspicious link or gave away personal information only to realize you made a dangerous mistake. 

You’re not alone. In a recent survey conducted by my company Tessian, two-fifths (43%) of people admitted to making a mistake at work that had security repercussions, while nearly half (47%) of people working in the tech industry said they’ve clicked on a phishing email at work. In fact, most data breaches occur because of human error. Hackers are well aware of this and know exactly how to manipulate people into slipping up. That’s why email scams — also known as phishing — are so successful.

Phishing has been a persistent problem during the COVID-19 pandemic. In April, Google alone saw more than 18 million daily email scams related to COVID-19 in a single week. Hackers are taking advantage of psychological factors like stress, social relationships and uncertainty that affect people’s decision-making. Here’s a look at some of the psychological factors that make people vulnerable and what to look out for in a scam. 


Stress and Anxiety Take A Toll

Hackers thrive during times of uncertainty and unrest, and 2020 has been a heyday for them. In the last few months they’ve posed as government officials, urging recipients to return stimulus checks or unemployment benefits that were “overpaid” and threatening jail time. They’ve also impersonated health officials, prompting the World Health Organization to issue an alert warning people not to fall for scams implying association with the organization. Other COVID scams have lured users by offering antibody tests, PPE and medical equipment. Where chaos leads, hackers follow.

The stressful events of this year mean that cybersecurity is not top-of-mind for many of us. But foundational principles of human psychology also suggest that these same events can easily lead to poor or impulsive decisions online. More than half (52%) of those in our survey said that stress causes them to make more mistakes. The reason for this has to do with how stress impacts our brains, specifically our ability to weigh risk and reward. Studies have shown that anxiety can disrupt neurons in the brain’s prefrontal cortex that help us make smart decisions, while stress can cause people to weigh the potential reward of a decision over possible risks, to the point where they even ignore negative information.

When confronted with a potential scam, it’s important to stop, take a breath, and weigh the potential risks and negative information like suspicious language or misspelled words. Urgency can also add stress to an otherwise normal situation — and hackers know to take advantage of this. Look out for emails, texts or phone calls that demand money or personal information within a very short window.

Hacking Your Network

Some of the most common phishing scams impersonate someone in your “known” network, but your “unknown” network can also be manipulated.

Your known network consists of your friends, family and colleagues — people you know and trust. Hackers exploit these relationships, betting they can sway someone to click on a link if they think it’s coming from someone they know. These impersonation scams can be quite effective because they introduce emotion into the decision-making process. If a phone call or email claims your family member needs money for a lawyer or a medical procedure, fear or worry replace logic. Online scams promising money add greed into the equation, while phishing emails impersonating someone in authority or someone you admire, like a boss or colleague, cloud deductive reasoning with our desire to be liked. The difference between clicking a dangerous link and deleting the email can come down to simply recognizing the emotions being triggered and taking a second look with logic in mind.

Meanwhile, the rise of social media and the abundance of personal information online has allowed hackers to impersonate your “unknown” network as well — people you might know. Hackers can easily find out where you work or where you went to school and use that information to send an email posing as a college alumnus to seek money or personal information. An easy way to check a suspicious email is by looking beyond the display name to examine the full email address of the sender by clicking the name. Scammers will often change, delete or add on a letter to an email address. 
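The check described above, looking past the display name to the real sender address and comparing its domain against the domains you already trust, as an added example in Python. This is not code from the original article and not Tessian’s software; the trusted domains, the sample headers and the two-edit threshold are assumptions constructed for illustration. It goes a little beyond the text by also flagging a trusted brand name buried inside an unrelated domain and a display name that itself looks like an email address.

```python
import re

# Constructed for this example: domains of the people and services the reader already trusts.
TRUSTED_DOMAINS = {"tessian.com", "stanford.edu"}

# 1 covers the article's "change, delete or add a letter"; 2 also catches swaps such as "rn" for "m".
LOOKALIKE_MAX_EDITS = 2

# Matches 'Display Name <addr>' and '"Display Name" <addr>'; bare addresses are handled separately.
_FROM_RE = re.compile(r'^\s*(?:"(?P<quoted>[^"]*)"|(?P<bare>[^<"]*?))\s*<(?P<addr>[^<>\s]+)>\s*$')


def parse_from_header(value):
    """Split a From: header into (display name, address), address lower-cased.

    Deliberately small: it handles the two common shapes and is not a full RFC 5322 parser.
    """
    m = _FROM_RE.match(value)
    if m:
        name = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        return name.strip(), m.group("addr").lower()
    return "", value.strip().lower()


def levenshtein(a, b):
    """Edit distance with single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header, trusted_domains=TRUSTED_DOMAINS, max_edits=LOOKALIKE_MAX_EDITS):
    """Return the real address, its domain, whether it is trusted, and a list of findings."""
    name, addr = parse_from_header(from_header)
    domain = addr.rpartition("@")[2]
    findings = []

    if domain not in trusted_domains:
        for trusted in sorted(trusted_domains):
            d = levenshtein(domain, trusted)
            brand = trusted.split(".")[0]
            if d <= max_edits:
                findings.append(f"lookalike domain: {domain!r} is {d} edit(s) from {trusted!r}")
            elif brand in domain:
                findings.append(f"brand name {brand!r} used inside untrusted domain {domain!r}")

    # The display name is free text: a scammer can put a familiar address there
    # while the message really comes from somewhere else.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", name)
    if embedded and embedded.group(0).lower() != addr:
        findings.append(f"display name shows {embedded.group(0)!r} but mail comes from {addr!r}")

    return {"address": addr, "domain": domain, "trusted": domain in trusted_domains, "findings": findings}


if __name__ == "__main__":
    # Constructed sample From: headers, one legitimate and three impersonation attempts.
    samples = [
        '"Tim Sadler" <tim.sadler@tessian.com>',
        "Tim Sadler <tim.sadler@tesssian.com>",
        '"tim.sadler@tessian.com" <hr-team@mail-update.example>',
        "HR Team <payroll@tessian.com.mail-update.example>",
    ]
    for header in samples:
        result = assess_sender(header)
        status = "trusted" if result["trusted"] else "CHECK"
        print(f"[{status}] {header}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

The trusted-domain set would normally come from your address book or your organisation’s own domains; the point of the script is that none of these findings are visible from the display name alone, which is all most mail clients show by default.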


The Impact of Distraction and New Surroundings

The rise of remote work brought on by COVID-19 can also impact people’s psychological states and make them vulnerable to scams. Remote work can bring an overwhelming combination of video call fatigue, an “always on” mentality and household responsibilities like childcare. In fact, 57% of those surveyed in our report said they feel more distracted when working from home. Why is this a problem from a cybersecurity standpoint? Distraction can impair our decision-making abilities. Forty-seven percent of employees cited distraction as the top reason for falling for a phishing scam.

While many people tend to have their guard up in a physical office, we tend to relax at home and may let our guard down, even if we’re working. With an estimated 70% of employees working from home part or full-time due to COVID-19, this creates an opportunity for hackers. 

It’s also more difficult to verify a legitimate request from an impersonation when you’re not in the same office as a colleague. One common scam impersonates an HR staff member to request personal information from employees at home. When in doubt, don’t click any links, download attachments or provide sensitive data like passwords, financial information or a social security number until you can confirm a request with a colleague directly.

Self-Care and Awareness 

These scams will always be out there, but that doesn’t mean people should constantly worry and keep their guard up — that would be exhausting. A simple combination of awareness and self-care when online can make a big difference. 

Once you know the tactics a hacker might use and the psychological factors like stress, emotions and distraction to look out for, it will be easier to spot an email scam without the anxiety. It’s also important to take breaks and prioritize self-care when you’re feeling stressed or tired. Step away from the computer when you can and have a conversation with your manager about why the pressure to be “always-on” when working remotely can have a negative impact psychologically and create cybersecurity risks. By understanding why people fall for these scams, we can start to find ways to easily identify and avoid them. 

This article was originally published in Fast Company and was co-authored by Tim Sadler, CEO of Tessian, and Jeff Hancock, Harry and Norman Chandler Professor of Communication at Stanford University.