Phishing attacks typically rely on one or more of three psychological levers: obedience, urgency or curiosity. In my experience as a tester, the obedience and urgency vectors have the higher success rate. The reason is straightforward: people do not want to cause a fuss or a delay and, if their boss asks them to do something, they will most likely do it without question.
The Milgram experiment is a famous demonstration of the power of obedience and the lengths to which someone will go when instructed by an authority figure.
The basic premise was as follows: would an ordinary person, when ordered by an authority figure, administer an electric shock to another participant in the study (actually an actor, who received no shock at all), even when the shock was presented as potentially lethal?
All participants delivered at least a 'dangerous' level of shock and around two-thirds delivered the maximum available shock. Even though they believed the shocks could be lethal, the subjects continued simply because the accompanying scientist (the authority figure in this scenario) told them to.
Urgency is commonly combined with obedience to give the latter extra force: under time pressure we cannot properly assess the situation and must decide quickly, so we tend to fall back on a known or predictable pattern, which in the case of phishing means complying with the request.
The same lever drives ransomware, where victims are given a time limit to pay the attackers before the price increases. The fear of losing files is compounded by an on-screen countdown, and the cost of ransomware is forecast to reach billions by the end of next year.
Ransomware is profitable enough that it could overtake 'whaling' (targeted phishing of senior executives) as the primary method of extorting money from a business, and it has certainly attracted more press coverage since the start of 2017. Ransomware requires minimal planning and can target a vast number of computers, whereas whaling requires in-depth research and reaches only a small number of businesses at a time. WannaCry, for example, infected several hundred thousand machines in a matter of days; notably, it spread as a network worm through a Windows SMB vulnerability rather than by phishing, which is precisely why it needed so little effort per victim.
Curiosity, which also covers reward, is arguably the least effective of the three. Simply put, there is less incentive to respond to a request if nothing is lost by ignoring it.
For example, if a phishing email uses the premise 'Click here to enter the draw for a free laptop', many users will simply ignore it because it does not seem worth the effort or looks highly suspicious. Contrast this with your CEO asking you for help, where the penalty for not obeying is clear.
Curiosity bait can also backfire. A common attack is to send a user an attachment 'in error', such as another employee's salary information, in the hope that they open it. Here the recipient may leave the file unopened for fear of repercussions or dismissal, and the attack fails.
Always be wary of emails that make an urgent request or reward you for performing an action. Even if the email appears legitimate and comes from a known address, treat it with caution and properly vet the sender before responding: check that the actual sender address (not just the display name) and any Reply-To address belong to the domain you expect, and confirm unusual requests through a separate channel, such as a phone call to a number you already hold, never via contact details given in the email itself.
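The checks above can be scripted. The following is an added example, not code from the original article or from First Base Technologies: it parses an email with Python's standard `email` library and flags the warning signs discussed in this post (an external or lookalike sender domain, a trusted address hidden in the display name, a mismatched Reply-To, and urgency or reward wording). The domains, names and three sample messages are constructed for illustration, and the phrase list and confusable-character table are deliberately small; they are assumptions, not a complete detection ruleset.

```python
"""Vet an email's headers and body for the phishing levers discussed above.

Added example, not from the original article. All domains, names and the
sample messages are constructed; the phrase lists and confusable table are
illustrative assumptions, not an exhaustive ruleset.
"""
from email import message_from_string
from email.utils import parseaddr

# Wording that signals the "urgency" and "reward" levers (illustrative list).
URGENCY_PHRASES = ("urgent", "immediately", "asap", "right away",
                   "before end of day", "within the hour")
REWARD_PHRASES = ("enter the draw", "you have been selected", "free laptop",
                  "claim your", "prize")

# Character substitutions commonly used in lookalike domains (illustrative).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed sample messages (not real mail).
PHISH_CEO = """\
From: "Jane Doe, CEO" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-example.net
To: alex@example.com
Subject: Urgent: supplier payment
Content-Type: text/plain; charset=utf-8

Alex, I am in a meeting and need you to action this immediately.
Pay the attached invoice before end of day and do not discuss it with anyone.
"""

BENIGN_INTERNAL = """\
From: Jane Doe <jane.doe@example.com>
To: alex@example.com
Subject: Lunch next week
Content-Type: text/plain; charset=utf-8

Are you free for lunch on Tuesday?
"""

REWARD_BAIT = """\
From: "it-support@example.com" <helpdesk@freemail-example.net>
To: alex@example.com
Subject: Staff giveaway
Content-Type: text/plain; charset=utf-8

Click here to enter the draw for a free laptop.
"""


def normalise_domain(domain: str) -> str:
    """Fold lookalike substitutions so examp1e.com compares equal to example.com."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def domain_of(address: str) -> str:
    """Return the domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def plain_text_body(msg) -> str:
    """Concatenate every text/plain part (works for single- and multipart mail)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def vet_message(raw: str, trusted_domains: set) -> dict:
    """Return the real sender address plus the list of red flags found."""
    msg = message_from_string(raw)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    trusted = {t.lower() for t in trusted_domains}
    trusted_normalised = {normalise_domain(t) for t in trusted}

    # 1. Who actually sent it? A lookalike domain survives a quick glance.
    if from_domain not in trusted:
        if normalise_domain(from_domain) in trusted_normalised:
            flags.append("lookalike_domain")
        else:
            flags.append("external_sender")

    # 2. A trusted address that appears only in the display name is spoofing.
    if "@" in from_name and domain_of(from_name) in trusted and from_domain not in trusted:
        flags.append("display_name_spoof")

    # 3. Replies silently redirected to a different domain.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if domain_of(reply_addr) != from_domain:
            flags.append("reply_to_mismatch")

    # 4. The psychological levers: urgency and reward wording in subject or body.
    text = (msg.get("Subject", "") + "\n" + plain_text_body(msg)).lower()
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgency_language")
    if any(p in text for p in REWARD_PHRASES):
        flags.append("reward_language")

    return {"from": from_addr, "flags": flags, "score": len(flags)}


if __name__ == "__main__":
    for label, raw in (("CEO fraud", PHISH_CEO), ("benign", BENIGN_INTERNAL),
                       ("reward bait", REWARD_BAIT)):
        print(label, vet_message(raw, {"example.com"}))
```

The CEO-fraud sample trips three flags (lookalike domain, Reply-To mismatch, urgency wording) while the benign internal message trips none; the reward bait is caught on the external sender, the spoofed display name and the reward wording. A script like this is a prompt for suspicion, not a verdict: the decisive check is still the out-of-band phone call described above.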
About the author
Alec Auer, BA (Hons), OSCP, CRT, has been a penetration tester with First Base Technologies for several years and conducts various types of penetration and compliance testing, including infrastructure, web application, email phishing and Cyber Essentials. He holds the Offensive Security Certified Professional (OSCP) qualification and is a CREST Registered Tester.