Opinion: The theme of Fraud Awareness Week this year was investment scams, with MBIE announcing that $200 million was lost to scams over the past year. We’re all, even those of us who aren’t planning to invest, vulnerable to the myriad influencers in our myriad devices, persuading us to share bank details, passwords and so on.
Phishing is one type of scam, in which the attacker typically masquerades as a legitimate institution. Readers may be familiar (unfortunately) with the one claiming to be Waka Kotahi, warning you that your car registration is overdue. Or the one claiming to come from the IRD, telling you you’re entitled to a tax refund and/or a cost-of-living payment, with links to fake websites.
There have been considerable technical advances in blocking such phishing attacks, but they can’t yet fully prevent some slipping through the net and ending up in our inbox. That is where and when we – the humans – remain the last line of defence. But like populations dealing with a virus we haven’t been exposed to before, we can be naïve in our response. And don’t take this personally, but chances are the attackers have gathered personal information about you: your age, your job, even what time of day you are likely to be vulnerable to phishing.
Much of the research on cyber security has focused on the technical side, how we (and institutions) can use technology to protect us from phishers and other scammers. My team and I are instead focused on the human aspect: in particular which variables can cause people to be susceptible to phishing attacks, which is still not well understood.
It’s commonly thought and said that humans will always be the weakest link. I’d argue that when it comes to phishing, it’s not the people, it’s poor software design. My colleague, Danielle Lottridge, made an excellent analogy: the software we’re using is a lot like the early generation of cars – tall skinny wheels and a high centre of gravity, which made drivers vulnerable to flipping over. Over the decades, cars have got faster but also safer, providing the driver with more and more support to prevent them from having an accident. Similarly, software for processing emails needs to get better at protecting us, but to make the software better we first need to understand the end users better.
Some readers will know, and others won’t, that you shouldn’t immediately trust an email that asks you to click on a link just because it looks like the real deal. One way to check is to hover the cursor over the link to see where it actually leads. If, for instance, an email purports to come from a New Zealand institution but links to somewhere in Canada, with .ca rather than .nz in the URL, it’s a scam. But even here, phishers are getting better and better at hiding themselves – using a capital ‘I’ in place of a lowercase ‘l’, or two ‘l’s where there should be only one, and so on.
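The three checks described above (does the visible link text match the real destination, does the link end in the expected country code, and is the hostname a lookalike built from swapped characters such as ‘I’ for ‘l’ or a doubled ‘l’) can be automated. The following is an added example written for this piece, not code from the author or any mail product; the expected domain `example.govt.nz`, the sample email body and the confusable-character table are all constructed for illustration.

```python
import re
from urllib.parse import urlparse
from html.parser import HTMLParser

# Hypothetical trusted domain of the institution the email claims to come from.
EXPECTED_DOMAIN = "example.govt.nz"

# Characters commonly swapped for one another in lookalike hostnames (constructed
# table): capital I and digit 1 for lowercase l, digit 0 for letter o.
CONFUSABLES = {"I": "l", "1": "l", "0": "o"}

# Constructed sample email: a lookalike host, a foreign .ca host, and one genuine link.
SAMPLE_EMAIL = """<p>Your registration is overdue.</p>
<a href="https://exampIe.govt.nz/renew">https://example.govt.nz/renew</a>
<a href="https://example-renewals.ca/pay">Pay now</a>
<a href="https://www.example.govt.nz/help">Help</a>
<a href="http://examplle.govt.nz/">Open</a>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Return the host of a URL with its case preserved.
    urlparse(...).hostname lower-cases, which would hide a capital I."""
    netloc = urlparse(url if "://" in url else "http://" + url).netloc
    netloc = netloc.rsplit("@", 1)[-1]          # drop user:pass@
    return netloc.split(":", 1)[0].rstrip(".")  # drop :port and trailing dot


def fold_lookalikes(host: str) -> str:
    """Map confusable characters to a canonical form so lookalikes compare equal."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in host).lower()
    return re.sub(r"l{2,}", "l", folded)        # 'll' written where 'l' belongs


def check_link(href: str, visible_text: str, expected_domain: str = EXPECTED_DOMAIN) -> list:
    """Return a list of findings for one link; an empty list means nothing suspicious."""
    findings = []
    host = host_of(href)
    if not host:
        return ["no host in link"]
    # 1. The hover check: visible text that names a different host than the real target.
    if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", visible_text, re.I):
        shown = host_of(visible_text)
        if shown and shown.lower() != host.lower():
            findings.append(f"visible text shows {shown} but link goes to {host}")
    # 2. Genuine destination (the domain itself or a subdomain of it).
    exp = expected_domain.lower()
    if host.lower() == exp or host.lower().endswith("." + exp):
        return findings
    # 3. Lookalike built from swapped characters.
    if fold_lookalikes(host) == fold_lookalikes(exp):
        findings.append(f"{host} is a lookalike of {exp}")
    # 4. Country-code check (.ca where .nz was expected).
    exp_tld = exp.rsplit(".", 1)[-1]
    tld = host.rsplit(".", 1)[-1].lower()
    if tld != exp_tld:
        findings.append(f"link ends in .{tld}, expected .{exp_tld}")
    elif not findings:
        findings.append(f"{host} is not {exp}")
    return findings


def scan_email(html: str, expected_domain: str = EXPECTED_DOMAIN) -> list:
    """Return [(href, findings)] for every link in the email body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, check_link(href, text, expected_domain)) for href, text in parser.links]


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL):
        print(href, "->", findings or ["ok"])
```

Running it against the constructed sample flags the capital-I lookalike twice (text mismatch plus lookalike), the .ca link once, the doubled-l host once, and passes the genuine `www.example.govt.nz` link. The folding step is deliberately aggressive: it is meant to catch domains that look like the trusted one, so a false positive costs a second look while a miss costs the user.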
We reviewed the available literature to propose a three-stage phishing susceptibility model (PSM). But our research revealed, like all aspects of human personality – which intersects with life experiences, context, even the time of day – people’s response to phishing is complicated, and often unpredictable.
While research shows benefits from training, industry reports indicate that training is not effective enough to solve the problem. In fact, a recent study conducted an experiment in industry and found that simulated phishing training can make employees even more susceptible to phishing, perhaps from misunderstanding the training.
Users with more experience related to information technology and cyber security tend to spend more time and effort in checking email, but they too can get caught out. And once bitten doesn’t make everyone twice shy; falling for phishing once does not always make users less susceptible. We don’t and may never know why some people don’t learn from past mistakes, but we should try and find out.
What we do know: attention is compromised when we’re multi-tasking, so be careful with unfamiliar emails when you’re trying to do more than one thing at once, or not taking enough time to switch from one task to another. Some studies have found younger users are more susceptible, others that older people are more susceptible, and people of different ages seem to be susceptible to different types of phishing.
People are complicated, and phishers know this. In an ideal, or at least better, world we shouldn’t need to waste precious time checking email legitimacy: we use email to get work done, and don’t want to spend that time vetting the dozens, if not hundreds, of emails we receive.
Phishers are increasingly adept at understanding human nature so they can take advantage of us, but we need to better understand ourselves, to protect ourselves, and our digital information. Researchers in this area need to better understand the way we behave, to create technologies that take into account our vulnerabilities, to make our online world a safer place.