Most people are aware of what constitutes a phishing scam even if they haven't been confronted by one themselves. You receive an email from what appears to be from a legitimate business (your bank, for example) and are persuaded to click through to a spoof website. There you are tricked into entering sensitive personal data - account details, passwords - even credit card numbers. But how do the phishers manage to pull this off? It's not all down to the sophisticated "look and feel" of a fake email or website. The truth is that most phishing emails also employ simple psychological triggers in an attempt to make the victim compliant.
Hope, greed and vanity

People like to feel special and people like winning things. Phishers know this and many a victim has been snared by the "award" of some freak prize or lottery payout. Nothing piques the interest quite like the prospect of massive financial gain. Of course, these days most people realise that they are unlikely to be notified of a 20 million dollar windfall via email.
So instead many phishers have begun to tempt people with more credible bait - smaller sums of money, iPods, or increasingly the kind of freebies that appeal to the victim's sense of vanity, such as a free account upgrade which is exclusive to "only the best and most trusted customers". These tactics are made all the more dangerous when combined with the other triggers described below.

Urgency

Phishers don't want their victims to dwell too much on their handiwork.
The spammy nature of the links, the spelling errors and the grammatical incompetence invariably become obvious upon closer inspection. For this reason, a phishing email will usually urge an instantaneous response: there are only 5 iPods left, the offer for the free upgrade expires within an hour, the 20 million dollars will be given to charity unless there is immediate action. The small adrenaline rush that this pressure creates can often be enough for a victim to let down their guard.
Fear

Logic is easily neutralised by basic instincts like greed and fear. So phishers will often resort to explicit threats which shut down the naturally suspicious part of the victim's brain. Traditionally this may involve a warning that a personal account has been accessed without authorization. There have also been examples of emails apparently sent from law enforcement agencies regarding illegal activity on the part of the victim. In essence the psychological pressures used by the phishers are no different to those favoured by marketers the world over. In many ways the phisher is the email marketer's evil twin.
It's just that one wants you to click and buy, whilst the other wants you to click and sign your life away. Before you do so, take a walk outside and clear your head.
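The article's point that these triggers are most dangerous in combination can be turned into a simple mail-filter heuristic. The following is an added example, not part of the original article: it scores a message body against the three lure categories described above (greed/vanity, urgency, fear) and flags it when two or more co-occur. The phrase lists and sample messages are constructed for illustration and are not a vetted detection ruleset.

```python
import re

# Illustrative phrase patterns for the three lure categories the article describes.
# These lists are assumptions for the example, not a tested production ruleset.
TRIGGERS = {
    "greed_vanity": [r"\bprize\b", r"\blottery\b", r"\bwinner\b",
                     r"\bfree (?:ipod|upgrade|gift)\b", r"\bmost trusted customers\b",
                     r"\bexclusive\b", r"\bmillion dollars?\b"],
    "urgency": [r"\bimmediately\b", r"\bwithin (?:an|one|\d+) hours?\b", r"\bexpires?\b",
                r"\bonly \d+ left\b", r"\bact now\b", r"\brespond (?:now|today)\b"],
    "fear": [r"\baccessed without authori[sz]ation\b", r"\bunauthori[sz]ed (?:access|activity)\b",
             r"\bsuspended\b", r"\blaw enforcement\b", r"\billegal activity\b",
             r"\bverify your account\b"],
}


def score_lures(body):
    """Return a dict of lure category -> list of matched phrases found in the body."""
    text = body.lower()
    hits = {}
    for category, patterns in TRIGGERS.items():
        found = [m.group(0) for p in patterns for m in re.finditer(p, text)]
        if found:
            hits[category] = found
    return hits


def is_suspicious(body):
    """Flag a message when two or more lure categories co-occur (e.g. greed plus urgency)."""
    return len(score_lures(body)) >= 2


# Constructed sample messages, modelled on the lures the article describes.
SAMPLE_PHISH = ("Congratulations! You are a winner of our free iPod promotion. "
                "Only 5 left - claim immediately or the offer expires.")
SAMPLE_FEAR = ("Your account has been accessed without authorization. "
               "Verify your account within 1 hour or it will be suspended.")
SAMPLE_BENIGN = "Your monthly statement is now available. Log in at your convenience to view it."

if __name__ == "__main__":
    for label, msg in (("phish", SAMPLE_PHISH), ("fear", SAMPLE_FEAR), ("benign", SAMPLE_BENIGN)):
        print(label, is_suspicious(msg), score_lures(msg))
```

A single category on its own is weak evidence (marketing mail uses them too); the co-occurrence check is what captures the article's observation that phishers stack the triggers.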
Matt Davies runs a Spanish website which gives free advice about credit cards and avoiding fraud online - Tarjetas de Credito