The Psychology of Phishing Scams

We all get unwanted email, referred to as spam, but why so much? Does anyone really fall for these obvious scams? Even as we ask these questions, a small voice inside our heads repeats a common retort, “If spam wasn’t making money for someone, would it continue to be sent?”

Let’s start by defining spam to make sure we are all on the same page: Spam is the use of electronic messaging systems (including most broadcast and digital media) to send unsolicited bulk messages indiscriminately. That’s exactly what we all receive: a lot of unsolicited messages.

To get your attention and confirm your suspicions about the magnitude of the spam epidemic, I’ll quote a few facts from the MessageLabs Intelligence Report issued by the security firm Symantec:

• 95.1 billion spam emails will have been sent in 2010
• 89 percent of all emails sent are spam

Can any of us look at these numbers and not be blown away? Think about it. More than 95 billion spam emails were sent in 2010 – 260 million every day – and 90 percent of them were designed to separate you from your hard-earned money.

As with every ecosystem of this magnitude, there’s a complex support structure and a pecking order within it. At the bottom are emails that promise cheap performance-enhancing drugs and other scams that entice you with semi-legitimate deals. At the top are phishing scams that would make a New York marketing firm cry from envy at their elegance.

Let’s define phishing, as well: Phishing is a way of attempting to acquire information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. As you’ll see, the keyword here is trustworthy. Unlike most spam, phishing is done through an electronic relationship that gains your confidence and promises you a legitimate benefit if you comply.

I have spent a fair amount of time reading about phishing and threading through the phishing emails I receive. Fortunately, the MessageLabs Intelligence Report indicates that only one in 444.5 emails contains a phishing scam. The following notes first present a few examples of phishing emails that I found particularly compelling, followed by several extracts from papers written on the psychology of phishing.
Phishing Example #1

From: "Bank Of America Alert" <[email protected]>
Date: November 30, 2011 10:47:57 PM EST
Subject: Security Alert: Your Online Banking Has Been Blocked

[Note the seemingly legitimate email address.]

Your Online Banking Has Been Blocked

[Note the sense of urgency.]

Dear Customer,
Due to concerns, for the safety and integrity of the Bank of America we have
issued this warning message.
It has come to our attention that your Bank of America account information
needs to be updated as part of our continuing commitment to protect your
account and to reduce the instance of fraud on our website. If you could please
take 5-10 minutes out of your online banking experience and update your
personal records you will not run into any future problems with the online
service.

[This URL actually goes to http://193.203.205.226/~fitclub/wp-content/themes/yaml/core/index.html, but looks legitimate on the surface.]

To start the update now click https://www.bankofamerica.com
This is required for us to continue to offer you a safe and risk free environment.
However, failure to do so may result in temporary account suspension. Please
understand that this is a security measure intended to help protect you and your
account. We apologize for any inconvenience.
Thanks for your co-operation.
Accounts Management as outlined in our User Agreement, Bank of America will
periodically send you information about site changes and enhancements.
Security Checkpoint: This email includes a Security Checkpoint. The information in this section lets
you know this is an authentic communication from Bank of America. Remember to look for your
SiteKey every time you sign in to Online Banking.

[Nice touch. Means nothing, but adds confidence.]

Bank of America Email, 8th Floor-NC1-002-08-25, 101 South Tryon St.,
Charlotte, NC 28255-0001
Bank of America, N.A. Member FDIC. Equal Housing Lender
© 2011 Bank of America Corporation. All rights reserved.

[This URL goes to an actual BoA web page.]

How this scam operates: This email was sent to millions of random consumers (a simple phishing attack) or to known Bank of America clients (a spear phishing attack). In either case, a click on the update link will send the consumer to a legitimate-looking, but fake, Bank of America ‘update’ page where the consumer will be asked to enter bank numbers and PINs. Once collected, this information is used to access the account and transfer funds to the hackers. At the end of the collection, the consumer will be assured his account has been reactivated.
Phishing Example #2

[The domain gooplaces.info is used throughout. Most people will miss the fact that it is fake.]

From: "Google Places Registrations" <[email protected]>
Date: November 29, 2011 11:10:08 AM EST
To: [email protected]
Subject: only 1 day left to list your business on first page of Google Places for your city
Reply-To: [email protected]

Google Places

[Note the sense of urgency.]

24 Hours Left! to list your business
Warning! after 24 hours we are no longer accepting anymore business for 1st page listing
Google receives millions of clicks every month from people looking for products and services online. (list
your business now)
These searches range from attorneys to vehicles, only those businesses showing on the first page of Google
are the ones who people contact and conduct business with.
(list your business now)
Today we want to select only 2 businesses of each category to display on the first page of Google Places in
your city.
If you want to see your business on the first page of Google Places for your city, you must register now.
There is only 24 hours left to register. In 24 hours we will no longer accept any more businesses.
if you want to be the first to register please list your business here.

[This is the real logo from Google Places.]

List your business today, never any clicks or monthly fees, receive unlimited traffic to your website, this is a
lifetime listing.
This email was sent to [email protected], click here to unsubscribe.
goolocalplaces.com
po box 0225, mIami, florida | E-mail: [email protected]
COPYRIGHT 2011. goolocalplaces.com.
ALL RIGHTS RESERVED.

How this scam operates: This email was sent to millions of consumers, some of whom own businesses and have recently heard of the very desirable Google Places feature. Most people will not pick up on the misspelled domain (goolocalplaces), a poor derivative of Google Local Places. When the registration link is clicked, the business owner will be asked to enter his or her business information (perhaps a lengthy process, so the user hates to stop once it’s started) with a small fee charged at the end. The entered credit card information will be sold on the cyber-crime market within hours of its collection. The consumer will believe he has just improved the social networking viability of his business.
Phishing Example #3

From: "Mailbox Administrator" <[email protected]>
Date: November 14, 2011 8:40:13 PM EST
To: undisclosed-recipients:
Subject: Your Mailbox Has Exceeded It Quota/Limit®

[Note the sense of urgency.]

Your Mailbox Has Exceeded Its Quota/Limit As Set By Your Administrator, And You May Not Be Able To
Send Or Receive New EMails Until You Re-Validate It. To Re-Validate, Please CLICK: Re-Validate Your
Mailbox

Clicking this link will display the web page seen below. Note the odd URL that the link takes you to: http://test3.3dnet.rs/images/index.php

All the page wants is your email address and password.

How this scam operates: This phish is the slickest of the three. Who among us doesn’t worry about running out of email space – perhaps missing emails and images from friends and relatives? And what could be more benign than just entering our email address and password – doesn’t the email provider have that information already anyway? The scam is the collection of email addresses and passwords. The scam makes use of the fact that more than 31 percent of all users reuse their password for all of their accounts. This would indicate that one-third of the username/password combinations collected by this scam might be valid at other websites frequented by the user (e.g., PayPal, eBay, Schwab). The hacker will try this username/password combination, along with thousands of others, on any website that might provide a profit.
Digging into the Psychology of Phishing

Why does phishing work? As noted above, phishing scams work because they are presented in a form that engenders trust in the consumer. The creators of these scams are clever, patient people who have turned phishing into a well-studied science. Think about the ultimate psychology test lab – access to millions of test subjects where literally hundreds of scams can be tried and tested, with tens of thousands of subjects in each trial. A single trial will result in information as to who opened the phishing email, who clicked on the embedded links, who fell for the scam or who aborted at the final moment. The hacker can tweak the trial and try again, with each trial generating cash as well as additional knowledge about the psychology of consumers. After a few years, the phishing artist understands the psychology of phishing far better than any PhD candidate working with college students as test subjects.

Several good papers have been written on this fascinating subject. Below, I’ve researched two of them and extracted the sections I found most interesting and relevant to the examples above.
Paper: Some Psychological Factors of Successful Phishing
By: Don Mosley, Graduate Student in Information Security, East Carolina University
Reference URL: http://www.infosecwriters.com/text_resources/pdf/Phishing_DMosley.pdf

A great definition of the origin of phishing referenced in Mosley’s paper reads: “The word 'phishing' originally comes from the analogy that early Internet criminals used email lures to 'phish' for passwords and financial data from a sea of Internet users. The use of 'ph' in the terminology is partly lost in the annals of time, but most likely linked to popular hacker naming conventions such as 'Phreaks' which traces back to early hackers who were involved in 'phreaking' – the hacking of telephone systems.” (Gunter Ollmann, “The Phishing Guide”, NGSSoftware Insight Security Research, 9 Sept. 2004)

Mosley offers several thoughts on why people fall for phishing. I found the following three to be well worth repeating.
1. Trust of authority

Our society has been built up since the dawn of humanity to trust, obey and follow some type of authority figure, whether it be a god, a strong alpha male, parents, the school principal, a rock star or a political leader. Obedience to commands occurs almost at the genetic level. If you receive a personal email purported to come from Bank of America questioning the validity of your account data, you will have a strong compulsion to respond, and respond quickly.

The email in Example #1 above demonstrates an attempt to declare itself an authority (a bank) as the reason for the consumer to trust the institution and, by extension, the email. The call to link to the update page and enter Bank of America credentials in order to fix a banking problem seems more like a service to the consumer than a scam. The use of the Bank of America logo, Security Checkpoint graphics and the legitimate office and email addresses almost screams, “Trust me – I am in charge of your financial future.”

2. Text and graphics lack traditional clues of validity

Our socio-economic culture has given us certain modes of discrimination regarding the validity of business institutions. We don't hesitate to deposit our paycheck at the corner bank because it's been there for years, our parents deposited checks there and it “looks” like a bank. Without clues from the verbal and physical realms, our ability to determine the validity of business transactions is diminished.

While the emails in Examples #1 and #2 cannot provide these verbal and physical realms, they do try to relate to institutions we already feel confidence in with various clues embedded in the emails. Unless one looks closely, the Bank of America email looks perfectly legitimate, as does the corresponding update web page. The Bank of America logo, email address and physical office address all add to this illusion of validity. The Google Places email, while not as solidly legitimate as the Bank of America email, presents the well-known multi-colored Google logo as its strongest tie to the real Google.

3. Clues to the fraudulent nature of phishing scams are often below the threshold of the average recipient

Prior to the Internet, the typical scam or swindle scenario involved face-to-face or verbal interaction between swindler and victim. “Hey buddy – want to buy a Rolex?” “Ma'am, I was driving through your neighborhood and noticed that your shingles were about to blow off.” With careful attention to the peripheral clues present in the details surrounding the transaction, the victim has a much greater chance of recognizing and avoiding the swindle. Is the “roofer” driving a car with no ladders or roofing materials? Why is the cheap Rolex watch not actually ticking? The clues that can be gleaned from a typical phishing email tend to be of a technical nature that might not be obvious to the average email user. A user is going to look at the tag of an embedded link in a message instead of the browser's address bar after he clicks the link.

To the untrained or unobservant consumer, none of the three example emails seems to contain any blatantly fraudulent indicators. If one were to step back and carefully consider each of these, however, many possible questions might arise:

1. Why is Bank of America asking me for my account information – shouldn’t they know this already?
2. Why isn’t my name on the email? (Note that on a spear phishing attack, it would be.)
3. The Bank of America update URL seems correct, until you look to see where it really takes you.
4. The Bank of America Security Checkpoint section just seems like the email is trying too hard to convince me it is legitimate.
5. Why is Google Places spelled so poorly?
6. Why would Google limit this offer to only two businesses in each category?
7. Does Google charge anyone for anything? Why would they start now?
8. Shouldn’t my email vendor already know my email name and password?

In the rush of our daily lives, and with the majority of the population only superficially technical, these questions won’t be asked, and the average consumer will continue to be a prime phishing target.
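Questions 3 and 5 above point at clues that can be checked mechanically: a link whose visible text disagrees with its real destination, a bare IP address where a bank's domain should be, and links that wander away from the brand a message invokes. As an added example, not code from the original article, the following Python script applies those three checks to a constructed message; the brand table and the sample HTML are assumptions built from Examples #1 and #2 above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand table: names a message may invoke and the domain real links use.
BRAND_DOMAINS = {"bank of america": "bankofamerica.com", "google": "google.com"}
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample modelled on Examples #1 and #2 above (not the original messages).
SAMPLE_HTML = """<p>Dear Customer, your Bank of America account needs updating. To start click
<a href="http://193.203.205.226/~fitclub/wp-content/themes/yaml/core/index.html">https://www.bankofamerica.com</a>.
See our <a href="https://www.bankofamerica.com/privacy">privacy policy</a>.</p>
<p>24 Hours Left! to list your business on Google Places:
<a href="http://www.gooplaces.info/">list your business now</a></p>"""

class MailLinks(HTMLParser):
    """Collect (href, visible text) for each anchor, plus all rendered text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

def registrable(host):
    return ".".join(host.lower().split(".")[-2:])  # crude eTLD+1, enough for these samples

def find_deceptive_links(html):
    """Return [(href, [reasons])] for every anchor that looks deceptive."""
    parser = MailLinks()
    parser.feed(html)
    body = " ".join(parser.text).lower()
    invoked = {d for name, d in BRAND_DOMAINS.items() if name in body}  # brands the mail name-drops
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        is_ip = bool(IPV4_RE.match(host))
        reasons = ["destination is a bare IP address"] if is_ip else []
        if text.lower().startswith(("http://", "https://")):  # visible text is itself a URL
            shown = urlparse(text).hostname or ""
            if registrable(shown) != registrable(host):
                reasons.append(f"shows {shown} but goes to {host}")
        if invoked and not is_ip and registrable(host) not in invoked:
            reasons.append(f"leaves the invoked brand domains {sorted(invoked)}")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `find_deceptive_links(SAMPLE_HTML)` flags the bank link twice (bare IP, visible text disagrees with destination) and the gooplaces.info link once, while the genuine bankofamerica.com link passes.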
Paper: Social Engineering & “Influence” by Dr. Cialdini
By: K K Mookhey
Reference URL: http://niiconsulting.com/checkmate/2010/06/03/social-engineering-influence-by-dr-cialdini/

This excellent post by Mookhey takes the influences described in Dr. Cialdini’s book, “Influence,” and relates these to the psychology of phishing. While the entire post is good reading, I found Mookhey’s notes on scarcity to be particularly relevant to our email examples:

Dr. Cialdini on scarcity: Collectors of everything from baseball cards to antiques are keenly aware of the influence of the scarcity principle in determining the worth of an item.

Mookhey as it relates to phishing: One of the most common tactics is to build time pressure. The scarcity of time often makes people comply with requests in violation of their policies and their own common sense.

In each of the phishing examples above, we see the scarcity of time and the sense of urgency to be an implicit or explicit driver to consumer action. Let’s take a look at a few of the lines in these example emails that are obvious scarcity drivers:

1. Example 1: If you could please take 5-10 minutes out of your online banking experience and update your personal records, you will not run into any future problems with the online service
2. Example 1: Failure to do so may result in temporary account suspension
3. Example 2: Subject: only 1 day left to list your business on first page of Google Places for your city
4. Example 2: 24 Hours Left! to list your business
5. Example 2: after 24 hours we are no longer accepting anymore business for 1st page listing
6. Example 3: Subject: Your Mailbox Has Exceeded Its Quota/Limit
7. Example 3: And You May Not Be Able To Send Or Receive New EMails Until You Re-Validate It

Looking at these scarcity drivers, one can only get the sense that the best course of action is to act immediately or lose access to your bank account, miss a great Google opportunity or risk the loss of personal emails – any of which might cause personal hardship.
Conclusion

Phishing artists are very good – they have the ultimate test lab (the world’s population) to hone their skills, with millions of dollars at stake. Phishing attacks are usually orchestrated in countries with little or no fear of prosecution; therefore, there is no downside to being a phishing hacker. The technology behind phishing has evolved to the point where a phishing hacker will run his botnet (a collection of compromised computers connected to the Internet) from the comfort of his home, with the actual command and control computers possibly located in distant countries. The spoils of phishing (i.e., credit card numbers, bank account information, email addresses and passwords) are sold on a thriving cyber black market, again with little concern of being caught and prosecuted.

The three examples of phishing attacks above are just a few of literally thousands of attack variations, each of which might take many forms. Again, for a reference of the magnitude of the phishing problem, keep in mind that there were more than 235 million phishing emails sent in 2010. Phishing will be with us for many years to come, primarily targeted at the consumer, the one group least likely to understand and avoid phishing.

By Alan Wlasuk
WDDinc
Indianapolis, Ind.
[email protected]
www.WDDinc.com