20 Nov 2020

Anyone can fall for an email phishing scam, but what makes someone more susceptible than others? Research from the University of Auckland has unpicked this question.  

“There’s this notion that people who click on links or fall for phishing scams are gullible or dumb, but our research shows that there are many other factors at play,” says researcher Jacinda Murphy, who is also a Westpac Manager of Cyber & Technology Risk. 

Phishing is the attempt by fraudsters to disguise themselves as reputable companies via email in order to gain personal information from individuals – such as credit card details or passwords.  

Murphy published her Master's thesis, "Gone Phishing: Understanding the factors that affect cyber security behaviours in a phishing email simulation in a financial institution", this year with The University of Auckland's School of Psychology.

She used the ‘Swiss Cheese Model’ to show that anyone can be susceptible if their defences aren’t working well.  

“The slices of cheese represent the person’s defences and the holes represent weaknesses in the defences.  

“For example, one defence may be having a secure email gateway which is supposed to filter out phishing emails before they even get to people. If the phishing emails are blocked at the gate, the intended recipients can’t reply to the emails with personal information or click on dodgy links or attachments. The defence is strong. 

“But we may see weaknesses in this defence if the filters or rules that are in place aren’t able to correctly identify the emails as phishing. The phishing emails will then pass through, into the recipient’s inbox,” Murphy said. 

The cyber risk expert says phishing education and simulation-based training were shown to decrease the likelihood of individuals clicking on links and, importantly, to increase the likelihood that individuals would report the phishing emails.

At Westpac, we have a phishing inbox where employees and customers can send suspicious-looking emails. 

“It is so important to have a good culture around reporting suspicious-looking emails, especially if the individual has engaged with the email by clicking on any links or sharing information. If people are embarrassed, they won’t report or admit that they have been phished. We need to make it OK for people to own up to these mistakes so our security professionals can quickly assess the situation and mitigate any further impact,” she said. 


Psychology of phishing scams  

Murphy said the brain operates using two different systems as described in Daniel Kahneman’s book, Thinking, Fast and Slow.  

“The first system is heuristics-based. This is where we rely on our intuition and make impulsive decisions without conscious deliberation,” she said.  

“The second is systematic, which is a slow, controlled, and thoughtful style of thinking where reason dominates.  

“We work a lot in system one which helps us to function in our busy, complex environments but it can become a problem in instances like receiving a phishing email. How many of us slow down and work consciously through our emails? We’re usually trying to action them as quickly as possible.”

Murphy said a high workload, stress and distraction are all factors that push people towards a system one style of thinking.

“This can present weaknesses in our defences and can change the way we behave in our environments. If we’re busy, we may prefer to check emails on the go using our mobile devices. Unfortunately, with mobile, we can’t immediately see the sender’s email address and the sender name can be customised to appear legitimate. It takes us longer to click in to check the details of the sender’s address which may deter people from doing it, or we may forget to check at all,” she said.  


Tips to avoid phishing scams   

  • We are in control of how we design our environments, and our design choices should be intentional to help us make better decisions. We can set up flags and rules in our email clients that notify us of emails arriving from people we don’t know, or emails that carry attachments.
  • Understand how your brain operates. If you’re distracted or stressed, come back to the emails later, rather than clicking through while you are at your most susceptible.
  • Learn more about the types of scams out there and how scammers can take information from you and your devices. CERT NZ are a great resource for getting information on the latest scams, reporting cyber security problems, and viewing practical guidance on how to keep your information safe and secure online.
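The first tip (rules for unknown senders and attachments) and the earlier point about mobile clients showing only a customisable sender name can both be checked mechanically from the message headers. The following is an added example written for this page, not code from the article, the thesis or Westpac. It parses a raw RFC 5322 message with Python's standard email library and reports four things: a sender outside a contact list, a display name that claims a different address from the real one, a Reply-To that diverts replies elsewhere, and any attachment. The contact list, the sample messages and every domain in them are constructed for the example.

```python
"""Flag risky inbound mail the way an email-client rule would (added example)."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed allow-list of known correspondents (an assumption for this example).
KNOWN_SENDERS = {"alice@example.co.nz", "payroll@example-bank.co.nz"}


def check_message(raw: bytes, known_senders=KNOWN_SENDERS) -> list:
    """Return the rules that fire for one RFC 5322 message; an empty list means none did."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, sender = parseaddr(str(msg.get("From", "")))
    sender = sender.lower()
    flags = []

    # Rule 1: anyone not in the contact list gets a visible notification.
    if sender not in known_senders:
        flags.append(f"unknown-sender: {sender or '<missing>'}")

    # Rule 2: display-name spoofing. A name that itself looks like an address is
    # exactly what a phone's "sender name" view shows while hiding the real address.
    if "@" in display_name:
        claimed = display_name.strip().lower()
        if claimed != sender:
            flags.append(f"display-name-mismatch: shows {claimed!r}, really {sender!r}")

    # Rule 3: replies silently routed to a third address.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != sender:
        flags.append(f"reply-to-mismatch: {reply_to.lower()}")

    # Rule 4: any attachment at all is worth a pause before opening.
    for part in msg.iter_attachments():
        flags.append(f"attachment: {part.get_filename() or '<unnamed>'}")
    return flags


def build_sample(from_hdr, subject, body, reply_to=None, attachment=None) -> bytes:
    """Construct a sample message as raw bytes (constructed data, not real mail)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "staff@example-bank.co.nz"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()


# Three constructed messages: a known contact, a display-name spoof, and a parcel lure.
SAMPLES = {
    "trusted": build_sample("Alice <alice@example.co.nz>", "Lunch?", "Usual place at 12?"),
    "spoofed_name": build_sample(
        '"payroll@example-bank.co.nz" <hr-update@mail-notice.example>',
        "Action required: confirm your bank details",
        "Please confirm your details at the link below.",
        reply_to="collect@mail-notice.example",
    ),
    "parcel": build_sample(
        "DHL Tracking <tracking@dhl-parcels.example>",
        "Your package is waiting",
        "Open the attached invoice to release your parcel.",
        attachment=("invoice.pdf", b"%PDF-1.4 not a real document"),
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", check_message(raw) or "no flags")
```

The point of Rule 2 is that the "trusted" and "spoofed_name" messages look identical in a mobile client's sender column; only the address behind the name differs, and that is what the rule surfaces. A real deployment would feed the contact list from the address book and run the check as a client-side rule or a gateway filter rather than a script.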


Current phishing scams and their method  

  •  DHL-themed phishing emails claim to be for package tracking and personal information validation.   
  •  NZTA-themed emails ask people to click on a link to renew their licence.   
  •  PayPal-themed emails ask people to click through due to unauthorised activity on a card associated with their account.   
  •  TradeMe-themed emails ask people to click on a link as their membership has been suspended.   
  •  IRD-themed phishing emails encourage people to click to claim their tax refunds.