I received a note last week from Marco Van den Berg, CIO of the International Rice Research Institute. Marco had read my article on the most common types of phishing messages and had a suggestion: he thought it would be more useful to describe different kinds of phishing in relation to the emotional triggers they employ.
I liked the idea and will do that here today. Thank you, Marco!
Emotional Triggers are Key to Influencing Behavior
I talk a lot about emotional triggers when I conduct anti-phish training. Why? Because manipulating emotions is a key element in encouraging behavior change. Here are a few examples.
- When our high school varsity football coach approached me and said he was hoping he could count on me to join the team, I was flattered and immediately agreed. How would I have felt if I had known that he approached every senior in our class with that request?
- When the local pest extermination company came to the door to interest me in a subscription, they mentioned that they were talking with “a few of [my] neighbors”. Why did that matter?
- You have no doubt seen some of the clickbait at the bottom of “free” internet news sites. On CNN today, I can see “41 Old Toys That Are Worth More Than Your House” or “The Celebrities Who Have Been Banned for Life from SNL.” What is the emotional trigger here?
Why Emotions Matter
What is it about emotions? Allow me to condense a crap-ton of brain science and psychology into a sentence or two. We like to think that we use the analytic and rational side of our brain when we make decisions. You know: lay out the alternatives, consider the strengths and weaknesses of each. Then decide based on the alternative that has the highest net positive result.
Not so fast. It turns out that we are as likely to decide on an emotional basis. Then we use our analytic brain to justify the decision after the fact. “If I buy the Tesla, I can pretend I am part of the Silicon Valley glitterati!” That is what my emotional brain says. My rational brain talks about my cost per mile to operate an electric vs. gas-powered vehicle.
The Seven Deadly Emotional Triggers
A little truth here. There may not be seven deadly emotional triggers. I can think of at least four. But hey, it’s a catchy title.
Taking the gold (sorry, bad Olympics reference) today is greed. This happened. To CGNET. Today. And someone got phished. Yes, even the experts can fall prey.
On behalf of XXX Foundation, you are invited to submit a proposal for the scope of work outlined in this request. All RFP documents are provided in the link below.
See the RFP document for detailed information: <malicious link>
Be advised that the link will expire after 3 days. Please download files immediately.
This document contains information of a confidential nature and as such the link is hereby encrypted and safe.
When someone clicked on the link, they were taken to a page that looked like a Microsoft 365 sign-in page. They were asked to provide their username and password. Which they did. Then the page returned a “bad password” error. Which it wasn’t. Meanwhile, the fraudsters just got someone’s login credentials.
Urgency aka Fear of Missing Out
What is the other emotional trigger at work here? The creation of urgency. “We have to respond in three days!” Have you ever responded to a “one left at this price!” message? Then you understand how creating a sense of urgency is designed to get you to act.
It seems we all have a fear of missing out (FOMO if you want to be hip). So, we panic-buy SPAM and dried pasta when the pandemic hits. We raise our bid at auction. We click the “buy now!” link because hey, these steak knives might never be on sale again!
Unfortunately, the delivery of your <Costco order> was canceled since the specified address of the recipient was not correct. Please fill out this form (link to malicious site) and send it back with your reply to us.
Maybe you placed an order, maybe you didn’t. Who can keep track?
Ah, fear. This may be the king/queen of emotional triggers. Dread might be a better word. Your account has been suspended. Pay the IRS now or they will send the sheriff to arrest you. I used your camera to record you looking at porn all day. There are many examples.
Click here (malicious URL) to verify your <organization> email address. Otherwise, we will have to suspend your account.
Of course, you click and get taken to a fake site where you provide your username and password. Then… poof.
Sometimes we just want to know. Here are some ways this emotional trigger plays out.
I used Dropbox to share a file with you. For security purposes you would be required to sign into your email address to view. Click link here to view.
Of course, the link doesn’t take you to a legitimate Dropbox sign-in page.
Please go through the attached document on safety measures regarding the spreading of corona virus.
If you got that message and it appeared to be from the World Health Organization, you might be tempted to open it.
Desire to Help
Can we agree that we all want to help others if we can? Of course. Even if the request is coming from a work colleague I haven’t seen in five years. But, hey, the email says Frank is in trouble in London and desperately needs money for bail. Or a medical procedure; I can’t remember.
Sometimes the emotional trigger is combined with another, like fear. This message says that my child is stuck at the border in some country and needs money right away.
And one of the classic scams combines greed and the desire to help. You get to pick your favorite emotional trigger! Or maybe, you get to respond to one emotional trigger and use the other to justify your actions. Yes, I’m talking about the scams that promise you “$2,880,000 million dollars”. “Hey, if I can help them out and make a few million in the process, what’s wrong with that?”
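Each trigger above shows up in the wording of the lure itself, which makes it something a mail filter can look for before a person ever reads the message. What follows is an added example of my own and is not part of the original post or any CGNET tooling: a small Python scorer that counts trigger phrases per emotion and flags messages that also ask for sign-in credentials. The phrase lists are assumptions, a hand-picked lexicon rather than a validated classifier, and the sample messages are constructed from the lures quoted above.

```python
"""Heuristic scorer for the emotional triggers that phishing lures lean on.

Added example; not the post author's tooling. The lexicons below are an
assumption (hand-picked phrases per trigger), not a trained model.
"""
import re

# One small phrase list per trigger. Each pattern counts at most once per
# message, so the score is "how many distinct cues of this trigger appear".
TRIGGER_PHRASES = {
    "greed": [r"\bgrant\b", r"\bproposal\b", r"\brfp\b", r"\bmillion\b",
              r"\$\d[\d,]*"],
    "urgency": [r"\bexpires?\b", r"\bimmediately\b", r"\bright away\b",
                r"\bafter \d+ days?\b", r"\bone left\b"],
    "fear": [r"\bsuspend(ed)?\b", r"\bcancel(l)?ed\b", r"\barrest\b",
             r"\bverify your\b", r"\bnot correct\b"],
    "curiosity": [r"\bshare[ds]? a file\b", r"\battached document\b",
                  r"\bview\b", r"\bdropbox\b"],
    "help": [r"\bneeds? money\b", r"\bbail\b", r"\bstuck\b", r"\bdesperately\b"],
}
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in TRIGGER_PHRASES.items()}

# Language that asks the reader to authenticate somewhere; combined with a
# strong trigger score this is the credential-harvesting pattern described
# in the post (fake sign-in page, "bad password", stolen login).
CREDENTIAL_CUES = re.compile(r"\b(sign|log) ?in(to)?\b|\busername\b|\bpassword\b",
                             re.IGNORECASE)

# Constructed sample messages, paraphrased from the lures quoted in the post.
SAMPLES = {
    "rfp": ("On behalf of XXX Foundation, you are invited to submit a proposal "
            "for the scope of work outlined in this request. All RFP documents "
            "are provided in the link below. See the RFP document for detailed "
            "information. Be advised that the link will expire after 3 days. "
            "Please download files immediately."),
    "costco": ("Unfortunately, the delivery of your Costco order was canceled "
               "since the specified address of the recipient was not correct. "
               "Please fill out this form and send it back with your reply to us."),
    "verify": ("Click here to verify your email address. Otherwise, we will "
               "have to suspend your account."),
    "dropbox": ("I used Dropbox to share a file with you. For security purposes "
                "you would be required to sign into your email address to view. "
                "Click link here to view."),
    "bail": ("Frank is in trouble in London and desperately needs money for "
             "bail. Please send it right away."),
    "benign": ("Hi team, the agenda for Thursday's meeting is attached. Let me "
               "know if you want to add anything."),
}


def score_message(text):
    """Return {trigger: number of distinct cue patterns found} for every trigger."""
    return {name: sum(1 for p in pats if p.search(text))
            for name, pats in COMPILED.items()}


def dominant_trigger(text):
    """Name of the highest-scoring trigger, or None when no cue matched."""
    scores = score_message(text)
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else None


def asks_for_credentials(text):
    """True when the message tells the reader to sign in or mentions a password."""
    return CREDENTIAL_CUES.search(text) is not None


def triage(text):
    """Summary a mail-filter rule could act on: trigger, its score, credential ask."""
    scores = score_message(text)
    trigger = dominant_trigger(text)
    return {
        "trigger": trigger,
        "score": scores[trigger] if trigger else 0,
        "credential_ask": asks_for_credentials(text),
        # Review-worthy: any trigger cue plus a request to authenticate.
        "review": trigger is not None and asks_for_credentials(text),
    }


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:8s} {triage(body)}")
```

Run stand-alone it prints one triage line per sample; the RFP lure scores highest on urgency, the Dropbox lure on curiosity with a credential ask, and the benign meeting note matches nothing. The point is not that keyword counts catch phishing on their own (they do not; sender, link and attachment analysis still matter) but that the emotional pressure a human feels is visible as text, so a filter can route "trigger cue plus sign-in request" messages to review before the stop, look, listen moment is needed.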
How Not to Get Played by Your Emotions
We are emotional beings; we are not Vulcans. So, we need to recognize that phishers will try to use our emotional triggers against us. If we suspect we are getting played, it will help if we can stop, look, and listen.
- Stop taking further action. Don’t buy those gift cards just yet. Take a pause.
- Look objectively at what we are being asked to do. Does this request seem strange? Have I been asked before to do this thing, in this way?
- Listen to how you are proposing to respond. Does it make sense when you say it out loud? Would it make sense if your friend described it to you?
That Sum of $2,880,000 Million Dollars
A final note on that “$2,880,000 million dollars”. I was being told that the Biden Administration was going to grant me that amount for COVID relief. I just had to confirm to Fake Federal Reserve Guy that I was interested.
- So, I asked him to tell me more.
- Then I asked him if he really meant to send me $2.8 trillion [$2.8 million million]. He did not.
- Then I asked him if the amount was taxable.
- Next I asked him why I needed to pay for insurance on the transaction. The insurance was described as necessary to make sure nothing was taxed. But he had just said I wasn’t going to be taxed. So why did I need to pay for it?
At this point, Fake Federal Reserve Guy was exasperated. He asked me to stop asking questions and get on with selecting which payment method I preferred.
I am considering the Bitcoin ATM card.