Spear phishing psychology

Many vulnerabilities exist in the mind. How to neutralize them.

When speaking about vulnerabilities, we generally mean coding errors and weaknesses in information systems. However, other vulnerabilities exist right in a potential victim’s head.

It’s not a question of lack of awareness or neglect of cybersecurity — the way to deal with those problems is more or less clear. No, it’s just that, under the influence of social engineering, the user’s brain sometimes functions a little differently than IT security gurus would like.

Social engineering is essentially a fusion of sociology and psychology. It is a set of techniques for creating an environment that leads to a predetermined result. By playing on people’s fears, emotions, feelings, and reflexes, cybercriminals can gain access to useful information. And it is largely this “science” that lies at the heart of most of today’s targeted attacks.

Four main feelings that scammers prey on:

  • Curiosity
  • Pity
  • Fear
  • Greed

It wouldn’t be right to call them vulnerabilities; they are simply natural human emotions. Perhaps a more apt description would be “channels of influence” through which manipulators try to sway their victims, ideally in such a way that the brain is actuated automatically, without the application of critical thinking. To achieve this, cybercriminals have plenty of tricks up their sleeve. Sure, some ploys work better on some people than others. But we decided to take a look at a few of the most common, and explain exactly how they are used.

Respect for authority

This is one of the so-called cognitive biases — systematic patterns of deviation in behavior, perception, and thinking. It is rooted in the inclination to unquestioningly obey those with some degree of experience or power, ignoring one’s own judgments about the expediency of such action.

In practice, it might be a phishing e-mail supposedly from your boss. Naturally, if the message told you to film yourself twerking and send the video to ten friends, you might think twice. But if your supervisor is asking you to read some new project documentation, you might be more disposed to click on the attachment.

Time pressure

One of the most frequent psychological manipulation techniques is to create a sense of urgency. When making an informed, rational decision, it’s usually a good idea to examine the relevant information in detail. And that takes time. It is this precious commodity that scammers try to deny their victims.

Manipulators arouse fear (“An attempt was made to access your account. If this was not you, click this link immediately…”) or hunger for easy money (“Only the first ten clickers get the discount, don’t miss out…”). When the clock appears to be ticking, the probability of succumbing to instinct and making an emotional decision instead of a rational one is greatly increased.

Messages that shout “urgent” and “important” are in this category. Relevant words are often highlighted red, the color of danger, to heighten the effect.

Automatisms

In psychology, automatisms are actions taken without the direct involvement of the conscious mind. Automatisms can be primary (innate, never requiring conscious thought) or secondary (learned actions that once passed through consciousness but no longer need it). Further still, automatisms are categorized as motor, speech, or mental.

Cybercriminals try to trigger automatisms when sending messages that in some recipients might produce an automatic response. These include “Failed to deliver e-mail, click to resend”-type messages, annoying newsletters with a temptingly large “Unsubscribe” button, and fake notifications about new comments in social networks. The reaction in this case is the result of secondary motor and mental automatisms.

Unexpected revelations

This is another, fairly common type of manipulation. It exploits the fact that information packaged as an honest admission is perceived less critically than if it were discovered independently.

In practice, this might be a message such as: “We regret to inform you that we have suffered a password leak. Please check to see if you are in the list of those affected.”

What to do

Perception distortions, which unfortunately play into the hands of cybercriminals, are biological. They appeared during the brain’s evolution to help us adapt to the world and save time and energy. In large part, the distortions arise out of a lack of critical-thinking skills, and many adaptations are ill-suited to modern realities. But never fear, manipulation can be resisted by knowing a bit about the human psyche, and following a few simple tips:

  1. Make it a rule to read messages from higher-ups with a critical eye. Why is your boss asking you to open a password-protected archive and sending the key in the same e-mail? Why would a manager with account access ask you to transfer money to a new partner? Why would anyone assign a nonstandard task by e-mail instead of by phone as usual? If something looks odd, clarify things using a different communication channel.
  2. Don’t react immediately to messages demanding urgent action. Stay cool, even if the content of the message has got you shaking. Be sure to check the sender, domain, and link before clicking anything. If still in doubt, get in touch with IT.
  3. If you notice a tendency on your part to automatically respond to some types of messages, try to run through your typical sequence of actions, but consciously. This can help to de-automatize your response — the key is to activate the conscious mind at the right moment.
  4. Remember our previous tips on how to avoid phishing bait.
  5. Use security solutions with reliable antiphishing technologies. Most intrusion attempts, in this case, will fall at the first hurdle.
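The sender, domain, and link checks in tips 1 and 2, together with the urgency vocabulary from the “Time pressure” section, can be mechanized. The script below is an added example, not part of the original post: it parses a raw e-mail, compares the From and Reply-To domains against the domain you expect internal mail to come from, flags links whose visible text names one host while the href goes to another, and reports pressure words in the subject or body. The trusted domain, the word list, and the sample message (built on reserved `.example` hostnames) are all assumptions made for the demonstration; the “registrable domain” helper is a deliberate two-label simplification. It goes slightly beyond the tips by applying all the checks at once and returning them as a list you can feed into a ticket or a quarantine rule.

```python
"""Triage helper for the 'check the sender, domain, and link' advice (added example)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases drawn from the "Time pressure" section; illustrative, not exhaustive.
URGENCY_WORDS = ("urgent", "immediately", "important", "don't miss out", "only the first")


def registered_domain(host):
    """Crude 'registrable domain': the last two labels of a hostname (enough for this demo)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def body_text(msg):
    """Return (plain_text, html_text) concatenated over all text parts of the message."""
    plain, html = [], []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        (html if part.get_content_subtype() == "html" else plain).append(text)
    return "\n".join(plain), "\n".join(html)


def triage(raw_message, trusted_domain):
    """Return a list of (kind, detail) findings; an empty list means nothing stood out."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Sender domain: does the address match where the display name implies it comes from?
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if registered_domain(from_domain) != registered_domain(trusted_domain):
        findings.append(("sender_domain", f"{display!r} sends from {from_domain!r}, not {trusted_domain!r}"))

    # 2. Reply-To pointing somewhere other than the sender quietly redirects the conversation.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if "@" in reply_addr else ""
    if reply_domain and registered_domain(reply_domain) != registered_domain(from_domain):
        findings.append(("reply_to", f"replies go to {reply_domain!r}, sender is {from_domain!r}"))

    # 3. Links: visible text that names one host while the href resolves to another.
    plain, html = body_text(msg)
    collector = LinkCollector()
    collector.feed(html)
    for text, href in collector.links:
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        actual = urlparse(href).hostname or ""
        if shown and actual and registered_domain(shown) != registered_domain(actual):
            findings.append(("link_mismatch", f"shows {shown!r}, goes to {actual!r}"))

    # 4. Time pressure: urgency vocabulary in the subject or body.
    haystack = (msg.get("Subject", "") + "\n" + plain + "\n" + html).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings


# Constructed sample message (not a real e-mail); all hostnames use the reserved .example TLD.
SAMPLE = """\
From: "Acme IT Support" <it-support@acme-account-check.example>
Reply-To: helpdesk@acme-mailer.example
To: jane@acme.example
Subject: URGENT: unusual sign-in attempt on your account
Content-Type: text/html; charset="utf-8"

<p>An attempt was made to access your account. If this was not you, click
<a href="http://acme.example.login-verify.example/reset">https://sso.acme.example/reset</a>
immediately.</p>
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE, "acme.example"):
        print(f"{kind:14} {detail}")
```

Run it and the sample yields four findings: the sender domain is not the trusted one, the Reply-To diverges from the From domain, the link shows `sso.acme.example` but goes to `login-verify.example`, and the subject and body carry “urgent” and “immediately”. Any one of these is the cue from tip 1 and tip 2 to stop and verify through a different channel rather than click.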