Skip to content

Why we Keep Falling for Phishing

2 min read

It was revealed recently that Google block roughly 100 million phishing attacks on Gmail users every day. The types of phishing scams fall into three main categories: highly targeted but low-volume spear phishing aimed at distinct individuals, “boutique phishing” that targets only a few dozen people, and automated bulk phishing directed at thousands or hundreds of thousands of people.


At a briefing on Wednesday evening at the Black Hat Security Conference in Las Vegas, Google Security Researcher Elie Bursztein and University of Florida Security Professor Daniela Oliveira shared insights about the human factors that make us fall for such scams.

During the presentation Oliveira explained, “When we are in a good mood, our deception-detection accuracy tends to decline.” She cited research showing that increased levels of such feeling-good hormones as oxytocin, serotonin, and dopamine increase people’s risk-taking appetite. But a jump in cortisol levels associated with stress makes us warier.

Oliveira outlined three common persuasive tactics in phishing invitations:

1. Imitating a perceived authority (do you really want to ignore that urgent email from your boss?)

2. Offering financial gain/warning of financial loss

3. Appealing to the recipient’s emotions

But I'm OK because I have 2FA?

Not entirely. Prior Google research showed that SMS verification, one of the most commons forms of Two-Factor Authentication (2FA), can defeat larger-scale phishing but not the most targeted sort. While it worked against 96% of boutique phishing (targeting a few people) attempts, it only prevailed against 76% of highly targeted spear-phishing attacks. This is because advanced phishing pages ask the target users to enter a code texted to their phone, but then use that second credential to validate their account takeover before it expires.

What does this actually look like?

Watch the video of a demo phishing attack below, created by one of our technical experts, to help understand just how easy it can be.

HubSpot Video

Improve your resilience

The best way to combat this gap is to check the links that are being sent to you with vigilance. Bridgeway's technical expert and certified Ethical Hacker Martin Hodgson says: "There’s no doubt that phishing has significantly advanced over the years and because social engineering involves a human element, preventing these attacks can be tricky. I agree with Google that SMS verification is no silver bullet and can be quite easily bypassed. Technically, it’s not that difficult to carry out such an attack”

"End-user training remains a key factor and it’s vital that mobile security best practices be part of any cyber awareness programme. As humans, we behave quite differently interacting with these small devices. Most of us have our phones with us 24/7 and we’re often more distracted when we receive phishing messages on mobile, which makes us less likely to apply the correct security hygiene."

cyber security training offer



Latest Blogs

Visit the blog

Overcoming the Most Pressing Challenges CISOs Face Today

It’s no secret that CISOs have some of the toughest roles in any organisation, especially with the...

Read More

How to Calculate a Return on Investment (ROI) of Cyber Security

Cyber security is a minefield for many, not just in terms of its intricacies and ever-changing...

Read More

6 Ways Cyber Security Can Be Improved at Your Company

We know the old ways of working, well, don’t work — and they call for innovative, forward-thinking...

Read More

7 Business Growth Benefits of Cyber Security You Should Know

All organisations understand that cyber security is now an essential expense, helping companies cut...

Read More

The Pros and Cons of a Cost-Benefit Analysis Approach to Cyber Security

The cost-benefit analysis approach to cyber security is perhaps the most popular in helping prove...

Read More

Let's Talk

Get on a first-name basis with the Bridgeway team. Let’s chat about your organisational objectives and any critical cyber security concerns you need to cover.

Let's talk