It was revealed recently that Google blocks roughly 100 million phishing attacks on Gmail users every day. Phishing scams fall into three main categories: highly targeted but low-volume spear phishing aimed at specific individuals, “boutique phishing” that targets only a few dozen people, and automated bulk phishing directed at thousands or hundreds of thousands of people.
At a briefing on Wednesday evening at the Black Hat Security Conference in Las Vegas, Google Security Researcher Elie Bursztein and University of Florida Security Professor Daniela Oliveira shared insights about the human factors that make us fall for such scams.
During the presentation Oliveira explained, “When we are in a good mood, our deception-detection accuracy tends to decline.” She cited research showing that increased levels of such feeling-good hormones as oxytocin, serotonin, and dopamine increase people’s risk-taking appetite. But a jump in cortisol levels associated with stress makes us warier.
Oliveira outlined three common persuasive tactics in phishing invitations:
1. Imitating a perceived authority (do you really want to ignore that urgent email from your boss?)
2. Offering financial gain/warning of financial loss
3. Appealing to the recipient’s emotions
But I'm OK because I have 2FA?
Not entirely. Prior Google research showed that SMS verification, one of the most common forms of Two-Factor Authentication (2FA), can defeat larger-scale phishing but not the most targeted sort. While it worked against 96% of boutique phishing (targeting a few people) attempts, it only prevailed against 76% of highly targeted spear-phishing attacks. This is because advanced phishing pages ask the targeted user to enter the code texted to their phone, then use that second credential to complete the account takeover before the code expires.
What does this actually look like?
Watch the video of a demo phishing attack below, created by one of our technical experts, to help understand just how easy it can be.
Improve your resilience
The best way to close this gap is to check, with vigilance, the links that are sent to you. Bridgeway's technical expert and certified Ethical Hacker Martin Hodgson says: "There’s no doubt that phishing has significantly advanced over the years and because social engineering involves a human element, preventing these attacks can be tricky. I agree with Google that SMS verification is no silver bullet and can be quite easily bypassed. Technically, it’s not that difficult to carry out such an attack.”
"End-user training remains a key factor and it’s vital that mobile security best practices be part of any cyber awareness programme. As humans, we behave quite differently interacting with these small devices. Most of us have our phones with us 24/7 and we’re often more distracted when we receive phishing messages on mobile, which makes us less likely to apply the correct security hygiene."
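The advice above to check links before acting on them can be partly automated. The following Python example is added here and is not code from the original post or from Bridgeway; it parses the anchors in a constructed sample email body and flags the warning signs a trained user would look for: a visible URL whose host differs from the real `href`, a punycode (IDN lookalike) hostname, a non-HTTPS link, and any registrable domain outside an assumed allowlist (`TRUSTED_DOMAINS`, a hypothetical value chosen for the demonstration). The two-label domain extraction is a deliberate simplification; production code should consult the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of domains the organisation expects mail to link to.
TRUSTED_DOMAINS = {"google.com"}

# Constructed sample email body for the demonstration (not a real message):
# link 1 is consistent, link 2 displays one host but points at another,
# link 3 uses a punycode hostname that renders as a lookalike in some clients.
SAMPLE_HTML = """
<p>Your account needs attention.</p>
<a href="https://accounts.google.com/signin">https://accounts.google.com/signin</a>
<a href="https://accounts-google.com.example.net/login">https://accounts.google.com/security</a>
<a href="https://xn--ggle-0nda.com/verify">Verify now</a>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (simplified; real code should use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the list of reasons this link deserves suspicion (empty if none)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        reasons.append("not https")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) hostname")
    domain = registrable_domain(host)
    if domain not in trusted:
        reasons.append(f"domain {domain} not in allowlist")
    # Visible text that looks like a URL but resolves elsewhere is the classic deception.
    if text.startswith(("http://", "https://")):
        shown_host = urlparse(text).hostname or ""
        if registrable_domain(shown_host) != domain:
            reasons.append(f"displayed {shown_host} but links to {host}")
    return reasons


def inspect_email(html, trusted=TRUSTED_DOMAINS):
    """Parse an HTML email body and return (href, text, reasons) for every anchor."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, inspect_link(href, text, trusted)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, reasons in inspect_email(SAMPLE_HTML):
        verdict = "OK" if not reasons else "SUSPICIOUS: " + "; ".join(reasons)
        print(f"{href!r} (shown as {text!r}) -> {verdict}")
```

Run against the constructed body, the first link passes cleanly, the second is flagged for displaying `accounts.google.com` while linking to an `example.net` host, and the third is flagged for its punycode hostname and unknown domain. A mail gateway or client plug-in could surface these reasons to the user at the moment of the click, which is exactly when the mood and distraction effects described earlier make unaided judgement least reliable.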