In real life, there are a lot of times we love the element of surprise. It could be that shocking twist at the end of a movie that changes everything; the last minute upset that puts our favorite team ahead in the ninth inning; or an unexpected birthday gift that we never saw coming. But in the online world, we don’t anticipate surprises; we want everything working just as it should, every time—and we expect it to. That’s just what phishers are counting on when executing phishing scams; phishing works by taking people by surprise.
The Element of Surprise and Why Phishing Works
Users often fall victim to phishing attacks not because they’re uneducated or lazy—quite the opposite. Most already know about phishing but are focused on being productive; they’re not expecting to be phished. It’s estimated that over 150 million phishing emails are sent every day, so even if someone successfully avoids one phishing scam, another will soon be on its way. “We can't expect users to remain vigilant all the time…” says Kate R of the National Cyber Security Center. “Being aware of the threat from phishes whilst at your desk is hard enough. But phishing can happen anywhere and anytime, and people respond to emails on their phones and tablets, and outside core hours. Clicks happen.”
Phishers count on this. Here are four examples of how phishing works by taking people by surprise:
Long links are an eyesore, which led to the creation of link-shortening tools like Bitly. But a shortened link masks the real domain name, so phishers take advantage of this and insert shortened links into emails and even social media posts, catching people off guard with malware. Read more about shortened URLs: Beware of Shortened URLs in Phishing Scams
Even if they continue to fall for them, most people are aware of email phishing attacks. Where they’re not expecting to be phished is in communication channels such as Slack. But phishers have been known to find vulnerabilities in these channels, exploit them, and hook people in a channel they thought was safe. Read more about Slack attacks: Slack: Phishing Attacks Go Beyond Just Emails.
Business Email Compromise phishing, or BEC, targets lower-level employees by pretending to be a member of the executive team and requesting money transfers or sensitive information. Most people don’t want to question the higher-ups, so they oblige. Then, surprise! The request didn’t come from a superior at all, but rather from a very sneaky phisher. Read more about BEC: 3 Essential Things You Need to Know About a BEC Attack.
Many people respond to dozens of emails per day, so when they receive an “urgent request” (whether it’s from a vendor, an account, or even UPS), it takes them by surprise and they tend to click on the link without thinking. Read more about urgent notifications: 4 Tips for How to Identify Phishing Emails.
Eliminating the Element of Surprise to Combat Phishing Scams
Surprise attacks in real life have proven all too successful, leaving devastation in their wake and costing companies billions of dollars. One way to combat phishers, and remove the element of surprise, is with anti-phishing software such as Clearedin.
Clearedin knows how phishing works; it analyzes emails and links, red-flagging and locking those that are deemed suspicious. It informs recipients of the reasons for the notification, so they can determine whether they want to unlock it or not. By red-flagging the email and stating why, it gives them pause—a “speed bump,” so to speak—that gets them to think about what they’re doing before they do it. This quick interruption to their auto-pilot allows them to quickly assess their own action before they can engage with a phishing attack.
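To make the “speed bump” idea concrete, here is an added example (written for this article, not Clearedin’s own code or product logic) of a small inbound-email check that looks for the surprise patterns described above: shortened links that hide the destination domain, link text that names one site while the link points to another, a sender display name that matches an executive but comes from the wrong address, and urgent wording. Instead of silently dropping the message, it returns a verdict plus plain-language reasons that can be shown to the recipient. The shortener list, urgency phrases, internal domain, executive directory and the sample emails are all constructed for the example.

```python
"""
Heuristic "speed bump" check for inbound email.

Added example, not Clearedin's code. It flags the surprise patterns
discussed in the article and returns human-readable reasons so the
recipient can decide whether to unlock the message.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed, non-exhaustive list of public link-shortener hosts (assumption).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Constructed phrases that commonly appear in "urgent request" lures.
URGENCY_PHRASES = (
    "urgent", "immediately", "within 24 hours",
    "account suspended", "action required", "wire transfer",
)

# Hypothetical organization data; a real deployment reads these from a directory.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


@dataclass
class Link:
    text: str   # visible anchor text as the recipient sees it
    href: str   # actual target URL


@dataclass
class Email:
    sender_name: str
    sender_addr: str
    subject: str
    body: str
    links: list = field(default_factory=list)


def host_of(url):
    """Return the lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def registrable(host):
    """Crude registrable domain (last two labels); a real check uses the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze(email):
    """Return a list of reasons the message looks suspicious (empty list means clean)."""
    reasons = []

    for link in email.links:
        target = host_of(link.href)
        # 1. Shortened URLs hide where the click really goes.
        if target in SHORTENER_HOSTS:
            reasons.append(f"link to {target} is a shortened URL; the real destination is hidden")
        # 2. Visible text names one domain, the link points at another.
        m = re.search(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", link.text.lower())
        if m and target and registrable(m.group(1)) != registrable(target):
            reasons.append(f"link text mentions {m.group(1)} but points to {target}")

    # 3. BEC-style impersonation: executive's name, but not their directory address.
    name = email.sender_name.strip().lower()
    if name in EXECUTIVES and email.sender_addr.lower() != EXECUTIVES[name]:
        reasons.append(
            f"display name '{email.sender_name}' matches an executive "
            f"but the address {email.sender_addr} is not theirs"
        )

    # 4. Urgency pressure in subject or body.
    text = (email.subject + " " + email.body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgent wording: " + ", ".join(hits))

    return reasons


def verdict(email):
    """'locked' with reasons when anything was flagged, otherwise 'delivered'."""
    reasons = analyze(email)
    return ("locked" if reasons else "delivered", reasons)


# Constructed sample messages for demonstration.
SAMPLE_BEC = Email(
    sender_name="Jane Doe", sender_addr="jane.doe@example-mail.net",
    subject="Urgent wire transfer",
    body="Please process this immediately. I'm in a meeting, don't call.",
)
SAMPLE_SHORTLINK = Email(
    sender_name="Parcel Service", sender_addr="notice@parcel-alerts.example",
    subject="Action required: delivery on hold",
    body="Your package could not be delivered.",
    links=[Link(text="track at ups.com", href="https://bit.ly/abc123")],
)
SAMPLE_CLEAN = Email(
    sender_name="Bob", sender_addr="bob@example.com",
    subject="Lunch?", body="Want to grab lunch Friday?",
    links=[Link(text="menu", href="https://example.com/menu")],
)

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_SHORTLINK, SAMPLE_CLEAN):
        status, why = verdict(sample)
        print(f"{sample.subject!r}: {status}")
        for r in why:
            print("  -", r)
```

The point of returning reasons rather than a bare score is the interruption the article describes: a message held with “this link goes to bit.ly, the real destination is hidden” gives the recipient something concrete to weigh before unlocking it. The heuristics are deliberately simple and will miss lures that avoid these patterns, so in practice they sit alongside sender authentication and URL reputation rather than replacing them.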