What persuasion techniques are generally employed in phishing e-mails?

Written by Davide Andreoletti, SUPSI

In this post we discuss what are the most influential persuasion techniques in phishing e-mails.

Social Engineering aims at manipulating users into performing undesirable actions, which likely lead to a data breach. Therefore, social engineering techniques are deeply rooted in psychology and, in particular, in persuasion techniques. Persuasion techniques have been widely studied in the literature, e.g., concerning marketing[1] and politics[2].

A reference taxonomy of the main persuasion techniques has been proposed by the famous psychologist Robert Cialdini, who attempted to categorize them in 6 principles[3], namely reciprocation, consistency, liking, social proof, scarcity and authority.

We briefly describe each of them here:

  • Reciprocation: people tend to return a favour
  • Consistency: people tend to act according to their ideas and goals
  • Liking: people tend to be persuaded by people who show to love them
  • Social proof: people tend to conform to what most of the other people are doing
  • Scarcity: people tend to desire what is perceived as scarce
  • Authority: people tend to obey authoritative figures

Phishing E-mails are a widely-used social engineering attack vector, which consists in crafting malicious e-mails that are aimed at appearing genuine and legitimate. It is an effective and easy-to-implement attack. Clicking on a malicious link, or opening a dangerous attachment are among the typical goals pursued by means of phishing e-mails. A particularly insidious subcategory of phishing is that of spear phishing, where the content of the e-mails is tailored to a specific victim.

From the analysed literature, it emerges that there is not a general consensus on the use of persuasion principles in phishing. For example, the authors of the work[4] say that reciprocation, consistency and liking are not well-suited for such attack, since they require a mutual interaction between attacker and victim, which is absent in phishing. On the other hand, the authors of[5] state that all the principles have a significant impact on the success of the attack.  

In spite of this disagreement, some trends clearly emerge: for instance, authority is the most common and the most effective persuasion technique5. In particular, it has been shown that the efficacy of the message is significantly improved when the e-mail seems to be sent from an authoritative member of the organization to which the victim belongs (e.g. CEO of a company). This result is consistent with other papers[6] which do not focus on Social Engineering.  Moreover, in[7] it has been shown that authority is the strategy that influences the most the ability to judge a link as safe or not. On the opposite, the social proof is the least effective7.


[1] Kirmani, Amna, and Margaret C. Campbell. "Goal seeker and persuasion sentry: How consumer targets respond to interpersonal marketing persuasion." Journal of Consumer Research 31.3 (2004): 573-582.

[2] Sanders, Karen. Communicating politics in the twenty-first century. Palgrave Macmillan, 2008.

[3] Cialdini, Robert B. Influence. Vol. 3. A. Michel, 1987.

[4] Butavicius, Marcus, et al. "Breaching the Human Firewall: Social engineering in Phishing and Spear-Phishing Emails." arXiv preprint arXiv:1606.00887 (2016).

[5] Akbar, Nurul. "Analysing persuasion principles in phishing emails." (2014).

[6] Milgram, Stanley, and Christian Gudehus. "Obedience to authority." (1978).

[7] Butavicius, Marcus, et al. "Breaching the Human Firewall: Social engineering in Phishing and Spear-Phishing Emails." arXiv preprint arXiv:1606.00887 (2016).


by Davide Andreoletti (SUPSI)


This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618




The DOGANA phishing videogame

Want to try it?
Read more here and contact us


Phishing: awareness through play

Want to try it?
Read more here and contact us


Contraband pixels and texts
Read all about our liteary-graphic competition on phishing and social engineering

All the pictures and novels