What persuasion techniques are generally employed in phishing e-mails?
- Category: Social Engineering
- Published: Monday, 08 May 2017 11:19
Written by Davide Andreoletti, SUPSI
In this post we discuss which persuasion techniques are the most influential in phishing e-mails.
Social Engineering aims at manipulating users into performing undesirable actions, which are likely to lead to a data breach. Social engineering techniques are therefore deeply rooted in psychology and, in particular, in persuasion techniques. Persuasion techniques have been widely studied in the literature, e.g., in marketing [1] and politics [2].
A reference taxonomy of the main persuasion techniques has been proposed by the psychologist Robert Cialdini, who categorized them into 6 principles [3], namely reciprocation, consistency, liking, social proof, scarcity and authority.
We briefly describe each of them here:
- Reciprocation: people tend to return a favour
- Consistency: people tend to act according to their ideas and goals
- Liking: people tend to be persuaded by those who appear to like them
- Social proof: people tend to conform to what most of the other people are doing
- Scarcity: people tend to desire what is perceived as scarce
- Authority: people tend to obey authoritative figures
Phishing e-mails are a widely used social engineering attack vector, consisting of malicious e-mails crafted to appear genuine and legitimate. It is an effective and easy-to-implement attack. Getting the victim to click on a malicious link or to open a dangerous attachment is among the typical goals pursued by means of phishing e-mails. A particularly insidious subcategory of phishing is spear phishing, where the content of the e-mail is tailored to a specific victim.
From the analysed literature, it emerges that there is no general consensus on the use of persuasion principles in phishing. For example, the authors of [4] argue that reciprocation, consistency and liking are not well suited to such attacks, since they require a mutual interaction between attacker and victim, which is absent in phishing. On the other hand, the authors of [5] state that all the principles have a significant impact on the success of the attack.
In spite of this disagreement, some trends clearly emerge: for instance, authority is the most common and the most effective persuasion technique [5]. In particular, it has been shown that the efficacy of the message is significantly improved when the e-mail seems to be sent by an authoritative member of the organization to which the victim belongs (e.g. the CEO of a company). This result is consistent with other papers [6] which do not focus on Social Engineering. Moreover, in [7] it has been shown that authority is the strategy that most strongly influences the ability to judge whether a link is safe or not. Conversely, social proof is the least effective [7].
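As an added example (not part of the original post), the following script tags e-mail text with the Cialdini principles it appeals to, so that awareness trainers or triage analysts can see which cue, typically authority combined with scarcity, a suspicious message relies on. The cue lexicon and the sample e-mails are constructed for illustration and are not drawn from the cited studies.

```python
import re
from collections import Counter

# Hypothetical cue lexicon: regexes mapped to Cialdini's six principles.
# Constructed for this example; a real deployment would tune it on its own corpus.
PRINCIPLE_CUES = {
    "authority": [r"\bceo\b", r"\bdirector\b", r"\bit department\b",
                  r"\bcompliance\b", r"\bpolicy requires\b"],
    "scarcity": [r"\bwithin 24 hours\b", r"\blimited time\b", r"\bexpires?\b",
                 r"\bimmediately\b", r"\blast chance\b"],
    "social proof": [r"\beveryone\b", r"\ball (other )?employees\b",
                     r"\bmost (of your )?colleagues\b"],
    "reciprocation": [r"\bas a thank you\b", r"\bwe have credited\b", r"\bfree gift\b"],
    "consistency": [r"\bas you requested\b", r"\bas agreed\b", r"\bcontinue your\b"],
    "liking": [r"\bdear friend\b", r"\bwe value you\b", r"\bpersonally\b"],
}

# Constructed sample messages: a CEO-style pressure mail, a "everyone did it"
# survey lure, and a benign internal note with no persuasion cues.
SAMPLE_EMAILS = {
    "ceo_pressure": ("From the desk of the CEO: compliance policy requires you to "
                     "approve the attached invoice within 24 hours. Reply immediately."),
    "survey_lure": ("Everyone in the team has already completed the survey; "
                    "most of your colleagues finished it in two minutes."),
    "benign_note": "Hi team, the minutes from yesterday's meeting are attached. Thanks, Anna",
}


def score_principles(text):
    """Count cue hits per principle in one e-mail body (case-insensitive)."""
    lowered = text.lower()
    hits = Counter()
    for principle, patterns in PRINCIPLE_CUES.items():
        hits[principle] = sum(len(re.findall(p, lowered)) for p in patterns)
    return hits


def dominant_principle(text):
    """Return the principle with the most cue hits, or None if no cue matched."""
    hits = score_principles(text)
    if sum(hits.values()) == 0:
        return None
    return hits.most_common(1)[0][0]


if __name__ == "__main__":
    for name, body in SAMPLE_EMAILS.items():
        print(f"{name}: dominant={dominant_principle(body)} hits={dict(score_principles(body))}")
```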
[1] Kirmani, Amna, and Margaret C. Campbell. "Goal seeker and persuasion sentry: How consumer targets respond to interpersonal marketing persuasion." Journal of Consumer Research 31.3 (2004): 573-582.
[2] Sanders, Karen. Communicating politics in the twenty-first century. Palgrave Macmillan, 2008.
[3] Cialdini, Robert B. Influence. Vol. 3. A. Michel, 1987.
[4] Butavicius, Marcus, et al. "Breaching the Human Firewall: Social engineering in Phishing and Spear-Phishing Emails." arXiv preprint arXiv:1606.00887 (2016).
[5] Akbar, Nurul. "Analysing persuasion principles in phishing emails." (2014).
[6] Milgram, Stanley, and Christian Gudehus. "Obedience to authority." (1978).
[7] Butavicius, Marcus, et al. "Breaching the Human Firewall: Social engineering in Phishing and Spear-Phishing Emails." arXiv preprint arXiv:1606.00887 (2016).