What persuasion techniques are generally employed in phishing e-mails?

Written by Davide Andreoletti, SUPSI

In this post we discuss which persuasion techniques are most influential in phishing e-mails.

Social engineering aims at manipulating users into performing actions they would not otherwise take, and which often lead to a data breach. Social engineering techniques are therefore deeply rooted in psychology and, in particular, in persuasion. Persuasion techniques have been widely studied in the literature, e.g. in marketing[1] and politics[2].

A reference taxonomy of the main persuasion techniques was proposed by the psychologist Robert Cialdini, who categorized them into six principles[3]: reciprocation, consistency, liking, social proof, scarcity and authority.

We briefly describe each of them here:

  • Reciprocation: people tend to return a favour
  • Consistency: people tend to act in line with commitments, ideas and goals they have already expressed
  • Liking: people tend to be persuaded by people they like, or who appear to like them
  • Social proof: people tend to conform to what most other people are doing
  • Scarcity: people tend to desire what is perceived as scarce
  • Authority: people tend to obey authoritative figures

Phishing e-mails are a widely used social engineering attack vector: malicious e-mails crafted to appear genuine and legitimate. It is an effective and easy-to-implement attack. Getting the victim to click a malicious link or to open a dangerous attachment are among the typical goals pursued by means of phishing e-mails. A particularly insidious subcategory of phishing is spear phishing, where the content of the e-mail is tailored to a specific victim.

From the analysed literature, it emerges that there is no general consensus on the use of persuasion principles in phishing. For example, the authors of[4] argue that reciprocation, consistency and liking are not well suited to this attack, since they require a mutual interaction between attacker and victim, which is absent in phishing. On the other hand, the authors of[5] state that all the principles have a significant impact on the success of the attack.

In spite of this disagreement, some trends clearly emerge: for instance, authority is the most common and the most effective persuasion technique[5]. In particular, it has been shown that the efficacy of the message improves significantly when the e-mail appears to be sent by an authoritative member of the organization to which the victim belongs (e.g. the CEO of a company). This result is consistent with other papers[6] that do not focus on social engineering. Moreover, [7] shows that authority is the strategy that most influences the ability to judge whether a link is safe or not, while social proof is the least effective[7].
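The two findings above, that authority is the most effective principle and that impersonating a senior member of the victim's own organization amplifies it, translate directly into a triage heuristic for incoming mail. The following is an added example written for this post; it is not code from DOGANA or from the cited papers. It tags a message with the Cialdini principles its text appears to draw on and checks whether the From: display name matches a known executive while the address is external, the classic CEO-fraud pattern. The executive roster, the internal domain, the cue phrases and both sample messages are constructed for the demo and would be tuned from real samples in practice.

```python
"""Heuristic triage of an e-mail for persuasion cues and executive impersonation.

Added example, not DOGANA project code. The roster, domain, cue phrases and
sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation data the heuristic is configured with.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "CEO", "mark lee": "CFO"}  # constructed roster

# Phrases that signal each Cialdini principle. Deliberately short: a real
# deployment would extend these from observed phishing samples.
CUES = {
    "authority": [r"\bCEO\b", r"\bCFO\b", r"\bdirector\b", r"\bI need you to\b",
                  r"\bper my instructions\b", r"\bcompliance\b"],
    "scarcity": [r"\burgent\b", r"\bimmediately\b", r"\bwithin \d+ (?:hour|minute)s?\b",
                 r"\bexpires?\b", r"\blast chance\b"],
    "social proof": [r"\beveryone (?:else )?has\b", r"\bmost (?:of your )?colleagues\b",
                     r"\ball staff have\b"],
    "reciprocation": [r"\bas a thank[- ]you\b", r"\bwe(?:'ve| have) (?:already )?done\b"],
    "liking": [r"\bdear friend\b", r"\bgreat working with you\b"],
    "consistency": [r"\bas you agreed\b", r"\bas (?:you )?previously confirmed\b"],
}


def persuasion_cues(text):
    """Return {principle: [matched phrases]} for each principle with at least one hit."""
    hits = {}
    for principle, patterns in CUES.items():
        found = []
        for pat in patterns:
            found += [m.group(0) for m in re.finditer(pat, text, re.IGNORECASE)]
        if found:
            hits[principle] = found
    return hits


def executive_impersonation(from_header):
    """Return the executive's role when the display name is on the roster but the
    address domain is not internal, else None."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    role = EXECUTIVES.get(name.strip().lower())
    if role and domain not in INTERNAL_DOMAINS:
        return role
    return None


def triage(raw_message):
    """Score a raw RFC 822 message; sample messages are single-part plain text."""
    msg = message_from_string(raw_message)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    cues = persuasion_cues(text)
    impersonated = executive_impersonation(msg.get("From", ""))
    # Weight authority highest, as the literature reports it to be the most
    # effective principle, and weight the authority + scarcity pairing typical
    # of CEO-fraud mails on top of that.
    score = len(cues)
    if impersonated:
        score += 3
    if "authority" in cues and "scarcity" in cues:
        score += 2
    verdict = "suspicious" if score >= 4 else "review" if score >= 2 else "low"
    return {"cues": cues, "impersonated_role": impersonated,
            "score": score, "verdict": verdict}


# Constructed sample messages (not real phishing samples).
CEO_FRAUD = """From: Jane Doe <jane.doe@example-mail.net>
To: accounts@example.com
Subject: Urgent wire

I need you to process a vendor payment immediately. Our CEO approval is already
in place; the transfer must go out within 2 hours or the deal expires.
"""

BENIGN = """From: Alice Smith <alice@example.com>
To: bob@example.com
Subject: Lunch

Shall we grab lunch on Thursday? Same place as last time.
"""

if __name__ == "__main__":
    for sample in (CEO_FRAUD, BENIGN):
        print(triage(sample))
```

The cue lists are the weak part of any such heuristic and will produce false positives on legitimate urgent mail; the display-name check is the more robust signal, because it keys on the organization's own roster rather than on wording. Scanning the Subject: line together with the body matters, since attackers often put the scarcity cue ("Urgent") in the subject alone.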


[1] Kirmani, Amna, and Margaret C. Campbell. "Goal seeker and persuasion sentry: How consumer targets respond to interpersonal marketing persuasion." Journal of Consumer Research 31.3 (2004): 573-582.

[2] Sanders, Karen. Communicating politics in the twenty-first century. Palgrave Macmillan, 2008.

[3] Cialdini, Robert B. Influence. Vol. 3. A. Michel, 1987.

[4] Butavicius, Marcus, et al. "Breaching the Human Firewall: Social engineering in Phishing and Spear-Phishing Emails." arXiv preprint arXiv:1606.00887 (2016).

[5] Akbar, Nurul. "Analysing persuasion principles in phishing emails." (2014).

[6] Milgram, Stanley, and Christian Gudehus. "Obedience to authority." (1978).

[7] Butavicius, Marcus, et al. "Breaching the Human Firewall: Social engineering in Phishing and Spear-Phishing Emails." arXiv preprint arXiv:1606.00887 (2016).

This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618
