Canadian Cyber Security Journal
SOCIAL:
Filed under: TechTalk

You’re just as good as a cybersecurity expert at spotting a phishing email

An employee at MacEwan University got an email in 2017 from someone claiming to be a construction contractor asking to change the account number where almost $12 million in payments were sent. A week later the actual contractor called asking when the payment would arrive. The email about the account number change was fake. Instead of going to the contractor, the payments were sent to accounts controlled by criminals.

Fake emails that try to get people to do things they wouldn’t normally do, such as send money, run dangerous programs or give out passwords, are known as phishing emails. Cybersecurity experts often blame the people who receive such messages for not noticing that the emails are fake.

An employee at MacEwan University got an email in 2017 from someone claiming to be a construction contractor asking to change the account number where almost $12 million in payments were sent. A week later the actual contractor called asking when the payment would arrive. The email about the account number change was fake. Instead of going to the contractor, the payments were sent to accounts controlled by criminals.

Fake emails that try to get people to do things they wouldn’t normally do, such as send money, run dangerous programs or give out passwords, are known as phishing emails. Cybersecurity experts often blame the people who receive such messages for not noticing that the emails are fake.

How the pros do it

In earlier research, I found that when cybersecurity experts received a phishing email message, they, like most people, assumed the email was real. They initially took everything in the email at face value. They tried to figure out what the email was asking them to do, and how it related to things in their life.

As they read, they noticed small things that seemed off, or different from what would typically be in similar email messages. They noticed things like typos in a professional email, or the lack of typos from a busy executive. They noticed things like a bank providing account information in an email message instead of the standard notification that the recipient had a message waiting for them in the bank’s secure messaging system. They also noticed things like someone uncharacteristically emailing them without mentioning it in person first.

But noticing these signs isn’t enough to figure out the email is a fraud. Instead, the experts just became uncomfortable with the email message. It wasn’t until they saw something in the message that reminded them of phishing that they became suspicious. They would see an anomaly like a link that the email was trying to get them to click. In their minds, these are commonly associated with phishing emails.

Combined with the uncomfortable feeling about the email message, this reminder prompted the experts to recognize that phishing might explain the weird things they noticed. They became suspicious of the message and investigated to figure out if it was a fraud.

Good instincts

If that’s how experts do it, then what do regular people do? When I interviewed people without computer security experience, I found a similar process. Most people noticed things that seemed off, became uncomfortable with the email, remembered about phishing and investigated.

My research found that people are good at the first two steps: noticing things in the email that seem weird, and becoming uncomfortable. Almost everyone I talked to noticed multiple problems when they saw a fake email, and told me about feeling uncomfortable with the message.You’re just as good as a cybersecurity expert at spotting a phishing email

And if people thought about phishing, they were also good at investigating. Instead of looking at technical details, though, most people either contacted the sender or asked others for help. But they were still able to correctly figure out whether an email message was a phishing attack.

How the pros do it

Most people I interviewed know about phishing in general. But the people who were good at noticing phishing messages reported stories about specific phishing incidents they had heard about. They told me about a time when someone at their organization fell for a phishing email, or about a news story of an incident like the one at MacEwan University.

Familiarity with specific phishing incidents helps people remember phishing generally and recognize that it might explain the weird things they notice in an email. These stories are key to people going from “something’s fishy” to “is this phishing?”

Enjoy this article? Don’t forget to share.