Better resistance to phishing temptation

Phishing, would you fall for it? Turns out you would, PhD research by security specialist Pavlo Burda reveals. In one of his experiments, a whopping one in five TU/e employees responded to a fraudulent email. By studying the interaction between psychosocial and technical aspects of phishing, he hopes organizations and civilians will be better able to arm themselves against cybercriminals. Instead of seeing humans as the weakest link, Burda draws attention to the protective capacity of alert ‘anti-phishers’.

“It can happen to anyone”, Pavlo Burda says to put our minds at ease. And he should know, because over the past years, he conducted in-depth research into the how and why of phishing attacks. On Wednesday, January 24 he will defend his dissertation at the Department of Mathematics and Computer Science. Even though in recent times awareness of the criminal ‘angling’ for confidential information has grown, it can be quite tricky to recognize a phishing email. “You receive an email from a source appearing to be trustworthy at first glance, containing your name and some personal details. It often includes an urgent request to click a certain link, which leads to a fake website. And the details you enter there fall directly into the hands of cybercriminals. The personalized emails and websites often look exactly like the real deal, from a bank, internet provider or parcel shipper, for instance. And what are links for if not to click them?”

Hacking people

But what are the exact elements in a phishing email that get people to click through and leave their details? In his research, Burda decided to study phishing attacks from a psychosocial perspective. “For a long time we’ve thought that we could only combat phishing using a technological solution. Of course it’s good to invest in the development of detection filters and the improvement of machine learning. But everyday email traffic is so large-scale that 99% effectiveness doesn’t cut it. That’s why it’s necessary to look at phishing from multiple angles.”

Burda explains that phishing is a type of social engineering, the manipulation of people to find out confidential information. Cybercriminals tap into various human characteristics, such as fear, curiosity, trust, greed and ignorance. “In the end it’s about hacking people. How can you manipulate someone to do what you want? We’ve homed in on the seven principles of influence conceived by American psychologist Robert Cialdini: persuasion isn’t luck or magic, it’s pure psychology.”

Fraudulent email

And so, Burda took on the guise of a cybercriminal and sent – following a strict and pre-approved protocol of course – a phishing email to around 300 TU/e employees, as well as to an equal number of employees at an international consultancy company. The email was sent out in different versions, each focusing on a different principle of influence. “We specifically investigated tailored phishing, where messages are personalized for large groups of people, often made possible by automated collection of online personal details. In our case, employees received a personalized email from HR asking them for their personal details. Which was more successful than we thought, shockingly so.”

People who had entered employment relatively recently were more likely to disclose their details both in the TU/e and the consultancy group, especially if the email had a lot of authority. For TU/e employees, the combination of authority and strong personalization in particular led to a higher response rate, Burda tells us. “For the consultancy employees, we observed that about thirty percent submitted their details, across all subgroups. For the PhD/postdoc group at TU/e, about twenty percent responded to the fake email, while senior staff members were a bit more careful with ten percent. But these percentages are still way too high. It only takes a dozen responses to infiltrate a network and leave ransomware.”

Burda does see a silver lining. Among the recipients of the fake email, there were also quite a few employees who were extremely fast in figuring out the message was fraudulent. “They immediately took action and notified TU/e’s Computer Emergency Response Team. These ‘anti-phishers’ can be very valuable to an organization. We have to look into smart ways of using their notifications to reduce the number of people that fall victim to a cyberattack.”

Safe clicking

What can you do to better protect yourself against phishing? Burda’s recommendations: “It’s a bit obvious, but always be alert. It’s a good idea to raise awareness of phishing among people who are new at TU/e, for instance through an alertness course; this group is extra vulnerable because they’re not yet completely familiar with the organization. Over the past years, many aspects of IT security at TU/e have improved considerably, for example owing to Multi-Factor Authentication. Of course, there also are a number of simple things you can do yourself to be less appealing to cybercriminals. For one thing, you can use the private setting to protect your personal details as much as possible. When it comes to platforms like LinkedIn, think about which information you want to display publicly and which information should only be accessible to your connections. And even though it’s convenient to quickly browse your mailbox on your phone, because of the small screen you don’t always see data that’s required to determine authenticity. Are you in doubt about a message requesting you to click a certain link? Then it’s better to do so from your laptop than your smartphone. Clicking’s allowed, but be safe about it.”
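The “data that’s required to determine authenticity” Burda refers to is, above all, where a link really goes, which a phone mail client typically hides behind the visible link text. The script below is an added example, not code from Burda’s research or from TU/e: it pulls every link out of an HTML message, shows the real target host next to the visible text, and raises a warning when the text advertises one domain while the href lands on another, or when the organization’s own domain name is merely embedded as a subdomain of somebody else’s domain (the tailored-HR-email pattern described above). The sample message and the domains in it are constructed for this example; `example-university.edu` stands in for an organization’s real domain.

```python
"""Inspect the links in an HTML e-mail body before clicking on them.

Added example (not from the original article or from TU/e). The SAMPLE_HTML
message below is constructed; the domains in it are assumptions, not real hosts.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an "HR" message with two honest links and two deceptive ones.
SAMPLE_HTML = """
<p>Dear colleague, please confirm your details in the HR portal:</p>
<a href="https://hr-portal.example-university.edu/confirm">HR portal</a><br>
<a href="https://example-university.edu.verify-login.example/confirm">https://example-university.edu/hr</a><br>
<a href="https://intranet.example-university.edu.login-check.example/">intranet.example-university.edu</a><br>
<a href="https://www.example-university.edu/it-security">IT security page</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host of a URL or of a bare 'host/path' string ('' if none)."""
    if "://" not in value:
        value = "https://" + value
    return (urlparse(value).hostname or "").lower()


def registrable(host):
    """Crude registrable-domain approximation: the last two labels.
    Assumption: no public-suffix list; real tooling should use one."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text):
    """True when the visible anchor text itself reads as a URL or hostname."""
    return "://" in text or ("." in text and " " not in text)


def assess_links(html, org_domain=None):
    """Return one dict per link: visible text, href, real host, and warnings.

    org_domain (assumed parameter): the organization's genuine domain; when given,
    hrefs that merely embed it as a subdomain of another domain are flagged.
    """
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        href_host = host_of(href)
        warnings = []
        # Check 1: the text shows a URL/host that differs from the real target.
        if looks_like_url(text):
            text_host = host_of(text)
            if registrable(text_host) != registrable(href_host):
                warnings.append(
                    f"visible text points to {text_host} but link goes to {href_host}")
        # Check 2: org domain used as a decoy subdomain of some other domain.
        if org_domain:
            org = org_domain.lower()
            if href_host != org and not href_host.endswith("." + org) and org in href_host:
                warnings.append(
                    f"'{org}' appears inside {href_host}, whose real domain is {registrable(href_host)}")
        report.append({"text": text, "href": href, "host": href_host, "warnings": warnings})
    return report


if __name__ == "__main__":
    for entry in assess_links(SAMPLE_HTML, org_domain="example-university.edu"):
        flag = "WARN" if entry["warnings"] else "ok  "
        print(f"{flag} {entry['text']!r} -> {entry['host']}")
        for w in entry["warnings"]:
            print(f"       {w}")
```

Run stand-alone it prints the four links; the two that borrow the organization’s name get two warnings each, the two genuine ones none. The registrable-domain helper is deliberately simplistic (two labels), so for hosts under suffixes such as `co.uk` substitute a public-suffix-list library before relying on it.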
