Phishing psychology: The prevalence effect

Cybercriminals have long used psychology as a tool of deception. But we can also use psychological phenomena to explain why certain criminal methods work — and to help frame the right protection strategy. Many psychologists analyze attack schemes and the reasons they are effective. Today we examine a hypothesis that attempts to explain why, despite the potency of antiphishing technologies, e-mail traps still claim victims and can cause significant damage. And, most importantly, we discuss what to do about it.

Antispam and antiphishing measures are key components of any company’s online security. When investigating cyberincidents, our experts typically find that the problem began with an e-mail, regardless of whether it’s a mass mailing or a targeted attack. These days, mail filters can identify typical phishing e-mails with a high degree of certainty, yet attackers still sometimes manage to break through (for example, by hijacking a partner’s mailbox) and deliver the message to a human victim, always the weakest link. And the more effective the filters are, the greater the chances that the breakthrough message will also fool the user.

The experiment

The existence of a direct correlation between the frequency of malicious e-mails and their successful identification by users was hypothesized by two U.S. researchers — Ben D. Sawyer of the Massachusetts Institute of Technology and Peter A. Hancock of the University of Central Florida. They based their theory on the “prevalence effect,” long known in psychology, which essentially states that a person is more likely to miss (or not detect) a signal that is less common than a signal that occurs frequently.

The researchers decided to test it in practice by conducting an experiment in which participants were sent e-mails, some of which contained malicious attachments. The percentage of malicious e-mails varied for each participant — for some, only 1% had malware in the attachment, for others 5% or 20%. The result confirmed their hypothesis that the less often a threat occurs, the more difficult it is for people to spot it. Moreover, the dependence is not even linear, but closer to logarithmic.

We should note that the experiment used a fairly small sample (33 subjects), and all participants were students, so it would be premature to blindly accept the conclusion. But in psychology, the prevalence effect is generally considered proven, so why shouldn’t it apply to phishing e-mails? In any event, Sawyer and Hancock promise to refine their hypothesis by subjecting it to more rigorous tests.

The researchers have suggested a possible explanation of the phenomenon involving increased trust in the safety of the system. Essentially, they suggest antiphishing technologies simultaneously protect users from threats and lull their vigilance. Incidentally, the researchers also postulate that cybercriminals may know about the effect and thus deliberately send malware less frequently.

Practical conclusions

As you might guess, we do not advocate abandoning automated security systems. However, if Sawyer and Hancock’s hypothesis is correct, then it is possible that users could benefit from the occasional encounter with a phishing e-mail. Not a real one, of course.

Kaspersky Automated Security Awareness Platform, our solution for training employees of companies of all sizes in cybersecurity, lets you periodically check how well trainees are picking up the skills. As part of the checks, they receive simulated phishing e-mails and must respond correctly. This will help keep employees on their toes, so they don’t forget what phishing looks like.

Even if the theory is ultimately discredited, such e-mails will do no harm. At the very least, the training manager will know who the weakest links are.
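To make the check described above concrete, here is an added Python example (not from the original post and not code from the Kaspersky product it mentions) that scores a constructed simulated-phishing log per employee, lists the weakest links, and works out how many simulations per month keep the "threat" from becoming too rare in an employee's inbox; the log format, the outcome labels, the 50% threshold and the assumption that inbound volume excludes the simulations are all my own.

```python
from collections import defaultdict
from math import ceil

# Constructed sample log: one record per simulated phishing e-mail delivered
# to an employee, with the observed outcome. Outcome labels are a hypothetical
# vocabulary: "reported" (correct), "ignored", "clicked" (fell for the lure).
CAMPAIGN_LOG = [
    ("alice", "2024-01", "reported"),
    ("alice", "2024-02", "reported"),
    ("alice", "2024-03", "ignored"),
    ("bob",   "2024-01", "clicked"),
    ("bob",   "2024-02", "clicked"),
    ("bob",   "2024-03", "reported"),
    ("carol", "2024-01", "ignored"),
    ("carol", "2024-02", "clicked"),
    ("carol", "2024-03", "ignored"),
]


def click_rates(log):
    """Per-employee share of simulated phishing e-mails that were clicked."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for user, _month, outcome in log:
        sent[user] += 1
        if outcome == "clicked":
            clicked[user] += 1
    return {user: clicked[user] / sent[user] for user in sent}


def weakest_links(log, threshold=0.5):
    """Employees whose click rate is at or above the threshold, worst first."""
    rates = click_rates(log)
    return sorted((u for u, r in rates.items() if r >= threshold),
                  key=lambda u: (-rates[u], u))


def simulations_per_month(monthly_inbound, target_prevalence):
    """Smallest number of simulated phishing e-mails per month that keeps
    their share of an employee's inbound mail at or above target_prevalence,
    so the signal stays frequent enough to be noticed (prevalence effect).
    Assumption: monthly_inbound counts genuine mail only, not the simulations."""
    if not 0 < target_prevalence < 1:
        raise ValueError("target_prevalence must be strictly between 0 and 1")
    # Solve n / (inbound + n) >= p for n:  n >= p * inbound / (1 - p)
    return ceil(target_prevalence * monthly_inbound / (1 - target_prevalence))
```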