Scarcity or Authority or Both? #university #students #research
When John received an email inviting him to sign an online petition for strong environmental standards on fossil fuel projects in the Indian Ocean, he clicked within seconds. John was studying an environmental protection course at the University of Leicester and had just watched a video about ocean pollution before lunch!
His click brought him to an unfamiliar website, but he proceeded as instructed and filled in a few details. Unknown to him, the information he shared was sufficient to identify him on Facebook and LinkedIn. How the story might have developed depends on John’s computer security, how he stored his contact list, and what the attacker thinks is the best way to monetise John’s information and computing resources. This type of phishing or social engineering technique is called "Commitment".
Spear Phishing Email
John was a victim of a spear phishing email, a scam aimed at a particular individual in order to steal personal data for malicious purposes. A successful spear phishing campaign is well orchestrated and difficult to detect, because the attacker focuses on a smaller group of victims and applies different tactics according to their age group.
Researchers from the University of Florida and New York University examined the online behaviour of users from different age groups and published a research paper, “Dissecting Spear Phishing Emails for Older vs Young Adults: On the Interplay of Weapons of Influence and Life Domains in Predicting Susceptibility to Phishing”.
The study comprised 158 Internet users aged 18 to 89 from North Central Florida and investigated their daily internet use. Older participants were recruited through fliers and handouts posted in the town. Younger participants were recruited through the University Subject Pool. The study took place in the participants’ homes. After informed consent, a web browser extension was installed for the study with the aid of phone calls or video tutorials.
According to the 21-day intervention phase, younger users aged between 18 and 37 were most susceptible to scarcity and authority. When presented with emails related to bills, discounts or violations of the law, they were more likely to click on links than test subjects aged over 40. Two examples are listed below.
Scarcity: “You can save 25 percent on your next bill by completing our online survey within this week. Take advantage of this limited opportunity by clicking the link below <fake website link>” When young readers see text like this, the opportunity seems more valuable because its availability is limited, so they are more likely to click the link.
Authority: “Our system indicated that you have a parking violation from 2 January 2021 at 12:13 pm at 5th Avenue New York. Please visit our website to pay your fine <link>” The scammer combines urgency and authority in this message.
More Examples of Phishing Emails
Psychology professor Dr Cialdini suggested that there are six basic principles of persuasion, that is, techniques for getting people to grant one’s request. These principles are: reciprocation, consistency, social proof, likeability, authority and scarcity. The researchers added "Commitment" in their paper. No idea what they are? No problem! An example with an explanation for each type is given below:
Reciprocation: “Congratulations! Get your $20 voucher towards your next purchase. This money has been donated by a non-profit organization that promotes fair trade products. This voucher will be applicable in any supermarket. In the meanwhile, please click the link below to vote for this organization in this campaign! <link>” Users click on emails that relate to charity or social needs.
Likeability: “My name is Ben. It’s great connecting with you. I notice that you love traveling to different countries. Don’t you? I made a blog with tips on how to travel alone. Please click at <link>” If the email content is relevant to users, they might click the link carelessly.
Commitment: “Would you like to make effort to environmental protection? It is important to protect the environment so as to reduce the destruction of eco-systems. That’s why we launched this program to increase awareness. Please click the link below to support the program! <link>” When people are committed to a topic, they readily click links that interest them.
Social Proof: “I would like to invite you to upcoming networking event. More than 50 classmates confirmed to join this event. To explore more about the event, visit our website at <link>” A sense of belonging is a human need, so people might click links related to groups they belong to.
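A rough cue tagger for the sample emails above, added here as an illustration and not taken from the research paper or its tooling. The cue patterns and the names `tag_email` and `needs_review` are assumptions built from the wording of the examples on this page; it suits awareness exercises and mail triage notes, not production filtering.

```python
import re

# Cue patterns per persuasion principle (constructed from this page's samples).
CUES = {
    "scarcity": [r"\blimited\b", r"\bwithin this week\b", r"\bsave \d+ percent\b"],
    "authority": [r"\bviolation\b", r"\bpay your fine\b", r"\bour system indicated\b"],
    "reciprocation": [r"\bvoucher\b", r"\bcongratulations\b", r"\bdonated\b"],
    "likeability": [r"\bgreat connecting with you\b", r"\bi notice that you\b"],
    "commitment": [r"\bsupport the program\b", r"\bpetition\b"],
    "social_proof": [r"\bmore than \d+ \w+ confirmed\b"],
}
# Matches the page's <link> placeholders as well as real http(s) URLs.
LINK = re.compile(r"<[^>]*link[^>]*>|https?://\S+", re.I)

def tag_email(text):
    """Return (sorted list of principles whose cues match, link present?)."""
    lowered = text.lower()
    hits = sorted(
        name for name, patterns in CUES.items()
        if any(re.search(p, lowered) for p in patterns)
    )
    return hits, bool(LINK.search(text))

def needs_review(text):
    """Flag a message that pairs at least one persuasion cue with a link."""
    principles, has_link = tag_email(text)
    return bool(principles) and has_link

# Sample messages: the first three are quoted from this page, the last is constructed.
SAMPLES = {
    "scarcity": "You can save 25 percent on your next bill by completing our "
                "online survey within this week. Take advantage of this limited "
                "opportunity by clicking the link below <fake website link>",
    "authority": "Our system indicated that you have a parking violation from "
                 "2 January 2021 at 12:13 pm at 5th Avenue New York. Please "
                 "visit our website to pay your fine <link>",
    "social_proof": "I would like to invite you to upcoming networking event. "
                    "More than 50 classmates confirmed to join this event. To "
                    "explore more about the event, visit our website at <link>",
    "benign": "Minutes from Tuesday's seminar are attached. No action needed.",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, tag_email(body), "review" if needs_review(body) else "pass")
```

A message with no cue but a link, or a cue but no link, is not flagged, so the tagger complements rather than replaces link reputation checks.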
Young people are digital natives, but they have less experience with online scams and social engineering. This combination can make them an easy target for phishing attacks. University staff and IT security personnel should prepare their students.