Skip to Content
Computing

How phishing attacks trick our brains

Why you’re more of a sucker than you think.
google security Titan key
google security Titan key
google security Titan keyPhoto: Google

It’s simple and effective: getting someone to click a malicious link in an email and enter private information such as a password is the most important skill in many hackers’ toolkits. Phishing is the most common form of cyberattack and still growing.

And the reason it’s so effective, according to research being done at Google and the University of Florida, is that it takes advantage of how the human brain works—and, crucially, how people fail to detect deception, depending on factors like emotional intelligence, cognitive motivation, mood, hormones, and even the victim’s personality.

“We are all susceptible to phishing because phishing tricks the way our brain makes decisions,” Daniela Oliveira, an associate professor at the University of Florida, said on August 7 at the Black Hat cybersecurity conference in Las Vegas.

The problems begin with awareness: 45% of internet users don’t even know what phishing is, according to Oliveira and Google researcher Elie Bursztein.

Mood plays a role: people who are feeling happy and not stressed are less likely to detect deception in front of them. Cortisol, a stress hormone, increases vigilance and makes detecting a deception more likely. Serotonin and dopamine, hormones associated with positive feelings, can lead to risky and unpredictable behavior that make people more vulnerable.

Phishers can also be exceptionally good at crafting messages meant to persuade a person to click. Authority is among the most common and effective weapons—for instance, an email that claims to be from the company CEO, asking an employee to provide some information by clicking a link. Other tools include a gain/loss framing—for instance, a refund opportunity from Amazon.

Some of the most pointed phishing emails play on emotion. After the devastating and record-breaking California wildfires in 2018, Google saw an instant wave of emails asking for money to help victims. Emotional cues—for instance, promises to match donations for people left homeless—impaired the recipients’ ability to focus on the content and the clues that the email was a deception. By triggering this emotional response, the hackers got people to suspend their skepticism.

That doesn’t mean the only defense against phishing is to be a permanently stressed-out and cynical ball of anger. Healthier and more effective is to enable two-factor authentication for each of your important logins (email, online banking, social media, shopping sites, etc.). Here's a list of all the sites that support two-factor authentication.

When it’s enabled, the system asks you for something in addition to a password when you log in, such as a code sent to your phone via text message, a code from an authenticator app, or a physical security key on a USB stick (the most secure method of all, according to recent research). That way, if you’ve inadvertently given your password to a hacker in a phishing scam, they still won’t be able to log in to your account. Last year, Google said that fewer than 10% of its users had two-factor authentication enabled on their accounts.

Deep Dive

Computing

afghanistan coding program
afghanistan coding program

The code must go on: An Afghan coding bootcamp becomes a lifeline under Taliban rule

In Afghanistan, tech entrepreneurship was once promoted as an element of peace-building. Now, young coders wonder whether to stay or go.

broken pieces of log4j
broken pieces of log4j

The internet runs on free open-source software. Who pays to fix it?

Volunteer-run projects like Log4J keep the internet running. The result is unsustainable burnout, and a national security risk when they go wrong.

This new startup has built a record-breaking 256-qubit quantum computer

QuEra Computing, launched by physicists at Harvard and MIT, is trying a different quantum approach to tackle impossibly hard computational tasks.

ASML machine
ASML machine

Inside the machine that saved Moore’s Law

The Dutch firm ASML spent $9 billion and 17 years developing a way to keep making denser computer chips.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.