Phishing: 6 reasons why employees keep falling for phishing scams

Because cybersecurity inherently refers to the protection placed on one’s digital data, you can be forgiven for not realising the importance of human psychology in cybersecurity. In fact, human psychology is the very reason that employees keep falling for phishing scams, with fraudsters preying on vulnerable personalities for nefarious reasons.  

For a long time, when discussions on cybersecurity happened, the talk was always about hackers and how to prevent them using technical expertise and new hardware/software solutions. The human element of cybersecurity was forgotten about. Now, as we understand the human element in cybersecurity incidents, we can analyse why employees keep falling for phishing scams and some solutions that can help rectify your security culture.  

And phishing remains a massive issue in cybersecurity with 22% of employees likely to expose their organisation to a cyber attack via a successful phishing attempt! 

The reasons employees fall for phishing scams 

1. Human Computer Interface (HCI) now closer than ever 

• Human Computer Interface (HCI) refers to the interaction between a human and a computer and how seamlessly the two interact. When computing first entered the public space, computing companies began to build accessories and digital protocols that tied human behaviour closely to computer operations.

HCI merged human and cognitive science with computer science so the digital space and human space could work in tandem with each other. In the modern day, we would refer to this as the user experience and laud companies that make software easier and more intuitive. 

However, whilst it became more natural for humans to use computers, the now close connection between computer and human has opened the door for more cybercrime. As HCI improves, cybercriminals are taking advantage of the close knit connection between user and computer. In some cases, interactions are automatic or programmed in to avoid the human element by the user themselves, for ease purposes. A cunning third-party can then manipulate this improved HCI to phish for information and crack accounts.  

2. Pavlovian response to improved UI/UX 

• At TSC, we understand that human beings can learn behaviours and replace old ones with new improved ones through learning and practice. This process is also present in computer use with learned computer behaviours the main target of phishing fraudsters for exploitation. For instance, clicking on a link in an email when directed to or downloading an attachment when prompted are learned behaviours because of operating a browser or email client. If a cybercriminal inserts themselves as a middleman in these behaviour moments, they can find a backdoor to your data/accounts.

As user experience (UX) and user interfaces (UI) become more intuitive and our behaviours are conditioned to act a certain way online, an almost Pavlovian conditioning occurs that establishes behaviours in a predictable pattern. More than 333 billion emails are sent or received daily with automated clicking behaviour now common for most users. And with many working or operating under time constraints, automatic established behaviours because of intuitive UI/UX can open cyberattack surfaces for cybercriminals.  

By understanding human behaviour and what makes us click quickly, cyberattacks have risen to new levels of success. However, just as less than safe behaviours are learned, they can also be unlearned! 

3. Cyber Fatigue 

• In the paper “Encouraging Employee Engagement With Cybersecurity: How to Tackle Cyber Fatigue,” cyber fatigue is positioned as a key reason for human errors leading to cyberbreaches. As more businesses go all-digital and all-remote, some workers are experiencing cognitive overload, which will lead to cyber fatigue. 

We lose focus and impetus completing laborious manual tasks repeatedly … the same happens with digital tasks. If employees are not taking regular breaks to dissipate brain fog and get some mind rest, they will be making important security behaviours with a lower cognitive capacity than required, which will lead to an increased chance of cyber issues occurring.  

In fact, data shows that of the employees that open a phishing email, 53% are likely to click a link found in the copy, with 23% likely to follow through to a spoofed login page and a further 7% downloading email attachments. Many of these actions occur because of built-in digital behaviours but also because cyber fatigue leads to employees not double-checking sources and attachments, opting for the quicker solution of just clicking through.  

4. Preying on the fear of a pandemic and Covid-19 

• Phishing scams and social engineering go hand in hand during most cyberattacks. We saw an increase of 200% in the number of phishing emails at the start of the Covid-19 pandemic in 2020!  Many of these scams played on concerns over Covid-19 and used trusted government/charity domains to manipulate the behaviour of users by building trust and using fear as a trigger for unsafe behaviours.  

Phishers using social engineering tactics during a crisis is nothing new and this will not be the last case of opportunistic cyberattacks. Every time we see a crisis, we see cybercriminals blast out phishing emails, hoping to catch out employees who are not aware of how to deal with social engineering phishing attacks.  

5. Ineffective or unengaging cybersecurity training and development 

• If employees are fatigued or disinterested with their cybersecurity training and awareness campaigns, the human checkpoint in your cybersecurity armour will fail. Understanding how different people and different generations ingest and retain information is key to the effectiveness of your security awareness training.

TSC has previously written about how different generations such as digital natives and non-business-language speakers can be effectively taught.  

This cybersecurity awareness training and learning needs to be consistent. Dr Mona Rashirad, Lecturer in Strategy at the University of Sussex Business School, says: “To prevent phishing attacks, a well-designed continuous security training and educational programme, incorporating phishing simulation exercises and embedded training for vulnerable employees, needs to be established and enforced in organisations.” 

6. Professional smartphone use 

• The shift to home working has also created greater risk in the sense that many employees now use their smartphones to open emails. Smartphones make it more difficult to recognise the origin of a potential email and mean employees are significantly more susceptible to phishing. 

Opening malicious phishing emails on your phone can also compromise your home network and any devices connected to that central network. This is a quite common way for cybercriminals and phishers to enter an organisation and a method that is increasing in occurrence post-pandemic. 

Important email and phishing stats 2022 

• 1 in 3 employees are likely to click links in phishing emails (CyberNews) 
• 60% of employees open emails that were not fully confident was safe (Dark Reading) 
• 45% of employees click emails they consider to be suspicious just in case it is important (Dark Reading) 
• 41% of employees do not notice a phishing email because they are tired (ID Agent) 

• 1 in 4 employees admit to clicking on a phishing email at work (Stanford University) 

How TSC can help your employees push back against phishing and fraudsters 

In 2022, you simply cannot afford to have gaps in your cyber security strategy. There are numerous pillars to cybersecurity, but phishing security is one of the most important. Firewalls and other technological solutions are important, but if you do not apply the same focus to your employees, you will find many vulnerabilities in your cybersecurity.  

A cybersecurity strategy that includes technical safeguards and employee security awareness and training will provide the best opportunity to lower attack success rates and minimise the impact that cybercrime can have on your organisation. 

TSC has been aiding organisations across a variety of sectors for over 20 years on phishing schemes. We can provide engaging and gamified eLearning courses that will teach secure behaviours to your employees in a manner that maximises retention. We can also keep this messaging consistent within your organisation with a library of free and bespoke resources available to show how to spot phishing attempts and how best to report such cyberattacks.  

If you would like more information about how The Security Company can help deliver security awareness training for remote workers or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact Jenny Mandley.