Falling for phishes

Last weekend, I and numerous other sources reported on the “Here you have” email worm.  As you may recall, this was a spam campaign with a link to malware hosted on a free web hosting service.  The campaign was brief but sent a huge flurry of spam in a short period of time before being shut down.  One of the anti-spam blogs that commented on it is All Spammed Up, which is available on my blog roll to the right (well, it was before the software changed and the formatting of this blog morphed without my consent and with no way to change it back).  In a brief post, they chat a bit about the impact and then get into one of my favorite topics – the psychological aspect of why someone might fall for such a spam campaign:

It’s not clear why the emails duped so many into clicking on the attachment they contained. The fact that the worm invaded the address book of anyone infected and sent itself out to everyone on it may have been a factor. People, even those who know better than to click on links or open attachments from strangers, are much more likely to drop their guard and open attachments that come from friends, no matter how odd or suspicious they may look.

I will address the bolded part above (emphasis mine).  This sentence makes intuitive sense: when we see people such as family or friends, that is, those with whom we have a pre-existing relationship, we are more likely to trust them.  Then, if one of those people has malicious intent, it is easier for them to fool us.  In the case of spam, when a message from one of those trusted people shows up in our inbox, we are more likely to fall for it.

But is this an accurate assessment?

As it turns out, it isn’t.  This was actually my hypothesis many months ago when I started writing a paper entitled “The Psychology of Spamming” which I will be presenting at the Virus Bulletin conference this month in Vancouver.  I did a lot of research into cognitive psychology and what I found didn’t support my hypothesis.

When we make decisions, such as to buy something or to click on a link in a suspicious message, there is a concept known as “affect” at work.  This is the quality and quantity of goodness or badness that we feel in response to a stimulus, whether it is conscious or not.  For example, if we are in a dark alley and we see a stranger approaching, we would feel negative affect.  If we were in a well-lit hall and an attractive member of the opposite sex was walking towards us, we would feel positive affect.  In real life, if people can be made to feel negative affect (such as anger or fear), their impressions of situations can be influenced in a negative way.  For example, a group of test subjects were told all about the downside risks of nuclear power – it was expensive to build, could contaminate water supplies, and so forth.  When asked to give their impressions of it, these people judged nuclear power negatively.  Yet when people were made to experience positive affect and then asked to judge nuclear power, they all judged it positively.

The research I found on positive affect did not show that people make worse decisions when positive affect is introduced.  Consider the following excerpt from a research article by Alice Isen and Aparna Labroo entitled “Some Ways in Which Positive Affect Facilitates Decision Making and Judgment”, from page 7:

People in whom positive affect has been induced tend more than controls to take a problem-solving approach to these situations and come up with the kind of solution that involves thinking creatively about how to obtain the most for both sides… Work in the coping literature indicates that under positive affect people also appear less “defensive” in stressful situations and tend to engage in less “defensive” interpersonal processes, such as downward comparison, competitive comparisons, making oneself feel better by focusing on relatively worse outcomes or the flip side of that – feeling threatened by another person’s success (eg, Aspinwall, 1998; Aspinwall & Brunhart, 1996; Trope & Neter, 1994; Trope & Pomerantz, 1998).

It should be noted that these findings are in contrast with an earlier, widely held view that positive affect, by its nature, impairs systematic cognitive processing and leads to poor judgment and superficial thinking, either because it takes up cognitive capacity (eg, Mackie & Worth, 1989) or because it signals that the environment is benign and does not require careful attention (eg, Bless, Bohner, Schwartz & Strack, 1990).  (The latter view also assumes that if careful processing is not required in order for a person to protect himself or herself, it will not occur).

So you see, my earlier theory was that people trust phishing messages because they see a brand they recognize and therefore trust the message; they lower their guard and make poor judgments.  To them, the environment (reading the email or clicking the link) is benign.  But the study above shows that this is not the case.  When people see people/things/brands they recognize and trust, positive affect should be induced, and therefore they ought to make better decisions – in the case of phishing and malware, the better decision is to not click on the link.  With positive affect acting as an additional mental resource, people ought to be more likely to recognize that the message has malicious intent.  It is the opposite of the theory I originally had (and one that probably a lot of us in the security industry have).  As if to underscore this point, the authors continue:

Thus, the view that positive affect leads to superficial, impaired processing has become untenable.  In fact, recent work suggests that positive affect may actually free up capacity and in this way act as an additional resource or source of strength (eg, Aspinwall 1998, Aspinwall & Brunhart, 1996; Isen 1993; Isen, 2002a).

If phishing and spoofing messages work so well, and brand trust/recognition does not explain why people fall for these scams, what does explain it?  Ah, that’s the subject of my paper that I will present at the Virus Bulletin conference.