Exploiting trust – why do users fall for phishing?

Back in October at the Virus Bulletin conference, I presented a paper entitled “The Psychology of Spamming.”  Specifically, it was a research project looking at our cognitive processes and how they can be exploited.

I won’t go into the full details here (I will post a link to my paper and/or slide deck), but basically, humans can be influenced in their decision making by invoking emotion.  It is not enough to invoke any emotion; you must invoke high levels of arousal.  Not only that, you need to touch on certain triggers that are linked to our limbic brain: money, sex, food and even revenge.  I then proceeded to do a demonstration.

I pulled out four blocks of wood and covered them with paper cups.  In the bottom of each block of wood there were four nails perfectly positioned such that a cup nestled into them; if you turned a block upside down, the cup would not fall off.  However, in the middle of one block of wood was a large nail sticking out of it.  Obviously, if someone were to push their hand down onto that nail, they would be severely injured.

That was the point of my demonstration.  I then had a volunteer from the audience mix up all of the cups, but not before I had mixed them all up myself while the audience could not see.  In the end, there were four blocks of wood, each covered by a styrofoam cup, and underneath one of the cups was a nail sticking out.  Neither I nor the volunteer knew which block of wood hid the nail, because each of us had our back turned while the other mixed them up.

I then had the volunteer call out a position: 1, 2, 3 or 4.  Whichever one he called out, I held my hand over the top of that cup.  I then raised it in the air and smashed it down onto the cup, crushing it.  Obviously, if there had been a nail beneath it, I would have been severely injured and required medical attention.  That was a bona fide, legitimate danger.  I put the address of the hotel on the projected slide and instructed an audience member to take out his cell phone and call 911 if I did get hurt.  I told him what to say: that someone had suffered a puncture wound to the hand from a nail and would need the bleeding stopped.  I also had bandages in my bag, just in case.

And so we continued.  This is how it played out: the volunteer called out a number.  I raised my hand above it and smashed it down.  Nothing beneath the cup.  He called out another number, and once again I brought my hand up and smashed it down onto the cup, crushing it.  I did it a third time and again nothing happened.  By a stroke of luck, he never called out the one that could have caused me severe injury, and I got away without needing to go to the hospital.  Whew!

The whole point of the demonstration was the emotional response that everyone in the audience was feeling at that moment (and perhaps some of you readers felt it from the description above).  When a certain response is invoked, in this case fear, we do not think rationally.  At low levels, the response acts in more of an advisory role.  At more intense levels, these emotions can cause us to act against our own best interests.  That is the same lever a phishing message pulls: an urgent threat, or an appeal to money, sex or food, that pushes the reader to act before thinking.  Everyone in the room was either worried that I might get injured, or afraid to watch (yet at the same time unable to turn away) because of the amount of blood that would be gushing from my hand.  The point is that nobody thought it would actually be a good idea to test something like this.  What kind of crazy person would do such a thing?  But nobody stopped me, because I appeared authoritative, and I succeeded in manipulating people into not protesting.  It’s not that I have any sort of special ability (if I were in the audience I would behave exactly like everyone else); it’s that the fear response does not respond to logic once higher levels of it are induced.

That was the crux of my presentation.  I will go into more details about the psychology of spamming in future posts.
