Phish detection and the human psyche
Josh had just come from a meeting with a supervisor whom he was eager to impress. When he got back to his desk, he saw he had received an email from her, asking him to open a file. To open it, he had to enter his Michigan Medicine credentials, but he didn’t think anything of it because the message seemed urgent and he was desperate to make a good impression.
Two hours later, he was fielding messages from several of his email contacts who had received similarly urgent messages from him asking for their credentials. He had been phished! The attackers had control of his account until he was able to change his password.
There’s one vulnerability that encryption, firewalls and identity and access management cannot remove: human emotions and behaviors.
The fascinating thing about phishing is that it doesn’t require exploiting a computer code, but rather exploiting human emotions. If you can catch a frazzled person with an urgent message at a weak moment, the attacker is golden.
Phishing emails are successful when people are in situations that cause them to be reactive or feel strong emotions. They can work on busy people who have a compelling reason to quickly comply with requests. Phishing plays on the human psyche!
Here are the takeaways:
- Take a minute to read emails.
- Don’t click links you aren’t sure of.
- Don’t enter Michigan Medicine credentials into third-party websites.
In other words, be a human firewall!
If you suspect an email is phishing, report by clicking the Report Phishing Button in Outlook. If you are a mobile user, forward the email to ReportPhish@umich.edu.
Additional information can be found on Safe Computing by clicking here.