
Using psychology to defend against phishing attacks

A healthy dose of judicious skepticism is crucial to preventing phishing attacks, said David Fine, supervisory special agent at the FBI, during a presentation at a HIMSS event.

People are the key to a successful phishing attack, and they are also the key to preventing one, David Fine, supervisory special agent at the FBI, reasoned during a Nov. 1, 2024 session at the HIMSS Healthcare Cybersecurity Forum, held in Washington.

Fine's presentation focused on the psychology of social engineering and how cyberthreat actors take advantage of human nature to successfully execute their attacks.

Phishing and other types of social engineering schemes remain a top cyberthreat in healthcare and other sectors. The FBI's Internet Crime Complaint Center received nearly 300,000 phishing complaints in 2023, more than any other category of internet crime complaints.

An October 2024 alert by the HHS Health Sector Cybersecurity Coordination Center underscored the risk of sophisticated social engineering attacks by exploring the threat of Scattered Spider cyberthreat actors, who have targeted healthcare and other sectors repeatedly. Specifically, Scattered Spider has been observed using AI to spoof the voices of victims and obtain initial access to victim organizations.

A 2024 report by Mandiant found phishing to be one of the most common initial infection vectors. The report noted that contemporary phishing tactics have been able to challenge traditional security paradigms and reach a wider range of people via targeted schemes through multiple mediums.

Despite the known rise in social engineering attacks across the internet, when it comes to phishing emails, Fine said, it is human nature to assume that an email sender is not being deceitful.

"Assuming that an email is a genuine email -- we are wired to think that way," Fine said. "Why would someone send me an email that's lying to me? It goes against a social default position that we are all wired with in every aspect of our lives."

In fact, the best phishing emails do not provoke the recipient to scrutinize them at all.

"When you get a phishing email, it has been carefully crafted to prevent critical thinking. That's the goal," Fine stated.

"They will do that by leaning into the unconscious biases and the heuristics, but also preexisting trust relationships."

Essentially, cyberthreat actors find success in phishing by blending in. In the past, a cautious recipient might have received an email with blatant errors or a strange link and steered clear. Now, hackers are using technology like AI to craft phishing emails that look indistinguishable from a legitimate email, coercing even a skeptical user to click on a malicious link or scan a QR code.

"So the real challenge here is that a phishing email no longer looks any different than any other email that people receive in any other context."

Developing a successful defense strategy against phishing

Understanding the human bias toward trust is the first step in developing successful defenses, Fine suggested. Cyberthreat actors are aware of this bias and might try to exploit trusted relationships and communications by impersonating legitimate people or services.

In terms of defense against this pervasive threat, technology can only go so far. Threat detection technology is highly important, but when faced with a suspicious email in an inbox, it is up to that recipient to make the right choice.

When it comes to phishing, workforce training is essential -- particularly training that leverages these key elements of human psychology.

Fine suggested that employing judicious skepticism is the best defense against phishing emails.

"Really the best defense against phishing emails is teaching people to be judiciously skeptical of the things they receive," Fine said. "Try to fight this bias, because this bias is really the worst thing going for us in this space."

Using human psychology to enhance threat defense rather than hinder it will prove crucial to prevent phishing attacks. In addition to building psychology into security training, Fine emphasized the importance of working with the workforce to prevent phishing.

"So, if someone does something wrong, you have to have a culture where people feel like they're part of the solution and can report it," Fine noted.

When developing an anti-phishing campaign, Fine advised leaders to set up contextually appropriate fake phishing emails that actually simulate ones that a recipient is likely to receive.

"You want to create something that gets a high click rate because you want those learning points. There's nothing wrong with clicking on an email in these campaigns. You learn something about yourself," Fine noted.

Essentially, well-crafted phishing simulation emails can help organizations learn about points of vulnerability and adjust their training as needed to help recipients avoid making the same mistake in the event of a real phishing incident.

Finally, Fine urged the audience to work with the FBI and report incidents in a timely manner.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
