Phishing is one of the most prolific cybercrimes affecting individuals, companies and large institutions. In essence, it consists of impersonating a person, a brand or a company through one of the channels that modern information technology provides.
The objective is to trick the recipient of a phishing message into handing over confidential information (typically credentials or banking details) that is subsequently used to carry out a financial scam. The crime rests on the central problem the internet poses: telling the genuine from the fake.
Several types of phishing can be distinguished by the medium used:
- Deceptive phishing: The user receives an email in which the cybercriminal pretends to be a trusted company in order to obtain confidential information, usually banking details with which to steal money. The email often includes a link that redirects to a malicious site, typically a cloned page served from a look-alike domain whose URL is almost identical to that of the legitimate site. Email is the channel par excellence because it offers the most elements with which to build the deception: text, images, data...
- Smishing: The cybercriminal, again posing as a trusted company, sends an SMS informing the user that they have won a prize or offering some advantageous service. The objective is to get the user to tap a link or install software that will ultimately steal their information.
- Vishing: The cybercriminal uses voice calls, posing as a supplier, a telephone operator, a support center, a bank, etc., with the aim of collecting the personal information with which the scam is later carried out.
The fight against this type of crime is well under way: cybersecurity companies build antiphishing systems that try to identify communications or websites that may be fraudulent. For their part, cybercriminals keep innovating so that their emails, text messages or calls look ever more credible to users and slip past the filters these antiphishing systems put in place.
As mentioned above, phishing exploits the possibility of "cloning reality" that the internet offers: a virtual space removed from the physical identification the "analog world" allows us. When we walk into the bank branch we have used for years, we are sure that we are entering our real bank, that the premises and the people who serve us are real and belong to our bank. The paperwork, the advertising and the staff at the counter are recognized by us as authentic. These certainties disappear in the virtual world. When we log in to our bank online everything changes: we recognize the logos, the domain and even the look of the website, but can we be completely sure that this place is authentic?
On the other hand, successful phishing requires the victim's participation. The user who receives the email, the SMS or the call must be deceived and persuaded to carry out some action: log in to their online bank, click on a link, download a file.... This calls for a series of cybercriminal strategies that we have discussed in prior posts, which rely on so-called "social engineering" and psychological persuasion to make the victim take the bait and behave as the cybercriminal intends. The attacker needs to influence the victim and prime them for action. To do this, the cybercriminal must first establish trust and credibility, so that the person believes they are reading an email from their bank, their internet provider, their insurance company.... From there, the phishing message tries to create one of two situations:
- Reward: The user stands to gain some benefit, a prize, money, savings.... This generates a feeling of happiness that drives the person to do whatever is necessary to obtain the reward.
- Punishment: The user may suffer some loss or damage if they do not act. Their bank account may be blocked, they may lose money, their insurance may be suspended.... This generates fear, which leads the person to act in order to avoid the punishment.
With all these elements in play, cybercriminals have to work harder every day: innovating in website cloning, simplifying and reducing the interaction required of the victim, and improving their ability to mobilize users, that is, to motivate them to act. In a way, the task is very similar to what brands do through marketing to get customers to buy their products. Brands also seek to build credibility and trust and apply the principles of psychological persuasion we talked about in another post.
In this sense, phishing can borrow strategies from marketing, consumer psychology or even advertising to improve its success rate. It should be remembered that, although phishing campaigns are usually sent en masse, cybercriminals increasingly need a spear-phishing approach that individualizes victims and reduces misfires, messages that reach people with no relationship to the impersonated brand, which get reported and can put the whole campaign at risk.
It is in the effort to increase victim mobilization that phishing may resort to one of the most controversial tools in advertising and marketing: the use of subliminal messages.
In 1957, the market researcher James Vicary claimed to have found a curious way to increase sales of two products, Coca-Cola and popcorn. He reportedly inserted frames reading "eat popcorn" and "drink Coke" into a film being screened in a movie theater. The frames had one special feature: they were displayed so briefly that viewers registered them without being aware of having read them. This is what is called a subliminal message. (Vicary later admitted that the experiment had been fabricated, which is part of the controversy discussed below.)
A few years earlier, in 1949, Shannon and Weaver had published their mathematical model of communication, and the information-processing paradigm in psychology that borrowed its vocabulary describes the human being as "an information processor, whose fundamental activity is to receive information, process it and act accordingly." In this view there are two kinds of stimuli: supraliminal stimuli, which, once perceived, reach the cerebral cortex and are consciously processed by the subject; and subliminal stimuli, which are also perceived but never become conscious. Put simply, we are aware of perceiving an image or a sound only when it exceeds certain thresholds of intensity and duration. Stimuli below those thresholds are still perceived, but we are not aware of them. Both kinds influence us at the level of information processing; that is, both generate responses. The claim in Vicary's case was that his subliminal message led viewers who were thirsty and hungry to buy Coke and popcorn.
Although there is a great deal of scientific controversy about them, and they are even banned in many countries, subliminal messages are still widely attributed to advertising. Many brands are said to use graphic compositions or hidden text in their ads to influence viewers and make the product more recognized, better remembered, more appealing.... In a way, the objective of this "covert" advertising is to persuade people without their being aware of it, leaving them convinced that they chose popcorn over a hot dog entirely on their own.
Now, what would happen if subliminal messages were included in phishing content? Could they contribute to the persuasion the victim requires? Consider the body of a phishing email or the interface of a cloned website: certain text or images could be inserted subliminally to enhance credibility or to reinforce the reward or punishment processes described above. Could a higher click rate on a link be achieved with subliminal messages?
In this post we are not going to give cybercriminals any more clues, but as cybersecurity suppliers we must try to stay one step ahead of criminals, or at least keep pace with them, in order to propose and build security measures. We can also defuse subliminal messages, or cancel their influence, if we know what they are doing. In the Vicary case as it was reported, the increase in sales of Coca-Cola and popcorn occurred only among spectators who were thirsty or hungry during the film, that is, those who already felt a need. Had the film been screened right after a meal, or had every viewer been handed a Pepsi on the way in, the subliminal messages would have had no effect.
In this sense, antiphishing systems must implement measures and filters that also take these elements into account. Blocking the automatic download of remote images in the email client is one simple measure that stops an image-based message of this kind from ever being displayed (and, as a side benefit, defeats the tracking pixels that tell a sender an address is live), while a content filter should treat text that is rendered invisible or near-invisible to the reader as a signal in its own right.
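As an added example, not code from the original post or its author, the Python scanner below shows the kind of check such a filter needs. It parses an HTML email body and flags elements that a human reader would never consciously see (text in a 1px font, text the same colour as its background, zero opacity, `display:none`, off-screen positioning, 1x1 images), recording the hidden text so an analyst can see what the victim was being "primed" with, and it lists every image fetched from a remote server; a final helper shows the client-side mitigation from the paragraph above by blanking remote image sources. The same near-invisible elements are also used to smuggle filler text past content filters, so the check serves both purposes. The thresholds, the sample message and the domains in it are assumptions constructed for illustration; it uses only the standard library.

```python
# Added example: scanner for near-invisible content and remote image loads in an
# HTML e-mail body. Not code from the original post; the thresholds, the sample
# message and the domains in it are assumptions/constructed for illustration.
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# Constructed sample: an "account limited" lure that hides pressure text from
# the reader in three different ways and loads a 1x1 image from a remote host.
SAMPLE_HTML = """<html><body>
<p>Dear customer, your account has been <b>temporarily limited</b>.</p>
<p>Please <a href="https://secure-login.example.invalid/verify">confirm your identity</a> within 24 hours.</p>
<span style="font-size:1px;color:#ffffff;background-color:#ffffff">act now act now act now</span>
<div style="position:absolute;left:-9999px">you will lose your money if you wait</div>
<img src="https://tracker.example.invalid/pixel.gif" width="1" height="1" alt="">
<p style="opacity:0">click the link</p>
</body></html>"""

VOID_TAGS = {"img", "br", "hr", "input", "meta", "link", "area", "base", "col", "source", "wbr"}
_NUM = re.compile(r"^(-?\d+(?:\.\d+)?)\s*(?:px|pt)?$")
_REMOTE_IMG = re.compile(r'(<img\b[^>]*?\bsrc\s*=\s*)(["\'])(?:https?:)?//[^"\']*\2', re.I)

@dataclass
class Finding:
    tag: str
    reason: str
    text: str = ""  # the text the reader never sees, or the remote URL

def parse_style(style: str) -> dict:
    """Inline style attribute -> {property: value}, both lower-cased."""
    pairs = (p.split(":", 1) for p in style.split(";") if ":" in p)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def px_value(value: str):
    """Bare, px or pt number -> float; None for anything else (%, em, auto...)."""
    m = _NUM.match(value.strip().lower())
    return float(m.group(1)) if m else None

def hidden_reason(tag: str, attrs: dict):
    """Why the element is (near-)invisible to a human reader, or None."""
    s = parse_style(attrs.get("style", ""))
    if s.get("display") == "none" or s.get("visibility") == "hidden":
        return "display:none/visibility:hidden"
    op = px_value(s.get("opacity", ""))
    if op is not None and op < 0.1:          # threshold is an assumption
        return f"opacity:{s['opacity']}"
    size = px_value(s.get("font-size", ""))
    if size is not None and size <= 2:       # threshold is an assumption
        return f"font-size:{s['font-size']}"
    if "color" in s and s["color"] == s.get("background-color"):
        return "text colour equals background"
    for prop in ("left", "top", "text-indent"):
        off = px_value(s.get(prop, ""))
        if off is not None and off <= -1000:  # pushed out of the viewport
            return f"off-screen ({prop}:{s[prop]})"
    if tag == "img":
        w, h = px_value(attrs.get("width", "")), px_value(attrs.get("height", ""))
        if w is not None and h is not None and w <= 1 and h <= 1:
            return "1x1 image"
    return None

class HiddenContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._stack = []  # (tag, index into findings if that element is hidden)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "").strip().lower()
        if tag == "img" and src.startswith(("http://", "https://", "//")):
            self.findings.append(Finding(tag, "remote image load", a["src"]))
        idx = None
        reason = hidden_reason(tag, a)
        if reason:
            self.findings.append(Finding(tag, reason))
            idx = len(self.findings) - 1
        if tag not in VOID_TAGS:  # void elements never get an end tag
            self._stack.append((tag, idx))

    def handle_endtag(self, tag):
        if any(t == tag for t, _ in self._stack):  # tolerate sloppy nesting
            while self._stack.pop()[0] != tag:
                pass

    def handle_data(self, data):
        text = " ".join(data.split())
        for _, idx in reversed(self._stack):  # nearest hidden ancestor owns the text
            if text and idx is not None:
                self.findings[idx].text = (self.findings[idx].text + " " + text).strip()
                break

def scan_html(html: str) -> list:
    """Findings for one HTML body, in document order."""
    p = HiddenContentScanner()
    p.feed(html)
    p.close()
    return p.findings

def block_remote_images(html: str) -> str:
    """Crude mail-client mitigation: blank the src of every remotely hosted <img>."""
    return _REMOTE_IMG.sub(r"\1\2\2", html)
```

Run against the constructed sample, `scan_html` returns five findings: the 1px span and the off-screen div with their hidden pressure text, the tracking image twice (once as a remote load, once as a 1x1 element) and the zero-opacity paragraph. The scanner is deliberately narrow: it only reads inline styles, so a real filter would also resolve `<style>` blocks and `class` rules, and it flags the presence of hidden content rather than deciding by itself that a message is phishing.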