Most people know enough about horror films to recognise that the victims make the same mistakes time and again. There are the teenagers who follow a creepy noise and walk right into the killer, the couples who ignore warnings about all those strange disappearances in the area and the countless people who suddenly forget how to run away without falling over.
It’s easy to mock horror writers for continually going back to the same tropes, and easier still to say that no one in the real world would do these things. But at IT Governance, we know that fear can do strange things to people – just look at how many people fall for phishing scams. Once you dissect a phishing email, you can see clearly that it’s a scam, but in the heat of the moment, it’s not so easy.
So when you’re next watching a horror film, don’t dismiss the characters as stupid unless you’re sure that no one in the room is among the many people who are tricked by phishing scams every year. After all, cyber criminals aren’t all that different from cinematic serial killers.
Don’t believe us?
1. They’re clearly suspicious
Psycho’s Marion Crane really should’ve realised that Norman Bates was a psycho, given that he talked strangely, acted strangely and lived in a big, creepy house that was miles from anywhere, had peepholes into the bathroom and was full of stuffed animals.
But by that same reasoning, everyone should immediately see that there’s something suspicious about emails that are addressed to “Loyal customer”, are full of spelling mistakes and ask you to click a strange link.
Clearly that isn’t the case, as phishing scams are more prominent now than ever. There are a number of reasons people ignore suspicious behaviour, but it mostly comes down to feeling under pressure. Given enough time to think about it, the victim would see that it was a trap, but Internet users tend to be in a hurry and are click-happy.
2. They appear from nowhere
There are two ways that killers and phishers appear: the first is the ‘cattle prod cinema’ of jump scares, loud bangs and sudden reveals.
You might find yourself going about your day when, all of a sudden – ping! – an email from your bank telling you your account has been frozen arrives. You’ve been caught completely off-guard and hurriedly click the link before you realise that it was a cheap, cynical trick.
3. They prey on people’s curiosity
Then there’s the other way they appear: as a result of the heroes’ curiosity. The criminals lay their bait, which is either a phishing email or, say, a book of incantations that will release an army of the undead if you read it aloud, and wait for someone to stumble upon it.
In both scenarios, the soon-to-be victim knows immediately that there’s something strange going on. But even though they realise that the bait could lead to something terrible happening, there’s also a chance that everything will be fine. Maybe they really have won an iPhone.
Inevitably, they were right the first time. If only they’d deleted the email, closed the book and forgotten all about it, they wouldn’t have brought all this damage upon themselves.
4. They masquerade as people you know
Finding out that the people you know and trust have been replaced by imposters is a terrifying idea, and it’s rightly become a trope of horror films.
But while we wait for Invasion of the Whaling Emails, many people live that film every day. In a typical example, an employee gets an email from someone they believe to be their boss, telling them to send over important work documents. What has actually happened is that a cyber criminal has gained access to the boss’s email account and is trying to misappropriate sensitive information.
The employee might realise that the request is unusual, but chooses to comply with it in case it turns out to be a genuine request. If they didn’t send over those documents and wound up responsible for the organisation losing an important contract or missing a deadline, they’d be in serious trouble.
This is what makes imposters so scary: they usually don’t fool people completely. Rather, they make their victims doubt themselves: surely no one could pull off such a stunt, and surely they wouldn’t be the only one to notice.
In horror films, the wild conspiracy theorist is lucky if they’re not thrown in prison or a mental institution, but they’re always proven right. People who suspect they are being targeted by a whaling email won’t necessarily be right, but they should definitely contact the sender through another channel (not by replying to the email) and ask them whether the request is legitimate.
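As an added illustration, not from the original post, the warning signs from points 1 to 4 above turned into a simple triage check over constructed sample messages; the names, addresses and address book are hypothetical. It cannot catch the case in point 4 where the boss’s real account has been taken over, which is exactly why the post says to contact the sender through another channel.

```python
import re

# Constructed sample messages for this example (not real emails); links are (visible text, actual href)
SAMPLES = [
    {"display": "Your Bank", "from_addr": "alerts@bank-secure-login.example",
     "subject": "Your account has been frozen",
     "body": "Loyal customer, your account has been frozen. Click www.mybank.com/verify immediately.",
     "links": [("www.mybank.com/verify", "http://mybank-verify.example/login")]},
    {"display": "Jane Doe", "from_addr": "jane.doe@example.com", "subject": "Q3 report",
     "body": "Hi Sam, the Q3 report we discussed is on the intranet.",
     "links": [("https://intranet.example.com/q3", "https://intranet.example.com/q3")]},
    {"display": "Jane Doe", "from_addr": "jane.doe@example-co.net",
     "subject": "Urgent: contract documents",
     "body": "Sam, please send me the contract documents immediately.", "links": []},
]
# Hypothetical address book: the people whose name a whaling email would borrow
KNOWN_SENDERS = {"jane doe": "jane.doe@example.com"}

GENERIC_GREETINGS = ("loyal customer", "dear customer", "valued customer", "dear user")
PRESSURE_WORDS = ("frozen", "suspended", "immediately", "refund", "you have won", "prize")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def phishing_indicators(msg, known_senders=KNOWN_SENDERS):
    """Return the indicators a message triggers, in the order the post discusses them."""
    hits = []
    body = msg["body"].lower()
    text = body + " " + msg["subject"].lower()
    # 1. Addressed to "Loyal customer": a generic greeting where a genuine sender would use your name
    if any(g in body[:80] for g in GENERIC_GREETINGS):
        hits.append("generic_greeting")
    # 2, 3 and 6. Pressure or bait: frozen account, prize, tax refund, act now
    if any(w in text for w in PRESSURE_WORDS):
        hits.append("urgency_or_lure")
    # 1. A strange link: the visible text names one domain but the href goes somewhere else
    for shown_text, href in msg["links"]:
        shown = DOMAIN_RE.search(shown_text.lower())
        target = DOMAIN_RE.search(href.lower())
        if shown and target:
            s, t = shown.group(1), target.group(1)
            if t != s and not t.endswith("." + s):
                hits.append("link_mismatch")
                break
    # 4. Someone you know: a familiar display name on an address that is not theirs
    expected = known_senders.get(msg["display"].lower())
    if expected and msg["from_addr"].lower() != expected:
        hits.append("impersonated_known_sender")
    return hits
```

A message with no hits is not proof it is genuine; an unusual request from a real, compromised account still needs the phone call the post recommends.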
5. They make manipulative phone calls
If Drew Barrymore hadn’t been killed and hung from a tree at the beginning of Scream, she probably wouldn’t have listened to manipulative phone callers again.
Telephone phishing (vishing) is less common than email phishing, partly because it can’t be performed in bulk, but its highly targeted nature can make it more persuasive. A sympathetic voice over the phone is more intimate than an email message, and the scammer can create a much greater sense of urgency.
6. They keep coming back
If long-running horror film franchises have shown us anything, it’s that the bad guys never go away for long. You just knew that when Freddy Krueger was blown up by a pipe bomb (in a film called The Final Nightmare, no less), the writers would find a way to bring him back.
And we should take the same attitude to the perennial phishing scams. Every year, countless people get emails that are supposedly from revenue services. The messages tell people that they’re entitled to a large tax refund, and all they need to do is click the link provided and fill in their tax information.
This scam has become such a big problem that Ireland’s Revenue Commissioners, the UK’s HM Revenue and Customs, Spain’s Tax Agency and many others have published guidance on recognising genuine emails. However, as long as the scam keeps drawing people in, criminals will keep going back to it.
Protect yourself from phishing attacks
Once you know about the dangers of phishing, you can go from being Sarah Connor in The Terminator to Sarah Connor in T-2. And as in The Terminator, people’s reliance on technology will be their downfall. There is no foolproof technology to prevent phishing, as Mimecast’s third quarterly Email Security Risk Assessment showed. The report found that 24% of all malicious emails pass through spam filters, leaving millions of phishing scams in people’s inboxes every day.
The most effective way to defend against phishing in your organisation is to invest in staff training. Our Phishing Staff Awareness Course uses real-life examples and practical tips to help employees understand how phishing works and how to avoid falling victim.