scientists describe the relationship between stress and vulnerability to phishing

According to research Department of Energy’s Pacific Northwest National Laboratory (PNNL), workers who experience some form of stress are more likely to be targeted by phishing attacks.

Scientists have identified a specific form of stress that indicates which employees are more susceptible to malware infection due to interaction with phishing content. The researchers’ work could help employees and their employers strengthen their cyber defenses by recognizing warning signs when someone is about to click on a malicious link.

A study of a group of 153 participants found that the relationship between stress and response to a simulated phishing email was statistically significant.

The authors of the experiment found that people who reported high levels of stress at work were significantly more likely to click on a phishing link in an email. Each increase in stress rating by one point increased the likelihood of getting caught by a phishing email by 15%.

Distress is described by scientists as a feeling of tension when someone at work feels they are in a difficult situation and cannot cope with the task at hand. Stress can come from feeling like the workload is too high, or from feeling like they don’t have enough training or time to do their job.

Note that the participants in the experiment agreed to take part in the study, but they did not know that the phishing email sent a few weeks after the start of the test was part of the study.

The authors emphasized that the phishing emails were well thought out and tailored to the organization. Forgery in such letters was much more difficult to detect than in ordinary letters. phishing.

Each member received one of four different versions of the message about the new dress code that would be introduced in their organization. The team tested three common phishing tactics individually and together.

• Urgency. 49% of recipients clicked on links. Sample letter text: “This policy will take effect 3 days after receiving this notice…confirm changes immediately”;
• Threat. 47% clicked on the link. Sample text of the letter: “… follow the new dress code, otherwise you may be subject to disciplinary action”;
• Authority. 38% clicked on the link. Sample letter text: “According to the Office of the General Counsel…”;
• Three tactics together: 31% of participants followed the link.

When combining three phishing tactics, scientists explain such a low score by the fact that the more tactics used, the more obvious that this is a phishing message. According to them, tactics must be convincing, but there is a middle ground. If too many tactics are used, the user may realize they are being manipulated.

In the future, one of the options for reducing risk may be the joint work of man and machine. If the algorithm notices a change in work patterns that could indicate an employee is tired or inattentive, the AI ​​assistant can email the employee to suggest they take a break.