Here's a number that might take a second or two to digest: in 2014 there were about 400 million successful cyber-attacks in the U.S.

That's more than the U.S. population, estimated to be nearly 319 million last year.

“That means everyone in the country may have been breached,” said Arun Vishwanath, an associate professor in the Department of Communication at the University at Buffalo and an expert in cyber deception. “Everyone. Including me and you.”

What is particularly dangerous, he says, is spear phishing: a tightly targeted attack that delivers malicious links or attachments in email messages crafted to look genuine.

Spear phishing

These messages bear the imprint of a known or trusted organization: your bank, the electric company, or a government agency.

When a recipient opens the attachment or follows the link, the malware runs – intrusive software that works in the background and can cause all sorts of mischief.

A great deal of time and effort has gone into educating consumers about phishing threats, and why they shouldn't click on links in suspicious emails. Yet, consumers continue to do it.

Vishwanath says this training ignores users’ habits and instead focuses exclusively on how users process information. He's compiled a research report that examines these email habits and phishing outcomes.

“The findings point to a joint operation of habits and information processing, something that most social scientists have ignored,” Vishwanath said. “We can’t just focus on one aspect of that use, yet that’s what we’re doing and it explains why phishing is successful.”

Taking advantage of habits

Hackers have figured it out, Vishwanath says. Their phishing schemes work because the perpetrators take advantage of people who are habitual in the way they respond.

He says email systems, especially when accessed on mobile devices, are built around user habits.

"They encourage users to repeatedly check for messages, establishing routines that turn their devices into a casino game, with users opening emails like reckless gamblers habitually pulling the arms of slot machines without thinking of the long-term consequences," Vishwanath said.

In the meantime, spear phishing succeeds 17% to 35% of the time, a rate that is highly damaging when you consider how many phishing emails go out each day.

Being able to recognize a phishing email is a first step to avoiding this scam. Microsoft has some advice and has dissected an example. But in the end, this might not be enough.
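The tells described above (a message that wears the name of a trusted organization, a link or attachment that carries the payload) are the same ones a mail filter or a cautious reader looks for when trying to recognize a phishing email. The script below is an added example, not code from the article or from Vishwanath's research: it parses a raw email and reports four common spear-phishing indicators. The sample messages, the trusted-domain list and the indicator names are constructed for the illustration, and the registered-domain helper is deliberately crude (a real tool would consult the public suffix list).

```python
"""Spear-phishing indicator checks over a raw RFC 822 message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: claims to be from a bank, but the sender address,
# the link target and the attachment all tell a different story.
SAMPLE_EMAIL = """\
From: "First Example Bank Security" <alerts@firstexample-bank-login.com>
To: victim@example.org
Subject: Action required: verify your account
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<p>Dear customer,</p>
<p>Please <a href="http://firstexample-bank-login.com/verify">
https://www.firstexamplebank.com/verify</a> to keep your account active.</p>
--XYZ
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"

MZ...
--XYZ--
"""

# Constructed benign sample from the real domain, for comparison.
BENIGN_EMAIL = """\
From: "First Example Bank" <alerts@firstexamplebank.com>
To: victim@example.org
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<p>Your <a href="https://www.firstexamplebank.com/statements">statement</a> is ready.</p>
"""

# Assumed configuration: domains the recipient actually trusts, and
# attachment extensions that run code when opened.
TRUSTED_DOMAINS = {"firstexamplebank.com"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".bat", ".cmd", ".ps1"}


def registered_domain(host):
    """Crude registered-domain reduction: keep the last two labels."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of (indicator, detail) pairs found in the raw message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    brand_tokens = {d.split(".")[0] for d in trusted}  # e.g. "firstexamplebank"
    flat_display = re.sub(r"[^a-z0-9]", "", display.lower())
    flat_sender = re.sub(r"[^a-z0-9]", "", sender_domain)

    # 1. Display name invokes a trusted brand, but the address is on another domain.
    if any(t in flat_display for t in brand_tokens) and sender_domain not in trusted:
        findings.append(("sender-domain-mismatch", f"{display!r} sent from {sender_domain}"))
    # 2. Lookalike: an untrusted sender domain embeds the brand once punctuation is stripped.
    if sender_domain not in trusted and any(t in flat_sender for t in brand_tokens):
        findings.append(("lookalike-domain", sender_domain))

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            # 3. Executable or double-extension attachment.
            lower = filename.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in RISKY_EXTENSIONS or lower.count(".") > 1:
                findings.append(("risky-attachment", filename))
        elif part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            collector = LinkCollector()
            collector.feed(body)
            for href, text in collector.links:
                # 4. Visible link text shows one domain, the href points at another.
                if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text.lower()):
                    shown = urlparse(text if "://" in text else "http://" + text).hostname
                    if shown and registered_domain(shown) != registered_domain(urlparse(href).hostname or ""):
                        findings.append(("link-text-mismatch", f"{text} -> {href}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"{indicator}: {detail}")
```

Run against the constructed phishing sample it reports all four indicators; the benign sample from the real domain produces none. None of these checks replaces the habit problem the article describes: a reader who never looks at the sender address or the link target gets no benefit from being taught what to look for, which is exactly the point Vishwanath makes.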

Vishwanath says his research suggests that the training, which teaches people to recognize suspicious emails, is based on the presumption that the phishing problem can be accounted for by information processing.

It can't, he says.
