Your Brain on Phishing

Phishing attacks continue to plague individuals and organizations the world over. What makes them so effective? The answer, it turns out, has been inside our heads all along.

Have you seen this? It’s pretty wild. SoFi, the financial company and online bank, asked AI to generate images of “someone who is good with money” or “someone who is good at earning money” or “someone good at investing” – you get the idea. It came back with thousands of images.

Less than 2% of them were of women.

This reminds us how pervasive our cognitive biases are, and how deeply stereotypes shape the world around us. Even our technological tools reflect our deep-seated assumptions!

Everyone knows that biases can be harmful, and that stereotypes paint cartoonish pictures of our complex and nuanced world. But when it comes to hackers, your biases might be more than harmful.

When it comes to hackers, your ideas could easily lead to your downfall – to the loss of your business.

So there’s someone you should meet. Her name is Jessica and she’s a hacker.

Meet Jessica

Jessica Clark is likely not who you picture when you picture a “hacker.” She’s not in a trench coat or hiding behind a pair of sunglasses or within the recesses of a hoodie. She has blonde hair, a constant smile, and an infectious enthusiasm. And she’s about to hack the man sitting across from her.

His name is Kevin Roose and he’s a journalist. They’re at DEFCON, the world’s largest hacking convention, a place so rife with hackers it’s recommended you turn off your phone’s Wi-Fi and Bluetooth while on the premises!

Jessica is what’s known as an ethical hacker – someone who uses their professional hacking skills for good. She works for Social Engineer, Inc., a security firm dedicated to helping individuals and organizations avoid falling for social engineering scams. If you don’t know what social engineering is, you’re about to find out.

“Go for it!” says Kevin. He looks a little uncertain, but he still expresses confidence that his phone company won’t reveal his email to Jessica: “I bet they’re good. I bet they have my back.”

Jessica just laughs and proceeds to dial, ‘spoofing’ Kevin’s number so it looks like the call’s coming from his phone. And this is just the start.

Jessica also plays crying baby sounds.

The customer service rep picks up and Jessica starts to work her magic. She’s ridiculously nice, friendly, charming, apologetic, polite – just a ‘busy mom’ whose husband asked her to do something. She needs to log in to the account but forgot which email they used.

Her tone, her manner, her laugh – it’s an Oscar-worthy performance (watch the video from Fusion here).

It takes just 30 seconds to get the email, but she’s not done yet. Pretty soon she sets up her own access to the account using a fake social security number, and even gets the rep to set up a new password, effectively blocking Kevin out of his own account.

Kevin looks on helplessly, impressed but also … well, horrified.

“Thank you so much for your help today,” Jessica says. She’s a regular ray of sunshine.

Kevin’s now covering his face with his hands, in total disbelief. Jessica hangs up and what Kevin says next couldn’t be more apt:

“Holy s—t!”

Something Phishy’s Going On…

What Jessica pulled off is an example of “vishing,” which stands for “voice phishing.” Phishing is an example of social engineering and it’s one of the most common cyberattacks. Phishing attacks target individuals and organizations with deceptive messages that appear to come from trusted sources. The aim is to get the recipients to click on harmful links, download infected files, or share sensitive data.

You’ve likely encountered a phishing scam yourself. After all, an estimated 3.4 billion spam emails are sent daily, and CEOs receive an average of 57 phishing emails per year.

Cybercriminals are constantly making phishing attempts, trying to trick people into doing things they shouldn’t – like share someone’s email over the phone without verifying the identity of the person calling.

Inevitably, some of these attempts are successful—and that’s putting things mildly: in 2022, a hard-to-believe 84% of organizations in the U.S. fell for a phishing scam.

What’s going on? Why is phishing so effective? How have things gotten so bad?!

Technology is part of the problem, sure. Our technologies aren’t foolproof and everything is hackable. Moreover, traditional signs of legitimacy aren’t entirely reliable. For example, you might have learned to only trust websites with an SSL certificate, which displays as a closed lock icon in your address bar, and “https” instead of “http” before the URL. But a study from 2020 found that 84% of phishing sites have SSL certificates. Yikes.

This is just one example of how good threat actors have gotten at appearing legitimate. We’re not living in the good ol’ days anymore, where ‘Nigerian princes’ would email you with lucrative propositions. Modern scams are highly sophisticated and can be incredibly difficult to spot.

But the primary reason why phishing is so effective doesn’t have to do with technology and its various imperfections. It has to do with us, and our oh-so-hackable brains.

Mind Games

Why did Jessica’s vishing attempt work so well?

She didn’t deploy any cleverly crafted code. She didn’t even touch her keyboard. Her method relied on psychological manipulation, not technological prowess.

It started before Kevin entered the room. Apparently, Jessica and her team put together a 13-page dossier on Roose, which included personal information gleaned from his social media accounts and other online sources. That’s how she knew he was married.

Do hackers really do this? Research individuals like this?

Yes – it’s creepy, it’s unfortunate, but it’s true. Take the recent MGM breach which cost the casino giant $100M. It started with a 10-minute phone call, not unlike the one made by Jessica. The threat actor found an MGM employee on LinkedIn and called the company’s IT help desk pretending to be that person. We can assume they were convincing, charming, polite – just like Jessica.

Jessica’s manipulation continued after the customer service rep answered the phone. She laughed – a lot – and in a self-deprecating way that surely put the service rep at ease. Thanks to “mirror neurons,” hearing Jessica’s laughter likely produced a similar feeling in the rep – perhaps they laughed too. And what does laughter do? Activates pleasure and reward centers in our brain. Lowers stress hormones like cortisol. Facilitates social bonding.

In short, Jessica’s laughter got the rep ‘on her side’ – and not within minutes, but mere seconds.

And let’s talk about the crying baby noises Jessica played. The soundtrack served multiple purposes. It provided a distraction, potentially interfering with the customer service rep’s ability to think deliberately and carefully about the situation. It also likely elicited sympathy and concern from the rep, since we’re hard-wired to respond emotionally to the sound of a baby crying. When we hear a baby’s wails, our brains light up with activity associated with emotional processing and the fight-or-flight response.

Jessica didn’t need to hack the IT infrastructure of Kevin’s phone provider to get his email. She probably could’ve done that, given her skill set, but instead, she chose a much simpler and easier route: hacking the brain of an employee.

What You Can Do

OK, so hackers are really good at manipulating our emotions and psychology to get us to do things we shouldn’t. Hopefully that’s crystal clear by now. But what’s the ultimate takeaway here? That no matter how much cybersecurity we implement, we’re still screwed because of our primitive monkey brains?

No way! We can’t get rid of our human nature, but we can train ourselves and our employees to be more resistant to getting phished.

Perhaps the single most effective strategy you can enlist to prevent you and your employees from getting ‘brain-breached’ is shifting from a subjective to an objective mindset.

As human beings, we rely heavily on intuition, but when it comes to cybersecurity, ‘trusting our gut’ can lead us wildly astray, especially given the fact that hackers deliberately craft their phishing attempts to pass ‘the intuition test.’ Think about it: intuitively, Jessica’s phone call seemed totally legitimate. But it wasn’t.

Bottom line: Phishing scams – at least the ones that work – won’t appear ‘phishy’ (sorry, couldn’t resist). So instead of relying on your intuition to sniff out phishing, use objective clues:

Look for Urgency

Is the message you received trying to create a feeling of urgency? Jessica told the customer service rep that her husband told her to “get this done by today.” Intuitively, that’s a busy mom trying to help her family out. But objectively, it’s a huge red flag.

Actionable Tip: If a message (email, text, phone call, etc.) seems aimed at creating a feeling of urgency, go against your natural inclination to rush and SLOW WAY DOWN. Don’t click, don’t comply, don’t do anything until you’ve had time to truly assess the legitimacy of the message’s source.

Look for Authority

Does the message you received appear to come from an authority figure – your boss, your company’s CEO, a government official, a law enforcement officer? We are hard-wired to obey authority, and threat actors use this against us by posing as people with power. Ironically, if it looks like a message comes from an authority figure, assume it DOESN’T until you can be sure that it does.

Actionable Tip: Verify the sender’s identity independently before taking any actions in response to messages that seem to come from authoritative figures. Contact the organization directly using trusted contact information to confirm the request’s legitimacy.

Look for Links, Attachments, and Information Requests

This is straightforward: if you receive a message containing hyperlinks, downloadable attachments, or requests for your personal information, automatically flag it as suspicious. It doesn’t matter how legitimate it looks, whether it appears to come from a trusted source, or anything else. If it’s got links, attachments, or requests, there’s a decent chance it’s a phishing attempt.

Actionable Tip: To help remember these three specific objective clues, learn this acronym: LInks. Attachments. Requests. What do the capitalized letters spell out?

LIAR. That’s because if a message contains links, attachments, or requests, assume it’s coming from a LIAR until proven otherwise.
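Here is what the three objective clues look like when written down as a triage rule rather than left to intuition. This is an added example, not code from the post or from Social Engineer, Inc.; the phrase lists, the Message class, and the three sample messages (a vishing pretext like Jessica’s, a phishing email, and a harmless notice) are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Illustrative phrase lists for the clues described in the post (urgency,
# authority, and links/attachments/requests). These are assumptions for the
# example, not an exhaustive phishing vocabulary.
URGENCY = [
    r"\burgent(ly)?\b", r"\bimmediately\b", r"\bright away\b", r"\bact now\b",
    r"\bby (today|tonight|end of (the )?day|eod)\b",
    r"\bwithin \d+ (hours?|minutes?)\b",
]
AUTHORITY = [
    r"\b(ceo|cfo|president|director|your manager)\b",
    r"\b(irs|police|law enforcement|government|federal)\b",
    r"\bon behalf of\b",
]
REQUESTS = [
    r"\b(password|passcode|social security|ssn|account number|credit card)\b",
    r"\b(verify|confirm|update) your (identity|account|details|email)\b",
    r"\bwhich email\b", r"\breset (my|the) password\b",
]
LINK = re.compile(r"https?://\S+|\bwww\.\S+", re.I)


@dataclass
class Message:
    """Constructed representation of an email, text, or call transcript."""
    sender: str
    text: str
    attachments: List[str] = field(default_factory=list)


def _any(patterns: List[str], text: str) -> bool:
    return any(re.search(p, text, re.I) for p in patterns)


def triage(msg: Message) -> Dict[str, bool]:
    """Return which objective clues fire for a message.

    Any clue means: slow down and verify the sender through an independent,
    trusted channel before clicking, replying, or complying.
    """
    clues = {
        "urgency": _any(URGENCY, msg.text),
        "authority": _any(AUTHORITY, msg.text),
        "links": bool(LINK.search(msg.text)),
        "attachments": bool(msg.attachments),
        "requests": _any(REQUESTS, msg.text),
    }
    clues["verify_before_acting"] = any(clues.values())
    # The LIAR rule from the post: links, attachments or requests on their
    # own are enough to treat the message as untrusted until proven otherwise.
    clues["liar"] = clues["links"] or clues["attachments"] or clues["requests"]
    return clues


# Constructed samples: a vishing pretext like the one in the post, a phishing
# email with a link and an attachment, and a benign internal notice.
SAMPLES = {
    "vishing": Message(
        sender="+1-555-0100 (caller ID spoofed)",
        text="Hi! Sorry, busy mom here. My husband told me to get this done by "
             "today and I forgot which email we used on the account. Could you "
             "read it to me?"),
    "phish": Message(
        sender="ceo@example-corp-payroll.test",
        text="This is your CEO. Act now and confirm your account at "
             "http://payroll.example.test/login before payroll closes within "
             "2 hours.",
        attachments=["invoice.pdf.exe"]),
    "benign": Message(
        sender="facilities@example.test",
        text="The cafeteria will serve tacos on Thursday. No action needed."),
}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        fired = [k for k, v in triage(msg).items() if v]
        print(f"{name:8s} -> {', '.join(fired) or 'no clues'}")
```

Note that the vishing sample trips both the urgency clue (“by today”) and the request clue (“which email”) even though nothing about it sounds hostile, which is exactly the point of using objective clues instead of tone.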


Finally, use MFA (multi-factor authentication) as an added layer of security. Don’t know what that is? Check out this blog post for an overview.

If a cyber thief obtains your email password through an ingenious phishing scam, MFA will serve as a safeguard, requiring an additional verification step to access your account. We of course recommend our ID 20/20 software, but whatever you do, don’t rely solely on a single authentication method to protect your accounts.
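To show concretely why a phished password is not enough once MFA is in place, here is an added example (not code from the post or from ID 20/20) of a login check that requires both a password and a time-based one-time code. The user record, the static salt, and the login function are constructed assumptions; the TOTP routine follows RFC 6238 with HMAC-SHA1, and the seed is the RFC’s published reference seed so the output can be checked against its test vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted password hash via PBKDF2-HMAC-SHA256 (constructed for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store. A real system would use a random per-user salt
# (e.g. os.urandom(16)) and provision the TOTP seed to the user's
# authenticator app exactly once during enrolment.
_SALT = b"constructed-static-salt"
USERS = {
    "kevin": {
        "pw_hash": _hash_password("correct horse battery staple", _SALT),
        # RFC 6238 reference seed, used so the codes match the RFC's vectors.
        "totp_seed": b"12345678901234567890",
    }
}


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current 30-second counter."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def login(user: str, password: str, code: Optional[str],
          now: Optional[int] = None) -> bool:
    """Succeed only if the password AND a valid second factor are presented."""
    now = int(time.time()) if now is None else now
    rec = USERS.get(user)
    if rec is None:
        return False
    if not hmac.compare_digest(rec["pw_hash"], _hash_password(password, _SALT)):
        return False
    if code is None:
        return False  # a stolen password alone never gets in
    # Accept the current step and its immediate neighbours for clock drift.
    expected = {totp(rec["totp_seed"], now + d * 30) for d in (-1, 0, 1)}
    return any(hmac.compare_digest(code, e) for e in expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    # An attacker who phished the password but has no authenticator:
    print("password only:", login("kevin", pw, None, now=59))
    # The legitimate user, with the code from their authenticator app:
    print("password + code:", login("kevin", pw, totp(b"12345678901234567890", 59), now=59))
```

The second factor only helps if the code is never typed into a page or read out to a caller, so the same LIAR rule applies to any message asking for it.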


Now, pat yourself on the back because you’ve just read an article that could save your livelihood. This is no exaggeration. The single biggest weakness in cybersecurity is people – and more specifically, our brains. But when you know how cybercriminals use our brains against us, you can know what to look out for.

Thanks for reading – and look out for our upcoming and final blog post in this series, as we continue to share insights and advice in honor of Cybersecurity Awareness Month.

Stay safe out there, everyone!