Arrow back

The psychology of authority in phishing (and how to stop it)

14 March, 2024

You've heard the warnings: don't click suspicious links, be wary of urgent emails, and never share your password.

Yet, even the most tech-savvy individuals fall victim to phishing scams. Why?

It’s because phishers don't just rely on technical trickery; they exploit a powerful human instinct: our inherent trust in authority.

Imagine receiving an email from your CEO or bank demanding immediate action.

The pressure mounts and you might find yourself clicking a link or opening an attachment without thoroughly scrutinising it.

Our vulnerability to authority and time pressure is what phishers leverage to steal sensitive information and wreak havoc on organisations.

Phishing attacks are the most common cyber threat, costing businesses an estimated $23 billion globally in 2023.

But why are these seemingly obvious scams so successful? The answer lies in a powerful psychological phenomenon: the allure of authority.

This blog delves into the psychology behind phishing and the allure of authority. We'll explore real-world examples, examine the impact of these attacks, and ultimately discuss why cybersecurity awareness training is crucial for every organisation.

Let’s dig into it.

Everything you need to know about authority in phishing

The allure of authority

Phishers don't just throw random titles around. They meticulously craft their emails to mimic trusted sources, often impersonating:

  • Banks and financial institutions: "Your account has been flagged for suspicious activity. Click here to verify your details."
  • IT departments: "Important system update required. Click the link to avoid disruptions."
  • Government agencies: "Urgent tax notification. Download the attached document for further details."

Phishers exploit a cognitive bias called the "asymmetry of power" by masquerading as entities we're conditioned to trust.

We tend to perceive those in authority as having superior knowledge and expertise, making us more likely to comply with their requests, even if presented in an unusual manner.

This exploitation of trust isn't a new idea. In the infamous 1961 Milgram experiment, psychologist Stanley Milgram demonstrated how readily individuals comply with authority figures, even when instructed to administer supposedly harmful shocks to another person.

This experiment highlights the power of authority and its potential to override our moral compass in certain situations.

Furthermore, phishers leverage the power of social influence.

Humans are inherently social creatures, and seeing others succumb to authority figures (even a fabricated one in an email) can increase our own susceptibility.

Imagine receiving an email seemingly from your CEO or manager, urging immediate action. It's easy to see how even the most vigilant individuals might fall prey to such tactics.

The urgency factor

Phishing emails often employ urgency tactics to heighten the sense of fear and immediacy.

Phrases like "urgent action required," "account suspension risk," or "limited-time offer" create a sense of time pressure, bypassing our rational thinking and pushing us to click the malicious link or open the attachment.

This tactic exploits our natural mental shortcuts, where readily available information (like the urgency mentioned in the email) is more persuasive than seeking out additional evidence.

When authority and urgency combine

In a meta-analysis of Bob’s Phishing campaigns, we revealed that when phishing emails look like they’re from an internal source and threaten a danger, like those outlined above, phishing success rates can hit a 94% click rate.

It’s an astonishing reminder that no matter how aware of phishing threats we believe ourselves to be, the right combination of elements can bypass our internal defences.

Why cybersecurity awareness training is your ally

While the tactics may seem simple, the consequences of falling victim to a phishing attack can be devastating.

Data breaches, financial losses, and reputational damage are just some of the potential repercussions.

This is where cybersecurity awareness training steps in as your organisation's shield against these threats.

Here's how training empowers your employees:

  • Demystifying the tactics: Training equips employees with the knowledge to identify the red flags in phishing attempts. They learn to recognise suspicious sender addresses, generic greetings, poor grammar, and illogical urgency.
  • Empowering critical thinking: Training goes beyond just identifying red flags. It encourages employees to question everything, verify information with official sources, and avoid clicking suspicious links or opening attachments.
  • Building a culture of security: By creating a cybersecurity awareness culture within your organisation, you foster open communication, allowing employees to report suspicious emails and seek clarification when unsure. This collaborative approach strengthens your overall defence against cyber threats.

Remember, cybersecurity is a shared responsibility.

It's not just about the latest technology; it's about empowering your workforce to be the first line of defence.

By investing in cybersecurity awareness training, you equip your employees with the knowledge and skills to navigate the ever-evolving digital landscape safely.

Understanding the psychology behind phishing tactics, particularly the allure of authority and urgency, is crucial for proactively protecting your organisation.

By prioritising cybersecurity awareness training, you empower your employees to become active participants in keeping your valuable data and systems secure. Want to learn about our cybersecurity solutions that will actually engage your employees? Click here to find out more.

Back to resources

Ready to build your cybersecurity culture?

Whether you’re looking for complete culture change, phishing simulations or compliance training, we have solutions that are tailor-made to fit for your organisation.

Girl with laptop
Boy with laptop
man and woman with laptops
Global Cyber Alliance