Don't think that we’re encouraging upstanding marketers to take up phishing. That sort of criminal activity is “extremely dishonorable,” as the late Damon Runyon would say.
But there may be some lessons for legitimate business people in the top phishing tactics. These are explored in a new study written by Carnegie Mellon University's Prashanth Rajivan and Cleotilde Gonzalez, funded by the Army Research Laboratory and published in Frontiers in Psychology.
Start with a sense of urgency. In studying groups of pretend authors and recipients, the authors were surprised to find that “communicating failure -- such as fake emails communicating failed password attempts -- was one of the most successful phishing tactics which demonstrates how susceptible we may be when it comes to avoiding personal losses," Rajivan states.
On the other hand, offers of deals and illegal materials and using a positive tone were less effective.
The most successful strategies -- those most likely to drive a response -- are as follows:
Sent notifications would likely to communicate failure in an effort to stimulate loss aversion. “People may be more averse to accept failure and more willing to take actions on emails that involve possible losses,” Rajivan and Gonzalez write.
In addition, “phishing emails that use friendly- and authoritative-tone, may evoke peoples' inherent tendency to trust emails with such rhetoric,” they continue. On the other hand, “emails that involve unsolicited deals and sale of illegal materials may be ineffective given the familiarity of participants to these type of emails.”
What’s more, “people may be less receptive to strategies known to be associated with scams which were effective a decade ago.”
The research also took a look at how phishing artists think (or at least those pretending to be criminals in exercises conducted for this study).
The best results occur when these creatives use the same subset of strategies in multiple attempts. Those who wandered the field are less successful. The reason?“ It is possible that too much exploration with different kinds (of) strategies could be inhibiting individual's ability to repeatedly improve the email text such that it reflects the strategy effectively,” the authors write.
That said, “phishing effort is largely determined by individual creativity of the attacker as well as by the incentive structure.
Here’s one more insight, in case you were wondering: creative individuals “have higher ability to self-justify their dishonest actions.”