Hackers want you to be happy. People in a good mood are easier to trick, research says

A study from the University of Florida looks at the psychology of phishing emails and when you’re most likely to click on that link.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read

The study, presented by researchers from Google and the University of Florida, found that hackers used psychological tricks to get people to click on malicious links.

Angela Lang/CNET

Being in a bad mood can have its benefits. Like keeping you safe from hackers.

Researchers at the University of Florida and Google studied the psychology around phishing emails and how hackers take advantage of human nature to tempt people into clicking on malicious links.

UF Professor Daniela Oliveira, who led the study along with Dr. Natalie Ebner, presented the research at the Black Hat cybersecurity conference in Las Vegas on Wednesday. Oliveira was joined by Elie Burszstein, who leads Google's anti-abuse research team.

Phishing attacks are an online scourge in which hackers pose as legitimate institutions in the hopes of getting personal information, such as passwords. Phishing, which usually occurs via email, is the leading cause of data breaches, according to an annual report by Verizon. Google blocks about 100 million phishing emails every day, Burszstein said.

Phishing campaigns change quickly. Some morph in as little as seven minutes, he said.

"Attackers keep changing and updating their designs to make them more efficient," Burszstein said. "They quickly adapt and keep the number of targeted users low. This makes it really hard to detect."

Phishing has become so sophisticated that most people are susceptible to attack unless they have multi-factor authentication enabled. Though phishing attacks are easily detectable, they're also effective. As Amazon chief technology officer Werner Vogels said at the Amazon Web Services Summit, "there's always that idiot that will click the link."

Oliveira's study suggests that you aren't an idiot if you click on a phishing link. You're just human.

Over the course of the three-week experiment, 158 participants, who were told they were participating in research about how people use the internet, would get a phishing email once a day. Researchers would track whether they clicked it. The emails were based on real phishing campaigns that Google had detected.

Phishing emails are crafted to exploit human nature. They rely on people making quick decisions without thinking, almost as if clicking on the link were a reflex and not a cognitive decision, she found.

"We are susceptible to phishing because it tricks the way our brain makes decisions," Oliveira said.

When it comes to decision-making, our brains can work in two ways, the researcher said, referencing the dual process theory. Your brain works automatically for daily activities, like brushing your teeth. Big decisions, like buying a house, take a lot of deliberation and thought.

Clicking on email links falls into the former camp, and hackers rely on that fast decision-making to phish victims, she noted.

It doesn't help that roughly half of the internet users that Google surveyed in the US, the UK and Australia don't know what phishing is, Burszstein said.

That means Google faces an uphill battle to prevent phishing attacks. The tech giant plans an awareness campaign.

Luckily, we all have psychological protection that works in the background. Oliveira said that people with high levels of stress are better at detecting deception like phishing emails, and more skeptical of online scams. It's why some phishing campaigns use psychological triggers to get people in a good mood, she said.

"Nobody is telling anybody to be in a bad mood and stressed out all the time," Oliveira said. "Just keep in mind that when you are in a good mood, your guard is down."