Why do we fall for phishing attacks?
20th June 2025
In a recent report, 92% of businesses* admitted to falling victim to phishing attacks. How can you and your colleagues ensure that you won’t be manipulated?
Although phishing attacks rely on advanced technology to convince you to hand over your credentials, they work because of social engineering. By manipulating people, bad actors can convince victims to give out details that, in normal circumstances, they would know not to share.
So, why does it work? We unpack the psychology behind the methods utilised in phishing and make suggestions that may help you to be aware of how you are being manipulated and how to counteract it:
Urgency: a lot of phishing attempts will have deadlines on them to encourage victims to act quickly, and, importantly, not to think about the information they are handing over.
Authority: if we see an email that appears to be from an authority figure – e.g. government personnel or high-level employees within a company – we are more likely to respond to it without properly considering the action, as we fear significant consequences if we don’t.
Reciprocity principle: if a scam email says “log in to claim a free gift card” or something like that, we are more likely to respond because we feel like the sender has done us a favour, so we should repay it.
Scarcity effect: another offer incentive, and a tactic that uses greed rather than fear to manipulate people. Lines like “only a few places remain for this exclusive offer” are designed to make us want a thing more because there is less of it available.
Social proof: if you are told in a phishing email that somebody else you know has already submitted a form, you are more likely to trust the sender if you trust the name mentioned.
All these methods rely on manipulating your sense of fear, urgency or curiosity: don’t fall for it! Remember to always stop, go over our checklist for spotting phishing attempts and consult with your IT provider before you click on anything suspicious.
If you’d like any advice on preventing phishing attacks, please contact Interfuture Systems.