Beyond the Code: A Systematic Review of Psychological Techniques in Phishing Attacks

By: RekaRius; Asia University

Abstract

Phishing attacks combine technological sophistication with human psychological manipulation techniques designed to deceive victims into complying with the attackers’ wishes. This study is grounded in a literature review that explores diverse cases of phishing attacks and the psychological manipulation techniques applied within them to mislead victims.

Keywords: Phishing Attack, Psychological Techniques

Introduction

Phishing is by nature a type of social engineering that exploits human vulnerabilities [4]. The most notable social engineering attacks rely heavily on human psychology. As such, understanding the subtleties of human cognition becomes as essential as mastering the intricacies of the digital realm. It is one thing to crack a code or bypass a firewall, but convincing a human mind to willingly give up information is a testament to the potency of psychology in the hands of a skilled manipulator [3]. Understanding the psychological techniques used in phishing is crucial, as these techniques form the core of phishing attacks by significantly enhancing the effectiveness of the deception [3]. This article presents a comprehensive analysis of the psychological techniques employed in social engineering.

Principles of Persuasion

The principles of persuasion are properties of the offender that can influence the target’s behavior, increasing the odds of compliance in the offender’s favor [1]. Following Cialdini [2], the principles are: reciprocity, scarcity, authority, commitment & consistency, liking, and conformity (social proof/unity). Table 1 presents Cialdini’s model of the principles of influence together with the definitions and interpretations of each principle.

| Principle | Definition and interpretation |
|---|---|
| Reciprocation | “The Old Give and Take . . . and Take” (p. 13). To appeal to one’s feeling of obligation to return favors from others. |
| Consistency | “Commitment and Consistency” (p. 43). To appeal to one’s behavioral consistency with prior commitments, decisions, and behaviors. |
| Social Proof | “Truths are Us” (p. 87). To appeal to people’s tendency to follow suit or to use the majority behavior as a benchmark or reference. |
| Liking | “The Friendly Thief . . . As a rule, we most prefer to say yes to the requests of someone we know and like” (p. 126). |
| Authority | “Directed Deference” (p. 157). To appeal to the human and social tendency to obey people in authoritative positions, with implied penalty for disobedience. |
| Scarcity | “The Rule of the Few” (p. 178). To appeal to one’s tendency to assign more value to things and opportunities with limited availability, urgency, and possible loss for missing out. |

Table 1: Cialdini’s principles of influence and their definitions.

Implementation of psychological techniques in real-life phishing attacks

This section is divided into two parts: a discussion of the psychological techniques identified in Research Paper 1, followed by the same for Research Paper 2.

Research Paper 1 (Suspicious minds: Psychological techniques correlated with online phishing attacks)

The authors of [3] performed an exhaustive search across established search engines (e.g., Google, Bing, DuckDuckGo) using targeted keywords such as “notable phishing attacks,” “phishing email attacks,” and “phishing incidents.” For each identified attack, they then determined which psychological techniques were employed. In 2016, Snapchat faced a phishing email attack that exploited the Authority technique. The target was an HR employee, and the attacker pretended to be the CEO (Authority), asking for employee payroll information.

In January 2022, the Department of Labor (DoL) faced a phishing campaign using the techniques Authority, Reciprocity and Scarcity. The attackers imitated the DoL (Authority) to send emails asking recipients to submit their bids on a government project (Reciprocity) in an urgent manner (Scarcity). After clicking the bid button, recipients were redirected to a fake Microsoft Office 365 email login page, which stole their credentials.

In 2019, an unnamed UK-based energy firm received a vishing attack (similar to phishing but conducted by phone) using the Authority technique. The CEO received a phone call from an individual who sounded exactly like his boss (Authority), the chief executive of the firm’s parent company. The audio was produced with deepfake technology, using AI to synthesise speech from existing recordings of the executive’s voice. The CEO was instructed to transfer 243 thousand dollars to a fraudulent account that was allegedly a Hungarian supplier.

In 2016, the aerospace parts manufacturer FACC faced a phishing attack using the Authority technique and suffered a loss of 42 million dollars: the attackers studied the CEO’s writing habits and impersonated his writing style (Authority) to request fund transfers from employees in the finance department. In 2015, the US-based tech company Ubiquiti Networks was defrauded of 46.7 million dollars through spear-phishing using the Authority technique. The perpetrators impersonated company executives (Authority) in order to trick employees into transferring funds to accounts they controlled.

Perhaps the most prominent and high-profile case of corporate fraud is the 100 million dollar Google and Facebook spear-phishing scam, which employed Authority, Reciprocity, and Commitment & Consistency, more specifically the Foot-in-the-door (FitD) approach. The scheme started in 2013 and went on for 2 years. The perpetrator set up a fake company with a name that resembled a known hardware supplier to Google and Facebook (Authority). Using forged email addresses that appeared to belong to this company, the attackers sent emails requesting payment for non-existent supplies and services (Reciprocity). This process was repeated for the duration of the attack (Commitment & Consistency, FitD). Table 2 highlights the techniques employed in each of the most notable phishing attacks.

| Phishing attack | Year | Psychological technique used |
|---|---|---|
| Snapchat Employee Data Leak | 2016 | Authority |
| DoL Email Impersonation | 2022 | Authority, Scarcity, Reciprocity |
| Deepfake CEO Fraud | 2019 | Authority |
| FACC CEO Impersonation | 2016 | Authority |
| Ubiquiti Networks Spear-Phishing | 2015 | Authority |
| Upsher-Smith Laboratories CEO Scam | 2014 | Authority |
| Google and Facebook Spear Phishing Scam | 2013–2015 | Authority; Commitment & Consistency (FitD); Reciprocity |

Table 2: Examples of phishing attacks and psychological techniques used.

Research Paper 2 (Psychological Tactics of Phishing Emails)

This research [4] uses the case study methodology to analyze selected phishing cases from the Phish Tank database published by the information security office of the University of California at Berkeley. The Phish Tank database collects and publishes examples of real-life phishing emails received at the Berkeley campus, dated from 2016 to 2023. The selected cases are real-life phishing emails from the Berkeley Phish Tank that involve different tactics or psychological principles to manipulate and persuade email users into becoming victims. The 10 phishing emails selected for the study span different years and cover various subjects of potential interest to users, ranging from offers of paid work to urgent requests for compliance. The case study approach uses Cialdini’s model of psychological principles of influence [2] to analyze each phishing email, identify its tactics, and map them to specific principles.

The phishing email of 2023 involves psychological tactics reflecting the principles of Liking, Authority, and Social Proof for influence and victimization. The tactic of using a named professor from the Department of Computer Science shows the principle of Liking to manipulate potential victims to say yes to someone known to the public. Using the official title, department, and the university in the signature reflects the principle of Authority to appeal to people’s obedience or deference to authority. This phishing email also repeatedly emphasizes the convenient feature of working virtually or remotely for this job offer, which reflects Cialdini’s principle of Social Proof as people are increasingly receptive to and prefer working virtually for convenience and health concerns after just going through the Covid-19 pandemic.

The phishing email of 2022 shows psychological tactics appealing to the principles of Reciprocation and Consistency. The emphasis on the successful renewal and update of the NORTON 360 TOTAL PROTECTION subscription is meant to highlight the service supposedly provided. The charged amount and the invoice details suggest a logical obligation to pay for the service provided, which is the principle of Reciprocation. The emphasis on an annual membership appeals to the principle of Consistency: sticking to regular behavior and to one’s commitment as a member.

The phishing email of 2021 demonstrates psychological tactics appealing to the principles of Reciprocation, Scarcity, and Authority. The Reciprocation principle is shown in the trade-off between the user’s need to be able to send and receive emails as an essential daily function and the perceived obligation to click the link to validate the user account. The phishing tactic also appeals to the principle of Scarcity by imposing the urgent deadline of “within 72 hours” for validating the account and the penalty of losing account access if the deadline is not followed. The phishing mail also uses “Mail Admin” in the signature as an additional tactic to appeal to the user’s trust and obedience to Authority.

The phishing email of 2020 reflects psychological tactics appealing to the principles of Reciprocation, Consistency, Authority, and Scarcity. Reciprocation is shown in the trade-off between the provided consultation service to answer your retirement benefit questions and your obligation to respond by clicking the link or reply to the email. The emphasis on the annual service “each year” is to appeal to Consistency for sticking to the regular commitment. The use of the well-known institution name of University of California, Berkeley is to appeal to Authority for credibility. The words “secure your spot by clicking the link below” are a tactic of Scarcity to suggest that the availability is limited and at risk and quick response is necessary to secure the opportunity for the service.

The phishing email of 2019 shows psychological tactics appealing to the principles of Reciprocation, Scarcity, Liking, and Authority. Reciprocation is the give and take between responding to the phishing email and getting the paid homework assistant position. Scarcity is shown in the urgency with which the position is advertised. The email’s appeal to Liking is evident from the description of the position as “flexible” and “requires little to no prior experience”, designed to be attractive to the maximum number of people. The detailed signature block with a named professor at the well-known institution appeals to Authority for credibility.

The short phishing email of 2018 reflects psychological tactics appealing to the principles of Liking and Authority. This phishing email creates the impression that it comes from someone familiar to the target to appeal to the Liking principle to get a positive response. The named sender (removed for publication) and the institution name in the signature block appeal to Authority for obedience.

The phishing email of 2017 demonstrates psychological tactics appealing to the principles of Reciprocation, Authority, and Scarcity. Reciprocation is the trade-off between getting continued access to your library account and the obligation to respond to this phishing email as directed. The contact name (removed for publication) and the institution name in the signature block appeal to Authority for credibility and obedience. The emphasis on your account “expiring soon” appeals to Scarcity for urgency with implied penalty for no response.

There are three phishing emails selected from the data collected for 2016 with different dates. All three emails include psychological tactics to appeal to Authority for credibility and obedience, including using the Chancellor position title, Bank of America, and Office of the Registrar in the signatures. In addition, the email of December 14, 2016 appeals to the principle of Liking as it emphasizes the specific individual of Chancellor Nicholas B. Dirks who is known to everyone in the institution. The phishing email of October 20, 2016 also appeals to the principles of Consistency and Reciprocation. Appeal to Consistency is shown in the email’s emphasis on irregular activity and temporary restriction versus the preferred regular and stable full access. Appeal to Reciprocation is the obligation to respond to this email in return for regaining full access to your account.
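As an added illustration that is not code from either paper, the following Python script encodes the cue-to-principle mapping used in the analysis above as a simple keyword tagger and runs it over two constructed emails modelled on the 2021 and 2022 cases. The cue phrases, the `tag_principles` and `risk_score` names, and the scoring rule are my assumptions, intended for awareness training or mail triage rather than as a production classifier.

```python
import re
from collections import defaultdict

# Cue phrases drawn from the tactics discussed above, grouped by Cialdini principle.
# Assumption: plain phrase matching is sufficient for triage and training purposes.
CUES = {
    "Authority": [r"\bmail admin\b", r"\bchancellor\b", r"\boffice of the registrar\b",
                  r"\bprofessor\b", r"\bceo\b", r"\bdepartment of\b"],
    "Scarcity": [r"\bwithin \d+ hours\b", r"\bexpir(?:e|es|ing) soon\b",
                 r"\bsecure your spot\b", r"\burgent(?:ly)?\b", r"\blose access\b"],
    "Reciprocation": [r"\binvoice\b", r"\bcharged\b", r"\bvalidate your account\b",
                      r"\bregain (?:full )?access\b"],
    "Consistency": [r"\brenewal\b", r"\bannual membership\b", r"\beach year\b",
                    r"\birregular activity\b"],
    "Liking": [r"\bflexible\b", r"\blittle to no (?:prior )?experience\b"],
    "Social Proof": [r"\bwork(?:ing)? (?:remotely|virtually)\b"],
}


def tag_principles(text):
    """Return {principle: [matched cue, ...]} for each principle whose cue appears in text."""
    hits = defaultdict(list)
    for principle, patterns in CUES.items():
        for pat in patterns:
            m = re.search(pat, text, re.IGNORECASE)
            if m:
                hits[principle].append(m.group(0))
    return dict(hits)


def risk_score(text):
    """Number of distinct principles stacked in one message; more stacking is a stronger signal."""
    return len(tag_principles(text))


# Constructed sample emails (not the Berkeley Phish Tank originals), modelled on the cases above.
SAMPLE_2021 = ("Your mailbox will be suspended. Validate your account within 72 hours "
               "or you will lose access. -- Mail Admin")
SAMPLE_2022 = ("Thank you for the renewal of your NORTON 360 TOTAL PROTECTION annual membership. "
               "Your card has been charged $349.99; see the attached invoice.")

if __name__ == "__main__":
    for label, mail in (("2021", SAMPLE_2021), ("2022", SAMPLE_2022)):
        print(label, risk_score(mail), tag_principles(mail))
```

Running the script tags the 2021-style sample with Authority, Scarcity and Reciprocation and the 2022-style sample with Consistency and Reciprocation, the same principles the analysis above assigns to those cases.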

Conclusion

This research demonstrates that phishing attacks combine technological sophistication with human psychological manipulation techniques designed to deceive victims into complying with the attackers’ wishes. Efforts to protect internet users from these attacks therefore cannot rely solely on technological measures. User education on the psychological factors exploited in phishing attacks is also necessary, so that users become more cautious.

References

  1. Jan-Willem Hendrik Bullée, Lorena Montoya, Wolter Pieters, Marianne Junger, and Pieter Hartel. On the anatomy of social engineering attacks: a literature-based dissection of successful attacks. Journal of Investigative Psychology and Offender Profiling, 15(1):20–45, 2018.
  2. Robert B. Cialdini. Influence: The Psychology of Persuasion, volume 55. Collins, New York, 2007.
  3. Ioannis Stylianou, Panagiotis Bountakas, Apostolis Zarras, and Christos Xenakis. Suspicious minds: Psychological techniques correlated with online phishing attacks. Computers in Human Behavior Reports, page 100694, 2025.
  4. Ping Wang and Peyton Lutchkus. Psychological tactics of phishing emails. Issues in Information Systems, 2023.
  5. B. B. Gupta, A. Gaurav, V. Arya, and W. Alhalabi. The evolution of intellectual property rights in metaverse based Industry 4.0 paradigms. International Entrepreneurship and Management Journal, 20(2):1111–1126, 2024.
  6. T. Zhang, Z. Zhang, K. Zhao, B. B. Gupta, and V. Arya. A lightweight cross-domain authentication protocol for trusted access to industrial internet. International Journal on Semantic Web and Information Systems (IJSWIS), 19(1):1–25, 2023.
  7. D. K. Jain, Y. G. M. Eyre, A. Kumar, B. B. Gupta, and K. Kotecha. Knowledge-based data processing for multilingual natural language analysis. ACM Transactions on Asian and Low-Resource Language Information Processing, 23(5):1–16, 2024.

Cite As

Rekarius (2025) Beyond the Code: A Systematic Review of Psychological Techniques in Phishing Attacks, Insights2Techinfo, pp.1
