You have probably seen them pop up in your mailbox: those scam emails telling you to log in to your online banking account, or else… Research shows that phishing emails written in a commanding tone are more effective than those written in a more neutral tone.
This is borne out by research conducted by the University of Twente. Subjects were asked to assess a selection of emails and to say out loud what they noticed about the messages. They thought it was all part of marketing research. In reality, the researchers were particularly interested in the email features that the subjects mentioned when judging whether an email was reliable.
More test subjects clicked on a link in the email if the message was written in a commanding tone. They explained that “they felt” that the email seemed more reliable than an email that contained a neutral message. A compelling message even prompted some subjects to click away the splash screens warning them that the email was dangerous. They ignored a pop-up with the warning ‘beware!’
Earlier research had shown that people tend to pay less attention to the use of language in compelling emails than in more neutral emails and thus fail to notice any spelling errors or other red flags.
Gut feeling instead of proof
There are all kinds of technical features that can help recipients identify phishing emails. Examples are the email address the message was sent from and the links given in the message.
Yet many recipients of emails tend to use their gut feeling when assessing the reliability of these messages, says researcher Elmer Lastdrager. ‘They tend to resort to guesswork instead of looking for hard evidence’, says Lastdrager. ‘Take, for example, the compelling or threatening tone that is often found in phishing emails. That should arouse your suspicion immediately. No reliable organisation would ever communicate with its customers like that.’
Lastdrager is to defend his PhD on Friday, 9 February, with the thesis From Fishing to Phishing. In his research, he used emails sent to firstname.lastname@example.org.