DEV Community


📨 Why Phishing Attacks Work

🔐 Phishing is the most common cyberattack vector today, and yet people still fall for it. We look at the causes and possible solutions.

Phishing is a type of social engineering attack, generally delivered by email, with the intent of stealing the target’s login credentials and other sensitive data, such as credit card information or ID scans, to steal their identity.

A noteworthy trait of phishing is the element of surprise: these emails arrive when the victim doesn’t expect them. Criminals can time emails so victims will receive them when distracted by something else, such as work. It’s impossible to be focused on being productive and attentive to suspicious emails all the time, and fraudsters know it.

The emails are crafted so as not to snap the victim out of autopilot, so that they comply with the fraudsters’ requests without thinking. They may impersonate someone, often entities or colleagues trusted by the victim, and exploit biases we all have as humans to increase the likelihood of compliance.


In my last article, I wrote about how U2F security keys work and how they secure people against phishing. Now, why do we need U2F keys to prevent phishing attacks, to begin with? Do people still fall for the Nigerian prince scam?

According to the 2020 edition of the FBI Annual Internet Crime Report, phishing attacks were by far the most common attack, representing 32.35% of all cyberattacks last year, with 241,342 occurrences registered. This figure increased more than tenfold in the last five years, up from 19,465 in 2015.

Despite improvements made to email filters throughout the years — Google filters out 100 million spam emails per day for Gmail users — phishing attacks are still popular for two reasons:

  1. They don’t require deep expertise to pull off: crafting a convincing email and putting up a fake website is enough, and
  2. They scale easily, which makes them far more time-efficient than, for example, trying to break into a server.

It’s frequently said that humans are the weak link in security, and phishing is no exception. For example, fraudsters capitalized with great success on people’s fear during last year’s COVID-19 pandemic.

The 0.1% of phishing emails that get past email filters is still enough to be extremely profitable for scammers, and enough of an incentive for them to send even more, which means users should be even more careful in the coming years.
