How Phishing Exploits Human Behaviour

Phishing is the most common cyber attack vector — not because technology fails, but because humans are predictable. Understand the psychology behind phishing and how to resist it.

Published 18 April 2026

Phishing remains the most prevalent initial access vector in cyber attacks, not because technical defences are absent, but because attackers have learned to exploit predictable human psychology with remarkable precision.

The Six Principles of Influence

Robert Cialdini's six principles of influence — reciprocity, commitment, social proof, authority, liking, and scarcity — are the psychological levers that phishing attacks pull.

Authority: "This is your CEO. Transfer the funds immediately." Emails appearing to come from executives, regulators, or IT departments trigger compliance instincts.

Urgency and scarcity: "Your account will be suspended in 24 hours." Time pressure short-circuits careful thinking.

Social proof: "Your colleagues have already updated their credentials." Normalising the action reduces resistance.

Fear: Threat of consequences — account closure, legal action, security breach — overrides rational evaluation.

Spear Phishing

Generic phishing casts a wide net. Spear phishing is targeted — attackers research their victim on LinkedIn, company websites, and social media to craft a highly personalised and convincing message. These attacks are significantly more effective and harder to detect.

Defending Against Phishing

  • Slow down before clicking any link or opening any attachment.
  • Verify unexpected requests through a separate, trusted channel (call the person directly).
  • Check the sender's actual email address, not just the display name.
  • Report suspicious emails — do not just delete them.
  • Participate in phishing simulation training to build recognition skills.
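
The sender check from the list above can be automated. The following is an added example, not part of the original article: it compares the display name a mail client shows with the address and Reply-To actually present in the headers. ORG_DOMAIN, PROTECTED_NAMES and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's mail domain and the
# names an attacker would impersonate to pull the "authority" lever.
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe", "it helpdesk"}
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample messages (not real mail).
SPOOFED = (
    'From: "Jane Doe" <jane.doe@examp1e-mail.test>\n'
    "Reply-To: payments@collect.test\n"
    "Subject: Transfer the funds immediately\n\nPlease act now.\n"
)
GENUINE = 'From: "Jane Doe" <jane.doe@example.com>\nSubject: Lunch\n\nHi\n'
EMBEDDED = 'From: "ceo@example.com" <x1@mailer.test>\nSubject: Hi\n\nHi\n'


def domain_of(address):
    """Return the lower-cased domain of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def sender_findings(raw_message):
    """List mismatches between the displayed sender and the real headers."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    findings = []
    # 1. The display name itself shows an address from another domain.
    embedded = EMBEDDED_ADDR.search(display)
    if embedded and embedded.group(1).lower() != from_domain:
        findings.append("display name embeds a different address")
    # 2. A protected internal name is used with an external address.
    if display.strip().lower() in PROTECTED_NAMES and from_domain != ORG_DOMAIN:
        findings.append("protected name used from external domain")
    # 3. Replies would go to a different domain than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("Reply-To domain differs from From domain")
    return findings


if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("genuine", GENUINE)]:
        print(name, sender_findings(raw))
```

An empty result only means these three header checks passed; it does not show that the message is legitimate.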
