Take 5 minutes to think about a message before you respond!

Modern scammers prey upon your anxiety and depend upon your instant reaction. They want you to be worried about what will happen if you don’t respond immediately...Will you be reprimanded? Will you lose your job? Will someone else lose out? Sometimes they ask for an additional means of communication to isolate you from the safety of the WPI herd. The 6 Principles of Persuasion below detail their tactics and show them at work in real phishing samples.

Recent examples we’ve seen at WPI in varied media include:

  • Twitter bitcoin scam using celebrity accounts to promise victims a 100% return on their investments.
  • CEO Fraud, where an email appears to be from an administrator or supervisor, and asks you to send money or purchase gift cards (See Related Article, Email Fraud VIP Impersonation Warning.)

This is where you take 5 minutes to defuse your reaction, take yourself out of "fight or flight" mode, and look at the message logically.

  1. When was the last time you had a job duty that required you to respond with finances or a purchase within a very short time frame?
  2. Have you asked anyone else about this? Contact a co-worker or the supposed sender (not by forwarding or replying to the original message in question). Use a different channel to reach them: if you received an email, give them a phone call or speak in person.
  3. Does this appear to have been sent from a WPI account, but [EXT] starts the Subject line? That indicates it originated outside of WPI. (See Related Article, External Email Subject Marker.)
  4. Have you checked with WPI IT? Suspicious emails can be forwarded to phishing@wpi.edu to be evaluated by the Information Security team. (See Related Article, Report Phishing.)

We are not in an emergency room! It is OK to spend a few minutes assessing the email situation prior to responding. You can read more from takefive-stopfraud.org in Actions.

  • 6 Principles of Persuasion

    The factors that influence decisions are the same whether they are used ethically for good purposes or criminally by scammers. Influence at Work - Principles of Persuasion (Actions) provides thorough explanations for each.

    1. Reciprocity - we want to give back
    2. Scarcity - we don't want to miss out
    3. Authority - we pay more attention to those we consider credible and experienced
    4. Consistency - we are more willing to commit to something similar to what we've done before
    5. Liking - we like commonalities and compliments
    6. Consensus - we care what others think and do

    How does this translate to phishing attempts?

    The Twitter phish mentioned above depends upon scarcity. You can get your share of the money, as long as you act quickly before it runs out!

    Twitter quote "I'll double any... payment sent... for the next hour."

    Authority is the key ingredient for CEO Fraud emails. 

    CEO Fraud Email Example
    1. The sender's actual address is not @wpi.edu
    2. [EXT] in the subject means the email was sent from outside WPI
    3. The real WPI email address appears within the signature to distract you from the actual sender's non-WPI address above
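    As an added illustration, not part of the original article or of any WPI tooling, the Python script below turns the three indicators just listed, plus the urgency and gift-card language described at the top of the page, into checks that run over constructed sample messages. The domain wpi.edu, the [EXT] marker, the keyword list and the sample emails are all assumptions made for the example. It also covers one related trick the example above does not show: a display name that is itself a wpi.edu address placed in front of an outside address.

```python
"""Heuristic checks for the CEO-fraud indicators described in the article.

Added example, not WPI code. ORG_DOMAIN, EXT_MARKER, URGENCY_TERMS and the
sample messages are assumptions/constructed inputs. A real mail pipeline
should combine checks like these with SPF/DKIM/DMARC results rather than
rely on them alone; here they simply make the article's indicators concrete.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "wpi.edu"    # assumption: the organisation's own mail domain
EXT_MARKER = "[EXT]"      # assumption: the gateway's external-mail subject tag
# Assumption: a small starter list of the pressure/payment phrases the
# article describes (scarcity, authority, "act now", gift cards).
URGENCY_TERMS = ("gift card", "immediately", "right away", "urgent",
                 "are you available", "wire transfer", "confidential")
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _plain_text(msg) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "".join(part.get_payload() for part in msg.walk()
                   if part.get_content_type() == "text/plain")


def check_message(raw: str) -> list[str]:
    """Return the indicator names that fire for one RFC 822 message, in a fixed order."""
    msg = message_from_string(raw)
    findings: list[str] = []

    display_name, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    subject = msg.get("Subject", "")
    body = _plain_text(msg).lower()

    # 1. The address a reply would actually go to is not on our domain.
    if sender_domain != ORG_DOMAIN:
        findings.append("sender_not_org_domain")

    # 2. The gateway tagged the subject as originating outside the organisation.
    if subject.lstrip().startswith(EXT_MARKER):
        findings.append("external_subject_marker")

    # 3. Related trick: the display name is itself an org address, e.g.
    #    From: "president@wpi.edu" <someone@example.com>.
    if (any(a.endswith("@" + ORG_DOMAIN) for a in ADDR_RE.findall(display_name.lower()))
            and sender_domain != ORG_DOMAIN):
        findings.append("org_address_in_display_name")

    # 4. A genuine org address appears in the body/signature but is not the sender.
    body_addrs = set(ADDR_RE.findall(body))
    if any(a.endswith("@" + ORG_DOMAIN) and a != sender for a in body_addrs):
        findings.append("org_address_in_signature")

    # 5. Pressure or payment language in the subject or body.
    text = (subject + "\n" + body).lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgency_or_payment_language")

    return findings


# Constructed samples (not real messages). Names and addresses are invented.
CEO_FRAUD_SAMPLE = """\
From: "Pat Morgan" <pat.morgan.office@gmail.com>
To: staff-member@wpi.edu
Subject: [EXT] Quick task, are you at your desk?
Content-Type: text/plain; charset="utf-8"

I need you to pick up some gift cards for a vendor and reply to this email
with the codes. Please handle this now and keep it confidential.

Pat Morgan
President
pmorgan@wpi.edu
"""

DISPLAY_NAME_SAMPLE = """\
From: "pmorgan@wpi.edu" <pres.office.desk@example.com>
To: staff-member@wpi.edu
Subject: [EXT] Call me
Content-Type: text/plain; charset="utf-8"

Are you available? Call me immediately on the number below.
"""

BENIGN_SAMPLE = """\
From: "Alan Turing" <aturing@wpi.edu>
To: staff-member@wpi.edu
Subject: Lunch next week
Content-Type: text/plain; charset="utf-8"

Want to grab lunch on Tuesday?

Alan
aturing@wpi.edu
"""

if __name__ == "__main__":
    for label, sample in (("CEO fraud", CEO_FRAUD_SAMPLE),
                          ("display-name trick", DISPLAY_NAME_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        print(f"{label}: {check_message(sample) or 'no indicators'}")
```

    Note that the benign message also contains a wpi.edu address in its signature; indicator 4 stays quiet because that address is the same as the real sender, which is exactly the difference the article's example hinges on.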

    These phishing attacks are not technical; they use social engineering to achieve the attacker's goal. Unlike bulk phishing, the impersonation emails used in CEO fraud (also called Business Email Compromise) rarely trip spam filters: they are sent in small numbers to chosen targets rather than mass emailed, and they often contain nothing but plain text, so there is no malicious link or attachment for a filter to catch.