It’s easy to mock horror writers for continually going back to the same tropes, and easier still to say that no one in the real world would do these things. But at IT Governance, we know that fear can do strange things to people – just look at how many people fall for phishing scams. Once you dissect a phishing email, you can see clearly that it’s a scam, but in the heat of the moment, it’s not so easy.
So when you’re next watching a horror film, don’t dismiss the characters as stupid unless you’re sure that no one in the room is among the many people who are tricked by phishing scams every year. After all, cybercriminals aren’t all that different from cinematic serial killers.
Don’t believe us?
Psycho’s Marion Crane really should’ve realized that Norman Bates was a psycho, given that he talked strangely, acted strangely and lived in a big, creepy house that was miles from anywhere, had peepholes into the bathroom and was full of stuffed animals.
But by that same reasoning, everyone should immediately see that there’s something suspicious about emails that are addressed to “Loyal customer”, are full of spelling mistakes and ask you to click a strange link.
Clearly, that isn’t the case, as phishing scams are more prominent now than ever. There are a number of reasons people ignore suspicious behaviour, but it mostly comes down to feeling under pressure. Given enough time to think about it, the victim would see that it was a trap, but Internet users tend to be in a hurry and are click-happy.
There are two ways that killers and phishers appear: the first is the ‘cattle prod cinema’ of jump scares, loud bangs and sudden reveals.
You might find yourself going about your day when, all of a sudden – ping! – an email from your bank telling you your account has been frozen arrives. You’ve been caught completely off-guard and hurriedly click the link before you realise that it was a cheap, cynical trick.
Then there’s the other way they appear: as a result of the heroes’ curiosity. The criminals lay their bait, which is either a phishing email or, say, a book of incantations that will release an army of the undead if you read it aloud, and wait for someone to stumble upon it.
In both scenarios, the soon-to-be victim knows immediately that there’s something strange going on. But even though they realize that the bait could lead to something terrible happening, there’s also a chance that everything will be fine. Maybe they really have won an iPhone.
Inevitably, they were right the first time. If only they’d deleted the email, closed the book and forgotten all about it, they wouldn’t have brought all this damage upon themselves.
Finding out that the people you know and trust have been replaced by imposters is a terrifying idea, and it’s rightly become a trope of horror films.
But while we wait for Invasion of the Whaling Emails, many people live that film every day. In a typical example, an employee will get an email from someone they believe to be their boss, telling them to send over important work documents. What’s actually happened is that a cybercriminal has gained access to the boss’s email account and is trying to misappropriate sensitive information.
The employee might realize that the request is unusual, but chooses to comply with it in case it turns out to be a genuine request. If they didn’t send over those documents and wound up responsible for the organization losing an important contract or missing a deadline, they’d be in serious trouble.
This is what makes imposters so scary: they usually don’t fool people completely. Rather, they make their victims doubt that anyone could pull off such a stunt, and doubt themselves for being the only one who seems to notice it.
In horror films, the wild conspiracy theorist is lucky if they’re not thrown in prison or a mental institution, but they’re always proven right. People who suspect they are being targeted by a whaling email won’t necessarily be right, but they should definitely contact the supposed sender (through a separate channel, not by replying to the email itself) and ask whether the request is legitimate.
If Drew Barrymore hadn’t been killed and hung from a tree at the beginning of Scream, she probably wouldn’t have listened to manipulative phone callers again.
Telephone phishing (vishing) is less common than email phishing, partly because it can’t be performed in bulk, but its highly targeted nature can make it more persuasive. A sympathetic voice over the phone is more intimate than an email message, and the scammer can create a much greater sense of urgency.
If long-running horror film franchises have shown us anything, it’s that the bad guys never go away for long. You just knew that when Freddy Krueger was blown up by a pipe bomb (in a film called The Final Nightmare, no less), the writers would find a way to bring him back.
And we should take the same attitude to the perennial phishing scams. Every year, countless people get emails that are supposedly from revenue services. The messages tell people that they’re entitled to a large tax refund, and all they need to do is click the link provided and fill in their tax information.