How Phishing Attacks Trick Our Brains網(wǎng)絡(luò)釣魚如何欺騙大腦

帕特里克·豪厄爾·奧尼爾　陳偉濟

Why youre more of a sucker than you think. 為何你比自己想象的還容易受騙。

Its simple and effective： getting someone to click a malicious link in an email and enter private information such as a password is the most important skill in many hackers toolkits. Phishing1 is the most common form of cyberattack and still growing.

And the reason its so effective， according to research being done at Google and the University of Florida， is that it takes advantage of how the human brain works—and， crucially， how people fail to detect deception， depending on factors like emotional intelligence， cognitive motivation， mood， hormones， and even the victims personality.

“We are all susceptible to phishing because phishing tricks the way our brain makes decisions，” Daniela Oliveira， an associate professor at the University of Florida， said at the Black Hat cybersecurity conference in Las Vegas.

The problems begin with awareness： 45% of internet users dont even know what phishing is， according to Oliveira and Google researcher Elie Bursztein.

Mood plays a role： people who are feeling happy and not stressed are less likely to detect deception in front of them. Cortisol2， a stress hormone， increases vigilance and makes detecting a deception more likely. Serotonin3 and dopamine4， hormones associated with positive feelings， can lead to risky and unpredictable behavior that make people more vulnerable.

Phishers can also be exceptionally good at crafting messages meant to persuade a person to click. Authority is among the most common and effective weapons—for instance， an email that claims to be from the company CEO， asking an employee to provide some information by clicking a link. Other tools include a gain/loss framing—for instance， a refund opportunity from Amazon.

Some of the most pointed phishing emails play on emotion. After the devastating and record-breaking California wildfires in 2018， Google saw an instant wave of emails asking for money to help victims. Emotional cues—for instance， promises to match donations for people left homeless—impaired the recipients ability to focus on the content and the clues that the email was a deception. By triggering this emotional response， the hackers got people to suspend their skepticism.

That doesnt mean the only defense against phishing is to be a permanently stressed-out and cynical ball of anger. Healthier and more effective is to enable two-factor authentication for each of your important logins （email， online banking， social media， shopping sites， etc.）. When its enabled， the system asks you for something in addition to a password when you log in， such as a code sent to your phone via text message， a code from an authenticator app， or a physical security key on a USB stick （the most secure method of all， according to recent research）. That way， if youve inadvertently given your password to a hacker in a phishing scam， they still wont be able to log in to your account. Last year， Google said that fewer than 10% of its users had two-factor authentication enabled on their accounts.

騙人點擊郵件中的惡意鏈接并輸入密碼等個人信息是很多黑客最拿手的伎倆，這既簡單又有效。網(wǎng)絡(luò)釣魚是最為常見的網(wǎng)絡(luò)攻擊，而且日益嚴(yán)重。

谷歌和佛羅里達(dá)大學(xué)的研究認(rèn)為，其效果之所以如此顯著是因為網(wǎng)絡(luò)釣魚利用了人類的思維模式，最重要的是，利用了影響人們識別詐騙的各種因素，比如情商、認(rèn)知動機、情緒、激素，甚至受害者的人格。

“我們都容易被釣魚，因為網(wǎng)絡(luò)釣魚會欺騙我們大腦的決策機制。”佛羅里達(dá)大學(xué)副教授丹妮拉·奧利韋拉在拉斯維加斯黑帽安全技術(shù)大會上說。

首先是意識問題。奧利韋拉和谷歌研究員埃利·比爾斯坦的研究顯示，45%的互聯(lián)網(wǎng)用戶甚至不知網(wǎng)絡(luò)釣魚為何物。

情緒也有關(guān)系。心情暢快、無憂無慮時，人們識別眼前騙局的可能性更小。腎上腺皮質(zhì)素這種壓力激素能讓人提高警惕，有益于識別詐騙;而使人樂觀開心的血清素和多巴胺則可能導(dǎo)致魯莽冒失行為，讓人更容易上當(dāng)受騙。

網(wǎng)絡(luò)釣魚黑客還特別善于編造虛假信息來說服人點擊鏈接。權(quán)威性是最常用、最有效的武器之一，比如一封聲稱來自公司CEO的郵件，要求員工通過點擊鏈接提供某些信息。其他手段包括獲利或損失騙局設(shè)計，比如亞馬遜的退款機會。

有些針對性很強的釣魚郵件欺騙人們的感情。2018年爆發(fā)加利福尼亞史上破壞性最強的野火之后，谷歌注意到短時間內(nèi)出現(xiàn)了一大波為受害者募捐的郵件。情感的暗示——比如承諾將捐款撥發(fā)給無家可歸的人——削弱了收件人的注意力，使其未能關(guān)注郵件內(nèi)容和表明郵件是騙局的各種線索。通過激發(fā)這種情感反應(yīng)，黑客讓人忘卻了疑慮。

但這并不意味著防范網(wǎng)絡(luò)釣魚的唯一方法是永遠(yuǎn)憂心忡忡、滿腔怒火。把每一個重要登錄（郵箱、網(wǎng)上銀行、社交媒體、購物網(wǎng)站等）設(shè)置成雙重驗證才是更為明智有效的方法。設(shè)置后，登錄時系統(tǒng)會要求輸入除密碼外的其他信息，比如通過短信發(fā)送到手機的驗證碼、來自身份驗證應(yīng)用程序的驗證碼或U盾物理安全密鑰（新近研究認(rèn)為最為安全的方式）。這樣，即使你疏忽大意未識破釣魚騙局把密碼給了黑客，他們也無法登錄你的賬戶。去年，谷歌說，只有不到10%的用戶把自己的賬戶設(shè)置成雙重驗證。

（譯者為“《英語世界》杯”翻譯大賽獲獎?wù)撸?/p>