The magic of phishing

30-09-2024

Maybe surprising at first, yet there is a clear link between magicians and phishers. Just think about it: a phisher tries to deceive you into taking a risk, a magician deceives you by making you believe something impossible happened. Both professions combine technical tricks with a psychological understanding of humans to achieve their goals. The goal of magicians is to entertain people and get rewarded for it; phishers mostly try to reward themselves at your expense.

Similar basis for their tricks

Examples of techniques used by both:

Deception:

Magicians skillfully use crafted objects to create illusions.
Phishers use deceptive emails or websites, or use AI to create fake images or voices, to deceive people.

Misdirection:

Magicians often distract their audience to perform their tricks unnoticed. They understand how to capture the attention and lead it away from key actions.
Similarly, phishers use tactics like urgent messages or fake alerts or friends in distress to divert attention to the perceived issue, away from the possibility of fraud.

Psychological Manipulation:

Magicians play on expectations, normal behavior of objects, and visual effects.
Phishers most commonly exploit fear, greed, or urgency to manipulate their targets.

Creating a Sense of Trust:

Magicians focus on showing they are trustworthy (nothing in my pockets, nothing up my sleeve, look!).
Phishers try to create a sense of trust by impersonating legitimate entities like banks or well-known companies or public figures.

Similar investment in the basics

Two other aspects that are relevant for both skills are audience targeting and investing in skills and preparation.

Audience Targeting:

Magicians tailor their performances to their audience to maximize impact.
Phishers similarly target specific groups to increase the likelihood of a successful attack. Emails with spelling mistakes filter out security-conscious people. Targeting employees of a particular company with relevant topics increases the likelihood of success. Typical seasonal messages make similar fraudulent messages stand out less.

Skill and Preparation:

Successful magicians spend years honing their craft and perfecting their tricks.
Phishers also invest time in crafting convincing attacks to increase their chances of success.

Lessons to be learned

What lessons might we extract from this similarity?

First, when we go to a magician's show, we know we will be surprised. Even though we know a trick is coming, and pay special attention to catch the magician in the act, we fail. Phishers have the same psychological tricks at their disposal and increasingly sophisticated tools. It is therefore normal and expected that phishing attacks will keep being successful. "It will not happen to me" is an attitude that you do not want to encourage.

Second, we should not fall into the trap of thinking we have seen it all and know the tricks. Phishers will use the simplest method as long as the click-rate is high enough. If it drops, they have plenty of improvements available. AI is unfortunately a big tool improvement that facilitates new tricks.

Third, phishing attacks abuse fundamental characteristics of humans. We are susceptible to greed, fear, stress, pity, etc. Human nature cannot be patched just like that. We can reduce the effects in phishing-sensitive contexts through repeated training and awareness, yet we have to accept that sometimes people will be caught. Don't blame them; after all, they are only human.