We’ve all been trained how to spot phishing emails: check the sender address, hover over links to see where they go, etc. But that’s a lot of work and mental effort. And, given that most emails aren’t phish, almost all wasted. So can we do it better?
A fascinating paper by Rick Wash looked at how experts (in this case, university IT staff) do it. Yes, they use all those techniques, but only after something has flipped them into “look carefully” mode for a particular email. Most messages they classify instinctively, and correctly, as not-phish. So what is that something else: the pre-filter that leaves them relaxed about most emails?
It turns out that one academic definition of an expert is someone who is sensitive to the unusual. If that sensitivity is linked to a willingness to change your view of the world – from “this email is fine” to “this email is suspicious” – then that may be exactly the pre-filter we need. What we more often think of as “expertise” – deep understanding of a knowledge domain – may then be useful to assess which anomalies are probably harmless accidents, versus the ones that are likely to be created by a phisher. But it’s that initial sensitivity and willingness to abandon pre-conceptions that are key to optimising our mental workload.
If we can get better at paying attention when our instinct says “that colleague normally uses Slack, not email”, or “my bank tells me when I have a message, it doesn’t send it to me”, or “why did my friend write so formally?”, or “why didn’t the supplier give the order number”, or “why didn’t I hear about this by another route?” then we may be able to save ourselves a lot of conscious effort, without increasing the number of phish we fall victim to. Subsequent conscious inspection may reveal that the unusual feature in fact had a legitimate explanation: if we don’t get a few “false positive” triggers then we should try to increase our sensitivity. But we’ll still need to get into that mindset less often than every time “you have mail”.
One particularly interesting aspect of this is that it suggests that expert phish detectors don’t need any technical knowledge. If you have that then, of course, it means you can do the stage two conscious inspection yourself. But if you can become an expert in what your own email environment feels like, and develop expert-level sensitivity to when something doesn’t fit (maybe practice reviewing consciously why you felt uneasy about a particular mail), then dealing with your inbox should become a lot less stressful for you and for others. That’s something we should all be able to manage.