How Phishing Attacks Trick Our Brains网络钓鱼如何欺骗大脑

帕特里克·豪厄尔·奥尼尔　陈伟济

Why youre more of a sucker than you think. 为何你比自己想象的还容易受骗。

Its simple and effective： getting someone to click a malicious link in an email and enter private information such as a password is the most important skill in many hackers toolkits. Phishing1 is the most common form of cyberattack and still growing.

And the reason its so effective， according to research being done at Google and the University of Florida， is that it takes advantage of how the human brain works—and， crucially， how people fail to detect deception， depending on factors like emotional intelligence， cognitive motivation， mood， hormones， and even the victims personality.

“We are all susceptible to phishing because phishing tricks the way our brain makes decisions，” Daniela Oliveira， an associate professor at the University of Florida， said at the Black Hat cybersecurity conference in Las Vegas.

The problems begin with awareness： 45% of internet users dont even know what phishing is， according to Oliveira and Google researcher Elie Bursztein.

Mood plays a role： people who are feeling happy and not stressed are less likely to detect deception in front of them. Cortisol2， a stress hormone， increases vigilance and makes detecting a deception more likely. Serotonin3 and dopamine4， hormones associated with positive feelings， can lead to risky and unpredictable behavior that make people more vulnerable.

Phishers can also be exceptionally good at crafting messages meant to persuade a person to click. Authority is among the most common and effective weapons—for instance， an email that claims to be from the company CEO， asking an employee to provide some information by clicking a link. Other tools include a gain/loss framing—for instance， a refund opportunity from Amazon.

Some of the most pointed phishing emails play on emotion. After the devastating and record-breaking California wildfires in 2018， Google saw an instant wave of emails asking for money to help victims. Emotional cues—for instance， promises to match donations for people left homeless—impaired the recipients ability to focus on the content and the clues that the email was a deception. By triggering this emotional response， the hackers got people to suspend their skepticism.

That doesnt mean the only defense against phishing is to be a permanently stressed-out and cynical ball of anger. Healthier and more effective is to enable two-factor authentication for each of your important logins （email， online banking， social media， shopping sites， etc.）. When its enabled， the system asks you for something in addition to a password when you log in， such as a code sent to your phone via text message， a code from an authenticator app， or a physical security key on a USB stick （the most secure method of all， according to recent research）. That way， if youve inadvertently given your password to a hacker in a phishing scam， they still wont be able to log in to your account. Last year， Google said that fewer than 10% of its users had two-factor authentication enabled on their accounts.

騙人点击邮件中的恶意链接并输入密码等个人信息是很多黑客最拿手的伎俩，这既简单又有效。网络钓鱼是最为常见的网络攻击，而且日益严重。

谷歌和佛罗里达大学的研究认为，其效果之所以如此显著是因为网络钓鱼利用了人类的思维模式，最重要的是，利用了影响人们识别诈骗的各种因素，比如情商、认知动机、情绪、激素，甚至受害者的人格。

“我们都容易被钓鱼，因为网络钓鱼会欺骗我们大脑的决策机制。”佛罗里达大学副教授丹妮拉·奥利韦拉在拉斯维加斯黑帽安全技术大会上说。

首先是意识问题。奥利韦拉和谷歌研究员埃利·比尔斯坦的研究显示，45%的互联网用户甚至不知网络钓鱼为何物。

情绪也有关系。心情畅快、无忧无虑时，人们识别眼前骗局的可能性更小。肾上腺皮质素这种压力激素能让人提高警惕，有益于识别诈骗;而使人乐观开心的血清素和多巴胺则可能导致鲁莽冒失行为，让人更容易上当受骗。

网络钓鱼黑客还特别善于编造虚假信息来说服人点击链接。权威性是最常用、最有效的武器之一，比如一封声称来自公司CEO的邮件，要求员工通过点击链接提供某些信息。其他手段包括获利或损失骗局设计，比如亚马逊的退款机会。

有些针对性很强的钓鱼邮件欺骗人们的感情。2018年爆发加利福尼亚史上破坏性最强的野火之后，谷歌注意到短时间内出现了一大波为受害者募捐的邮件。情感的暗示——比如承诺将捐款拨发给无家可归的人——削弱了收件人的注意力，使其未能关注邮件内容和表明邮件是骗局的各种线索。通过激发这种情感反应，黑客让人忘却了疑虑。

但这并不意味着防范网络钓鱼的唯一方法是永远忧心忡忡、满腔怒火。把每一个重要登录（邮箱、网上银行、社交媒体、购物网站等）设置成双重验证才是更为明智有效的方法。设置后，登录时系统会要求输入除密码外的其他信息，比如通过短信发送到手机的验证码、来自身份验证应用程序的验证码或U盾物理安全密钥（新近研究认为最为安全的方式）。这样，即使你疏忽大意未识破钓鱼骗局把密码给了黑客，他们也无法登录你的账户。去年，谷歌说，只有不到10%的用户把自己的账户设置成双重验证。

（译者为“《英语世界》杯”翻译大赛获奖者）