A large-scale phishing attack using a Google Docs exploit spread rapidly across the internet today.

Google Docs Phishing Email

You can learn about the data processing aspects of this attack. It has been reported in The Wall Street Journal, The Verge, The New York Times, and many other sources. What about the human aspects of this problem? Why did people open these emails? Why do people open any emails?

Prof. Arun Vishwanath, in "Why Do People Get Phished," established that people open emails as a matter of habit, which is invoked in response to perceived relevance and urgency clues. Understanding the context of this email explains why people would open it.

  1. An email that appears to be from a trusted contact is seen in the inbox.
  2. The email is opened in response to the perceived relevance and urgency clues displayed in the inbox.
  3. The email, when opened, reinforces the perceived relevance and urgency clues with the trusted name in the title and the expected email address in the email sender field.
  4. The call to action (in this case, “Open in Docs”) invokes the habit of responding to a routine call to action from a trusted contact.
  5. The user takes the call to action and completes what appears to be a routine Google Docs activity.

By the time the user decides to click the blue box, the urgency clues and perceived relevance have been reinforced, leading to completion of the habitual behavior. Because the behavior is habitual, the user completely overlooks the odd string of the letter “h” under the trusted email address. SP Guard disrupts this deception process by giving users trust indicators in the email interface.