
Gone phishing: the research protecting us from cyberattacks

Professor Adam Joinson’s research explores why people fall for cyberattacks, and helps develop training to prevent it.

[Image: a man in shadow standing in front of a wall of code] Hackers are becoming increasingly sophisticated in their attempts to steal our data

Cyberattacks cost businesses in the UK over £29 billion each year. In 2019, a third of businesses experienced cybersecurity breaches.

‘Phishing’, the most common type of cyberattack, is when fraudsters trick people into sharing sensitive information, typically by sending fake emails that appear to come from a trusted sender.

‘Spear phishing’ is a targeted form of phishing, where scammers research their victims so they can send tailored – and so more persuasive – messages.

Orders from the top

Professor Adam Joinson has spent several years working with the Government to help businesses protect themselves from cyberattacks. His research has revealed what makes someone more likely to fall for phishing attacks, and led his team to develop measures to help companies protect themselves.

Adam has worked with several UK Government and research organisations that help protect the UK’s essential infrastructure, including the Centre for Research and Evidence on Security Threats (CREST). CREST is a national hub that commissions research to better understand and counter security threats; Adam led its ‘Understanding and Countering Online Behaviour’ programme.

Defending elections and keeping your money safe

Through his work with CREST, Adam’s research into cybersecurity has formed the basis of national guidance, training and campaigns about phishing and spear phishing attacks.

His research informed the ‘Don’t Take the Bait’ campaign run by the Centre for the Protection of National Infrastructure (CPNI), which aims to raise awareness of phishing and reduce the effectiveness of workplace attacks.

The campaign was adopted by several major organisations, such as CyberSafe Wales and the UK’s Electoral Commission, and fed into the National Cyber Security Centre (NCSC) guidance ‘Phishing Attacks: Defending Your Organisation’.

His research also contributed to the development of an anti-phishing tool and training resource, which is being trialled by the Bank of England, Airbus and others.

Reply fast or miss out!

Adam spent several years analysing the existing research on cybersecurity to develop a new model of susceptibility to online scams.

In partnership with external collaborating organisations, Adam and colleagues then tested the model by running a series of simulated phishing attacks on those organisations’ staff, to understand which factors affect susceptibility.

They then ran focus groups with employees to understand the work-related factors that would make them click a phishing link. They also explored employees' perceptions of what made them vulnerable to attack.

Their findings showed that authority and urgency are the main factors determining whether a malicious link is clicked.

‘Their emails may use realistic corporate graphics and emotive language like “Reply fast or miss out!” or “If you don’t sign in now, you’ll lose access to your account”, to make you worry that something will go wrong if you don’t take immediate action. Alternatively, they may claim to be from a powerful person you might want to impress,’ says Adam.

Work-based expectations and pressure were also found to contribute to an employee’s susceptibility to attack.

'The sheer quantity and typical working pattern when employees have to open and respond to customers’ emails all day means it’s not realistic to expect them to be vigilant all the time, and differing levels of attention and stress are relevant too.'
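To make the two cues concrete, here is an added example (it is not the research team's tool, CPNI's material or CybSafe's product) that scores an email for the urgency and authority language described above. The cue phrase lists, the labelling rule and the three sample emails are constructed for this illustration and are not taken from the study.

```python
"""Score an email for two persuasion cues: urgency (time pressure, threatened
loss) and authority (a senior person or official function invoked).

Added illustrative example, not the research team's or CPNI's code. The
pattern lists and sample emails below are assumptions made for the example.
"""
import re
from dataclasses import dataclass

# Phrases that signal time pressure or threatened loss. Assumed list.
URGENCY_PATTERNS = [
    r"\b(?:reply|respond|act|sign in|log in)\s+(?:fast|now|immediately|today)\b",
    r"\bwithin\s+\d+\s+(?:minutes?|hours?)\b",
    r"\b(?:lose|loss of)\s+access\b",
    r"\b(?:account|password)\s+(?:will be|has been)\s+(?:suspended|locked|closed|disabled)\b",
    r"\bmiss out\b",
    r"\bfinal (?:notice|warning|reminder)\b",
    r"\burgent\b",
]

# Phrases that invoke a senior person or an official function. Assumed list.
AUTHORITY_PATTERNS = [
    r"\b(?:ceo|cfo|director|head of|managing partner)\b",
    r"\b(?:it|security|compliance|hr|payroll)\s+(?:department|team|office)\b",
    r"\bon behalf of\b",
    r"\bthe board\b",
    r"\b(?:has|have) (?:asked|instructed|authori[sz]ed)\b",
]


@dataclass
class CueScore:
    """Matched phrases for each cue, so a reviewer can see *why* it scored."""
    urgency_hits: list[str]
    authority_hits: list[str]

    @property
    def urgency(self) -> int:
        return len(self.urgency_hits)

    @property
    def authority(self) -> int:
        return len(self.authority_hits)

    def label(self) -> str:
        """Coarse label: which persuasion technique(s) the message leans on."""
        if self.urgency and self.authority:
            return "urgency+authority"
        if self.urgency:
            return "urgency"
        if self.authority:
            return "authority"
        return "none"


def _hits(text: str, patterns: list[str]) -> list[str]:
    """Return every matched phrase (lower-cased), in pattern order."""
    found = []
    for pat in patterns:
        for m in re.finditer(pat, text, flags=re.IGNORECASE):
            found.append(m.group(0).lower())
    return found


def score_email(subject: str, body: str) -> CueScore:
    """Score subject and body together; whitespace is collapsed so a phrase
    split across a line break still matches."""
    text = re.sub(r"\s+", " ", f"{subject} {body}")
    return CueScore(_hits(text, URGENCY_PATTERNS), _hits(text, AUTHORITY_PATTERNS))


def triage(messages: dict[str, tuple[str, str]]) -> dict[str, str]:
    """Label a batch of (subject, body) pairs keyed by message id."""
    return {msg_id: score_email(*parts).label() for msg_id, parts in messages.items()}


# Constructed sample emails (not real messages, not from the study).
SAMPLES = {
    "urgent_ceo": (
        "URGENT: wire transfer needed today",
        "Hi, the CEO has asked me to get this invoice paid within 2 hours. "
        "Reply fast or we miss out on the discount.",
    ),
    "account": (
        "Action required",
        "If you don't sign in now, you'll lose access to your account. "
        "Your password will be suspended.",
    ),
    "benign": (
        "Lunch on Thursday?",
        "A few of us are going to the new place by the station. "
        "Let me know if you fancy it.",
    ),
}

if __name__ == "__main__":
    for msg_id, (subject, body) in SAMPLES.items():
        s = score_email(subject, body)
        print(f"{msg_id}: {s.label()} urgency={s.urgency_hits} authority={s.authority_hits}")
```

A scorer like this is useful for labelling simulated-phishing templates by the technique they rely on, or as one weak signal alongside header and URL checks in mail triage; it is not a filter on its own, since attackers vary their wording and plenty of legitimate mail from a manager is both senior and time-sensitive.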

These findings allowed Adam and colleagues to identify the vulnerable areas within organisations, and develop training to help defend them.

With attacks like these becoming increasingly common and sophisticated, CPNI took steps to educate organisations. Its ‘Don’t Take the Bait’ campaign directly incorporated Adam’s insights into human behaviour and the factors that influence it, as well as his recommendations for mitigating the risks.

The power of persuasion

Though now a Professor of Information Systems, Adam has degrees in psychology and social psychology. This understanding of human behaviour is the foundation of his work around cybersecurity.

'My training as a psychologist has helped. The lesson is that we don’t really need to teach people about the technology, but must look at the persuasion techniques used by phishers to con them,' says Adam.

Staying ahead of the game

For Adam, the work goes on. He is set to continue his long-term collaborations with CPNI and CREST and has received further funding to develop a new research and training tool called PHISHTRAY. Co-developed with cybersecurity company CybSafe, this new platform is designed to test employees’ susceptibility to phishing emails.

There will always be criminals trying to find new ways of tricking other people into parting with their data, or doing something else they didn’t mean to. We’ll have to be ready.
Adam Joinson, Professor of Information Systems
