The Limitations Of Phishing EducationHuman nature means that education will only go so far. Technology needs to take up the slack.
In the past 12 months, millions of organizations, spanning all industries and sizes, became targets of cyberattacks. According to a recent report, 400,000 phishing sites were detected per month in 2016, and the Anti-Phishing Working Group concluded that phishing attacks reached an "all-time high" in the second quarter. Not only are attacks proliferating, but the perpetrators have evolved into professional cybercriminals with plenty of time and resources. For these reasons, it's unrealistic to entrust the workforce with the massive responsibility of stopping phishing.
While this many sound ironic coming from someone involved in phishing mitigation, I recognize that phishing education has proved beneficial only to a certain extent. The reality is that the imperfection of humans makes it all but impossible for us to teach everyone how to spot and avoid phishing — and if phishing efforts aren't detected and eliminated fast enough, someone eventually will click, and then it's game over.
When it comes to employee expectations, the digital-native millennial generation, now the largest workforce demographic, is perhaps the most careless when it comes to cybersecurity, opting for expedience over security. Other workforce demographics, such as Generation X and baby boomers, are forced to learn new "detective" skills for identifying and reporting suspicious emails, despite being unfamiliar with technically advanced processes.
Frankly, it's very hard to change behavior. In fact, it's proven that users, regardless of training and awareness, will still click on phishing links or download attachments because of a variety of factors, including curiosity, greediness, distraction, well-crafted impersonations, and/or simply failing to learn from past mistakes. For example:
- A culture of distraction: People are easily distracted by their daily tasks, especially under stressful environments, making them likely to click on a malicious link or download a suspicious file. According to a study from Microsoft, people generally lose concentration after eight seconds, a shorter attention span than a goldfish. With an abundance of smart devices available, and an increasingly digital lifestyle, it's easy to see how so many stimuli could make it difficult to identify a suspicious email, particularly if the email intentionally includes multiple streams of media for the purpose of distracting the receiver.
- Spearphishing can be almost undetectable: Some attacks are just so good that it's impossible to spot them by the naked eye. What happened to Snapchat and the Clinton campaign are two examples of how sophisticated phishing attacks can trick employees through highly targeted campaigns that impersonate internal executives or well-recognized vendors. Seagate also fell victim to a similar phishing scam, and its staff has since filed a lawsuit against the company after personal information was exposed. Phishing attacks have become so realistic that even the most cyber-aware recipient can be fooled into providing sensitive information.
- Curiosity is king: Sometimes, curiosity is stronger than the sense of security, especially when it comes to an employer's computer. According to a recent study by FAU researchers in Germany, 56% of email recipients clicked on a link from an unknown sender despite knowing the risks. Why? Most reasoned that they were curious about the content of the photos or the identity of the sender. According FAU, curiosity and interest are natural human traits and, with the right timing and context, people will click on a link despite their security awareness.
Though employee training will always play a role in phishing mitigation, and it should, recent events prove it's not effective on its own. With increasingly clever and deceptive scams, matched with the massive amount of phishing emails sent daily, employees don't stand a chance in successfully defeating the phishing epidemic on their own.
Instead, organizations should turn to next-generation technologies to fill the gap and empower employees. While some argue encryption, multifactor authentication, and database security can be effective in deterring phishers, they're outdated techniques with risks and shortcomings. Today, forward-thinking organizations are implementing newer strategies to aid in phishing support such as sender reputation and email verification programs, including DomainKeys Identified Mail, Sender Policy Framework, and Domain Message Authentication & Reporting Conformance. They're not perfect, however. they won't identify suspicious links and attachments or stop a determined attacker who buys a domain and installs Domain Name System records to tell servers which IP address each domain is associated with.
In the future, the use of artificial intelligence and machine learning to identify phishing emails, learn from reported attacks, and create real-time signatures will help companies prepare for and prevent attacks that have been attempted around the world, without the need for human interaction.
Eyal Benishti has spent more than a decade in the information security industry, with a focus on software R&D for startups and enterprises. Before establishing IRONSCALES, he served as security researcher and malware analyst at Radware, where he filed two patents in the ... View Full Bio