Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/9/2017
11:00 AM
Eyal Benishti
Eyal Benishti
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Limitations Of Phishing Education

Human nature means that education will only go so far. Technology needs to take up the slack.

In the past 12 months, millions of organizations, spanning all industries and sizes, became targets of cyberattacks. According to a recent report, 400,000 phishing sites were detected per month in 2016, and the Anti-Phishing Working Group concluded that phishing attacks reached an "all-time high" in the second quarter. Not only are attacks proliferating, but the perpetrators have evolved into professional cybercriminals with plenty of time and resources. For these reasons, it's unrealistic to entrust the workforce with the massive responsibility of stopping phishing.

While this many sound ironic coming from someone involved in phishing mitigation, I recognize that phishing education has proved beneficial only to a certain extent. The reality is that the imperfection of humans makes it all but impossible for us to teach everyone how to spot and avoid phishing — and if phishing efforts aren't detected and eliminated fast enough, someone eventually will click, and then it's game over.

When it comes to employee expectations, the digital-native millennial generation, now the largest workforce demographic, is perhaps the most careless when it comes to cybersecurity, opting for expedience over security. Other workforce demographics, such as Generation X and baby boomers, are forced to learn new "detective" skills for identifying and reporting suspicious emails, despite being unfamiliar with technically advanced processes.

Frankly, it's very hard to change behavior. In fact, it's proven that users, regardless of training and awareness, will still click on phishing links or download attachments because of a variety of factors, including curiosity, greediness, distraction, well-crafted impersonations, and/or simply failing to learn from past mistakes. For example:

  • A culture of distraction: People are easily distracted by their daily tasks, especially under stressful environments, making them likely to click on a malicious link or download a suspicious file. According to a study from Microsoft, people generally lose concentration after eight seconds, a shorter attention span than a goldfish. With an abundance of smart devices available, and an increasingly digital lifestyle, it's easy to see how so many stimuli could make it difficult to identify a suspicious email, particularly if the email intentionally includes multiple streams of media for the purpose of distracting the receiver.
  • Spearphishing can be almost undetectable: Some attacks are just so good that it's impossible to spot them by the naked eye. What happened to Snapchat and the Clinton campaign are two examples of how sophisticated phishing attacks can trick employees through highly targeted campaigns that impersonate internal executives or well-recognized vendors. Seagate also fell victim to a similar phishing scam, and its staff has since filed a lawsuit against the company after personal information was exposed. Phishing attacks have become so realistic that even the most cyber-aware recipient can be fooled into providing sensitive information. 
  • Curiosity is king:  Sometimes, curiosity is stronger than the sense of security, especially when it comes to an employer's computer. According to a recent study by FAU researchers in Germany, 56% of email recipients clicked on a link from an unknown sender despite knowing the risks. Why? Most reasoned that they were curious about the content of the photos or the identity of the sender. According FAU, curiosity and interest are natural human traits and, with the right timing and context, people will click on a link despite their security awareness.

Though employee training will always play a role in phishing mitigation, and it should, recent events prove it's not effective on its own. With increasingly clever and deceptive scams, matched with the massive amount of phishing emails sent daily, employees don't stand a chance in successfully defeating the phishing epidemic on their own.

Instead, organizations should turn to next-generation technologies to fill the gap and empower employees. While some argue encryption, multifactor authentication, and database security can be effective in deterring phishers, they're outdated techniques with risks and shortcomings. Today, forward-thinking organizations are implementing newer strategies to aid in phishing support such as sender reputation and email verification programs, including DomainKeys Identified Mail, Sender Policy Framework, and Domain Message Authentication & Reporting Conformance. They're not perfect, however. they won't identify suspicious links and attachments or stop a determined attacker who buys a domain and installs Domain Name System records to tell servers which IP address each domain is associated with.

In the future, the use of artificial intelligence and machine learning to identify phishing emails, learn from reported attacks, and create real-time signatures will help companies prepare for and prevent attacks that have been attempted around the world, without the need for human interaction.  

Related Content:

Eyal Benishti has spent more than a decade in the information security industry, with a focus on software R&D for startups and enterprises. Before establishing IRONSCALES, he served as security researcher and malware analyst at Radware, where he filed two patents in the ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PhishProtection
50%
50%
PhishProtection,
User Rank: Apprentice
6/3/2019 | 1:26:22 AM
educating users (primary importance)
this is why educating users (who have little knowledge or concern) about phishing and how it can be dangerous not only to their work place but even personal life. We put out an awareness ebook for just this, and you can download it free from here - https://www.phishprotection.com/phishing-protection-best-practices-guide/
technicalaccademy
50%
50%
technicalaccademy,
User Rank: Apprentice
3/23/2017 | 1:36:35 AM
office
Thanks for sharing the limitations of phishing education.it is very helpful to me.once again thanks
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12505
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW07 allows an attacker to change some special parameters without authentication. This issue affects: WAGO 750-852 version FW07 and prior versions. WAGO 750-880/xxx-xxx version FW07 and prior versions. WAGO 750-881 ve...
CVE-2020-12506
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW03 allows an attacker to change the settings of the devices by sending specifically constructed requests without authentication This issue affects: WAGO 750-362 version FW03 and prior versions. WAGO 750-363 version ...
CVE-2020-4629
PUBLISHED: 2020-09-30
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local user with specialized access to obtain sensitive information from a detailed technical error message. This information could be used in further attacks against the system. IBM X-Force ID: 185370.
CVE-2019-17098
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
CVE-2020-15731
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.