Phishing Attacks Work Because… Humans

Layered Approach Poised To Overcome Enterprise Productivity Impact

Jeff Orr
03/11/2020

Phishing Impact

If the definition of insanity is repeating the same mistakes and expecting different results, then the definition of phishing is preying on human behavior.

Despite its well-documented history and maturity as a cyber-attack, phishing remains one of the leading methods that attackers use to target enterprise users and infiltrate the workplace. Phishing still works because an attacker needs only a small percentage of recipients to act for a campaign to yield user credentials. Attackers study their targets and employ new techniques to get past email content security filters. Why does phishing continue to haunt security professionals, and what can be done to reduce or mitigate the loss of sensitive data?

See Related: Email Phishing Overshadows Risk Of Mobile Malware


Phishing’s Impact On Human Behavior

In the early days of phishing, the patterns attackers used to imitate a legitimate business request were crude and easy to spot. The workforce was effectively the first line of defense, escalating suspected phishing campaigns to IT.

As phishing attacks became harder to distinguish from legitimate mail and cyber awareness training increased, more of the burden shifted onto the workforce. The shift is significant enough that its ripple effect on workforce productivity is now visible.

Simply put, people want to do their job. And in many jobs, there is a need to click on links and open attachments. Phishing preys on human behavior by disrupting employee workflow. The authenticity of the sender, the contents of an email message, and the requested action all come into question.

Compounding this challenge is the employee belief that the workplace offers a more secure experience than at home because there is a security team present and actively taking steps to protect them.

Some observe that the impact of phishing has removed part of the trust in the employer. Awareness training to overcome human behavior could be nearly impossible to achieve for every organization. A new approach is needed to align the organization’s security posture with the productivity expectations of the workforce.

See Related: The Role Of Human Factors In Enterprise Cyber Security

The Psychology Behind Phishing Requires A Layered Response

“Phishers often use psychological tricks to get users to take actions that they might not usually take, preying on an employee’s desire to be helpful or their instinct to do what an authority figure tells them to do,” said Forrester VP and Research Director Joseph Blankenship.

Training alone cannot protect you from phishing. Phishing prevention requires a layered approach that combines technical controls and user education. Each layer in this strategy acts as a safety net in case the layer on top of it fails. The Forrester cyber security analysts define these layers as:

  • Implementing technical controls to protect end users. Shift the first line of defense away from your workforce and onto email security solutions, including email content filtering, email authentication, and threat intelligence.
  • Educating your workforce to recognize phishing attempts. Ensure that you implement ongoing training, have mechanisms for reporting phishing, and test and measure performance. Just like InfoSec professionals avoid being the security police, be careful not to shame users who fall victim to these attacks. Shaming makes users less likely to report phishing attempts and less likely to complete their training.
  • Planning for technical and human failure. Despite your best technical and educational efforts, your users will be successfully phished. If all else fails, you need to be ready to respond to incidents to limit the impact of a successful phishing attack. Technologies such as browser isolation and MFA can help limit the impact. Having an incident response plan ready ahead of time helps the quality and speed of your recovery.
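As an added example of the first layer above (this is illustrative code written for this page, not the author's or Forrester's), the following Python script shows what "email authentication" looks like when it is actually enforced at a gateway: it parses the Authentication-Results header (RFC 8601) that an inbound mail relay stamps on each message, checks the SPF, DKIM and DMARC verdicts, checks that the visible From: domain aligns with the envelope sender, and flags display-name impersonation of internal staff. The organization domain, the protected-names list and the two sample messages are constructed for the example.

```python
"""Added example (not from the original article): a minimal inbound-mail
triage check of the kind the "technical controls" layer describes.

Assumptions (hypothetical, not from the article):
  * an upstream gateway adds an Authentication-Results header (RFC 8601)
    with spf=/dkim=/dmarc= verdicts before the message reaches this code;
  * INTERNAL_DOMAIN and PROTECTED_NAMES describe the organization;
  * the sample messages below are constructed for the example.
"""
import email
import re
from email.utils import parseaddr

# Hypothetical organization data.
INTERNAL_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe", "pat lee"}  # names attackers commonly impersonate

# Authentication-Results verdict tokens, e.g. "spf=pass", "dmarc=fail".
AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b",
    re.IGNORECASE,
)


def parse_auth_results(value):
    """Return {'spf': 'pass', 'dkim': 'none', ...} from a header value."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(value or "")}


def domain_of(header_value):
    """Lower-cased domain part of the address in a From:/Return-Path: header."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return (verdict, findings) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    findings = []

    # 1. SPF / DKIM / DMARC results written by the gateway.
    auth = parse_auth_results(msg.get("Authentication-Results"))
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech}={auth.get(mech, 'missing')}")

    # 2. Envelope sender (Return-Path) should align with the visible From: domain.
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and from_dom != rp_dom:
        findings.append(f"unaligned return-path {rp_dom} vs from {from_dom}")

    # 3. A protected display name on an external address is impersonation.
    name, _ = parseaddr(msg.get("From", ""))
    if name.strip().lower() in PROTECTED_NAMES and from_dom != INTERNAL_DOMAIN:
        findings.append(f"display-name impersonation of {name!r} from {from_dom}")

    return ("quarantine" if findings else "deliver"), findings


# Constructed sample messages (not real traffic).
LEGIT = """Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: Jane Doe <jane.doe@example.com>
To: pat.lee@example.com
Subject: Q3 budget review

Pat, please review the attached budget before Friday.
"""

PHISH = """Return-Path: <bounce@mail-blast.invalid>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=mail-blast.invalid;
 dkim=none;
 dmarc=fail header.from=examp1e.com
From: Jane Doe <ceo@examp1e.com>
To: pat.lee@example.com
Subject: Urgent wire transfer

Pat, I need you to process a payment right now. Keep this between us.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phish", PHISH)):
        verdict, findings = triage(raw)
        print(f"{label}: {verdict} {findings}")
```

Note that the lookalike message passes SPF for its own bulk-mail domain, which is why a filter that stops at "spf=pass" is not enough: it is the DMARC failure, the Return-Path/From misalignment and the protected display name on an external domain that push it to quarantine. A production gateway would also act on the DMARC policy published by the spoofed domain and feed quarantined samples into the reporting and threat-intelligence loop the other layers describe.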

See Related: Enabling Cyber Security Defenders To Design Effective Solution Strategies