Resilience to phishing attacks is failing to improve

The bad guys use phishing because it works, and it works because it exploits weaknesses in human psychology and organisational culture. We won't fix cybersecurity until we fix those things.
Written by Stilgherrian, Contributor

Ninety percent of cyber attacks start by someone clicking on an email, said Royce Curtin, head of intelligence at Barclays Bank, at the company's New Frontiers conference earlier this month.

"People are the weak link," the company tweeted as he spoke.

Curtin didn't need to pick that number purely for rhetorical effect. There's research to back it up.

We know, for instance, that spearphishing is a favoured technique of advanced persistent threat (APT) groups. We know that email is how the Bad Things get to us. And we know that imperfect, distracted, fallible humans don't always notice when an email is really a container for Bad Things in camouflage.

Trend Micro made the point in the title of their 2012 white paper Spear-Phishing Email: Most Favored APT Attack Bait. They found that "91 percent of targeted attacks involve spearphishing emails".

"APT campaigns frequently make use of spearphishing tactics because these are essential to get high-ranking targets to open phishing emails. These targets may either be sufficiently aware of security best practices to avoid ordinary phishing emails or may not have the time to read generic-sounding messages. Spearphishing significantly raises the chances that targets will read a message that will allow attackers to compromise their networks," Trend Micro wrote.

PhishMe, a company that provides phishing threat management with a human focus, reported the same 91 percent figure in their 2017 Phishing Defense Guide [PDF].

"Phishing remains the No. 1 attack vector today because it works ... Employees are easier targets due to their susceptibility to various emotional and contextual triggers," the company wrote. Their analysis showed that two of the three most successful emotional triggers were fear and urgency.

"Fear and urgency are a normal part of everyday work for many users. Consider that most employees are conscientious about losing their jobs due to poor performance (fear) and are often driven by deadlines (urgency), leading them to be more susceptible to phish with these emotional components."

Meanwhile in New Zealand, the University of Otago analysed the impact of spearphishing attacks starting in June 2013.

They found that when employees fell for a phish, they were usually away from their desk, using mobile devices which didn't necessarily display the email in full. It usually happened outside business hours, too, either late at night when they were tired or first thing in the morning when they were busy starting their household's daily routine.

"This expectation that we're going to ask people to work long hours, be on call to answer emails and queries at any time, has a huge downside, and that's about managing expectations," said Mark Borrie, the university's information security manager, at the AusCERT Information Security Conference in 2015.

Organisations implicitly train users to respond to bad emails, said Borrie, by allowing inconsistent-looking email systems to be used. He cited a student timetable system that sent emails not from the university's otago.ac.nz domain, but the username otago-m at an external .com domain, and those emails contained a clickable link to a second, different external .com domain.

In a nutshell, then, organisations create the very conditions that will increase their employees' vulnerability to phishing attacks.
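A defender-side consistency check of the kind Borrie's point implies, added here as an example (not code from the article, the university or any product it mentions). It parses a constructed message modelled on the timetable email, with placeholder external domains, and flags a sender address or link host that is not under the organisation's own domain, or a link host that differs from the sender's domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# The organisation's own domain, as named in the article.
ORG_DOMAIN = "otago.ac.nz"

# Constructed sample modelled on the timetable system described above:
# a username at one external .com domain, linking to a second .com domain.
# Both external domains are placeholders, not the real systems.
SAMPLE_EMAIL = """From: Timetable <otago-m@mailer-vendor.example.com>
To: student@otago.ac.nz
Subject: Your timetable has changed
Content-Type: text/plain

Your lecture times have changed. View them here:
https://timetable-vendor.example.com/view?id=123
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_org_host(host: str) -> bool:
    """True if host is the organisation's domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def check_consistency(raw: str) -> dict:
    """Report the sender domain, the hosts linked in the body, and every
    inconsistency that would train a reader to accept look-alike mail.
    Assumes a single-part text message (the sample above)."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    link_hosts = sorted({urlparse(u).hostname or "" for u in URL_RE.findall(body)})

    issues = []
    if not is_org_host(sender_domain):
        issues.append(f"sender domain {sender_domain} is not under {ORG_DOMAIN}")
    for host in link_hosts:
        if not is_org_host(host):
            issues.append(f"link host {host} is not under {ORG_DOMAIN}")
        if host != sender_domain:
            issues.append(f"link host {host} differs from sender domain {sender_domain}")
    return {"sender_domain": sender_domain, "link_hosts": link_hosts, "issues": issues}


if __name__ == "__main__":
    for line in check_consistency(SAMPLE_EMAIL)["issues"]:
        print("WARNING:", line)
```

Running it against an organisation's own outbound systems (timetables, HR, payroll) shows which legitimate senders look exactly like the phish users are told to distrust.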

Phishing awareness training exists, of course, but it has limited effectiveness.

In 2016, researchers at Germany's Friedrich-Alexander-Universität (FAU) found that even when users knew that clicking on a link could be risky, they still clicked on it. In their research, 56 percent of email recipients, and around 40 percent of Facebook users, clicked on a link from an unknown sender.

While 78 percent of participants said they were aware of the risks, the most common reason given for clicking was curiosity.

Curiosity was the third of the top three emotional triggers identified in PhishMe's research, along with fear and urgency.

"You don't stop phishing attacks by raising user awareness," PhishMe wrote, but that isn't an argument against anti-phishing training. "Focusing on awareness isn't the point. The real solution is behavioral conditioning," the company wrote.

"With this level of understanding, we can condition our employees to be on the lookout for their natural reactions to malicious emails, and to use those reactions as a trigger to look more closely for technical and process errors in what they are seeing."

The organisations that will succeed in this strategy will have developed a workplace culture where fear and urgency are not business as usual, but are red flag indicators that something is going wrong.

They will also have a culture where questioning the instructions in a message, or pointing out that things are going wrong, is seen as being smart and being resilient, not as a sign of incompetence or of not being a "team player".

But of course every organisation already has that culture, right? If not, Royce Curtin will be citing that 90 percent figure for years to come.
