We’ve all been there. That awful moment, when you realize it’s happened again.
“Why do they never learn?” You ask yourself. “It really isn’t that hard!”
Time and time again, your users click on malicious links and attachments in phishing emails, and it seems like no matter what you do to improve their awareness, it never gets any better.
So why do they keep falling for phishing scams? Is it just complacency? Or something more?
A Very Real Problem
As a member of the security community, it’s sometimes difficult to understand why phishing is such a problem. After all, we think about security all day long, so it’s only natural that when we see a suspect email we immediately assume it’s a phish.
But other people don’t think this way. They assume anything that makes its way into their inbox is a legitimate attempt to contact them.
This leaves us with a problem, clearly, and not a small one. According to Verizon, 10 percent of phishing scams lead to a data breach, which is terrifying when you consider the volume of phishing emails out there.
During the creation of our 2016 Phishing Trends and Intelligence report we analyzed over 1 million confirmed phishing sites, located across more than 130,000 domains, and we think we’ve come up with some answers. For starters, here are a few:
They Aren’t Looking For Them
We’ve touched on this already, but it’s an important point to consider. Just because security professionals see a shady email and think ‘phishing’, doesn’t mean everybody else does too.
In fact, most people are woefully uninformed about all forms of security. Whether it’s using bad passwords, or repeatedly connecting to unsecured public WiFi, they display almost total ignorance of basic security concepts in both their personal and professional lives.
Hardly surprising, then, that they keep falling for phishing scams – They just aren’t expecting anything malicious to turn up in their inbox, so they’re unprepared to cope with it.
And it’s not just that.
Although security professionals commonly think of these people as ‘users’, in reality they’re professional people with jobs to do. They’re busy, in a hurry, and stressed, and none of these things will help them to think rationally about a shady email in their inbox.
They Often Look Legitimate
First off, threat actors all over the world have improved their writing skills immensely.
These days nobody would be fooled (we hope) by the old Nigerian email scams, but things have come a long way since then. Sure, there are still some pretty terrible phishing scams that somehow manage to fool a few people, but for the most part they have improved immeasurably.
For instance, here’s a fairly recent example of what we might call a ‘bad phish,’ received by students and faculty at Lehigh University.
Sure, it might fool the odd person if they’re really in a hurry, but for the most part the terrible spelling, lack of specificity, and unhidden Comcast sender address will give it away.
Compare it, though, to another phishing email, this time sent only to staff in the financial department at Lehigh.
Now this is much more convincing. Sure, if you looked closely you’d catch on, but in the heat of the moment it’s easy to see how people fall for this type of email. Don’t forget, all they have to do is open the attachment, and all that takes is a moment’s inattention.
But now let’s take it up yet another notch. Here’s a spear phishing email crafted by one of our own employee defense training experts, based on real examples we’ve seen in recent months. This time, the email was sent to members of our client’s sales team, and as a result of sophisticated spoofing techniques it appears to be sent by company’s VP of sales.
This email contains several other key convincers as well, including the specific audience targeted, the relative likelihood of their receiving this type of email, and the recipients’ desire to please their boss. The ‘sent from my mobile’ email signature has become a favorite amongst threat actors in recent years, and again seems to make the phish ‘seem’ more legitimate.
And as you can see from the included campaign stats, this email scored well above the average click rate of 20 percent.
When you see phishing emails of this quality, it can hardly be a surprise that some of your users continue to click, especially when you consider that…
Most Security Awareness Training is Terrible
In our experience, the vast majority of security awareness training is hugely ineffective. We explore this in Top Five Phishing Awareness Training Fails.
And the thing is, many organizations use the lack of results they’re seeing to justify cutting back even more, and simply providing the annual policy based training that’s required for compliance. It’s boring, there’s no reinforcement or incentive to change, and (once again) it only comes out once per year.
How is that ever going to change users’ security behaviors?
But we know you’re different.
For a start, you’re here reading an article designed to help you reduce phishing click rates. We as security professionals must up our game if we want to keep our organizations safe, and the first thing we need to do is get people thinking about security as they go about their daily business.
So don’t be discouraged if your current training isn’t working. We’ll be writing more about this topic in the future, but for now here are some of the elements that should be present in your security awareness training:
Interest – Training simply cannot be boring if you want users to benefit from it. People today are more overwhelmed and stressed than they’ve ever been in history, and our brains simply shut off in the face of material that we view as boring or unimportant.
Repetition – Annual training achieves nothing, because people aren’t in the habit of thinking about security. We need to change behaviors, and that requires a lot more than a single 20-minute session once per year.
Reminders – It’s not all about the training. Regular email correspondence, posters on the notice board, even stickers on each monitor can help remind users to think about security while they’re checking email.
Testing – If you want to make sure your users are ready to handle phishing emails, PHISH THEM. Whether you choose to create and manage your own phishing campaigns or pay a security vendor to do it for you, it’s essential that you identify the users most likely to fall for real phishing scams and give them the extra support they need. The same is true for other areas of security, particularly social engineering attacks such as physical infiltration of your buildings or phone scams.
Incentive – Whether you choose the carrot or the stick, incentives are a valuable means of behavioral modification. Research suggests that rewarding the behaviors you’re looking for is the best way to go, but whatever you choose it’s better to do something than nothing.
Stay tuned for a continuation of this topic in our next blog post Hitting Back Against Security Awareness Training Nay Sayers.