Changing User Behavior Core to Averting Phishing Disaster
The neuroscience is difficult to deny: Humans are built to trust one another. People also have an innate propensity for curiosity. Overcoming those instincts in the era of social engineering is no easy feat – we want to open emails and links that purport to come from people and brands we know.
And that’s where trouble lies.
One in seven emails sent to professionals contains a phishing message, according to Cofense, which specializes in phishing defense. Phishing emails steal data by tricking users into believing they are interacting with someone or a company they trust. Take these high-profile examples:
- In 2016, Walter Stephan, the CEO of Austrian aerospace parts maker FACC, lost his job after hackers stole $47 million from the company by posing as Stephan in emails to employees;
- That same year, University of Kansas employees lost pay because they responded to a phishing email with their direct deposit numbers;
- And who could forget Google and Facebook being taken for a combined $100 million over two years through an elaborate fake invoice scheme?
Phishing preys on our most basic instincts for community and belonging. Unfortunately, that is why organizations must take it upon themselves to teach employees to act against those impulses in the interest of self-protection. Such education and empowerment will fortify a technology-only approach to combating hackers.
Anti-Phishing Success – End Users Are Your Strongest Defense
Email users are the weakest link – until they’re not. When taught and tested on the red flags to look for, on a regular basis, employees become the organization’s strongest line of phishing defense.
The old ways of doing this are just that – outdated. It’s no longer sufficient to try to trap employees into clicking on a suspicious link. Not only does this tend to result in a punitive message to the people who click, it also tends to encourage them to stop reporting altogether.
These days, the most forward-thinking IT teams are achieving higher awareness and changing user behavior by following these modern best practices:
- Sending simulated phishing messages on a frequent basis. One area where many organizations fall short in their cybersecurity defense is timing. IT teams need to expose employees to regular phishing attempts that look real. This reinforces what a phishing message looks like and changes how people react to it – for example, hitting the “report” button rather than opening the email. Simulated phishing messages, which can be built from templates, need to be sent at least once per month and should include follow-up attempts aimed at the staff who clicked.
- Mimicking current phishing efforts. The three most successful phishing topics from June 2018 to July 2019, measured by how often they fooled employees, were “Account Security Alert,” “Package Delivery” and “File From Scanner,” according to Cofense. In addition, Cofense has found that 74 percent of real phishing messages seek users’ credentials. At the same time, fewer than 20 percent of organizations send simulations of these kinds.
- Relying on reporting to predict user reactions in real attacks. Again, moving away from employee click rates as the metric is key to fighting back against hackers. Combine reporting data across simulations to forecast how staff are likely to respond when a phishing message slips past the secure email gateway. Some anti-phishing platforms make this capability and analysis easier than others.
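The three practices above come down to running monthly simulations, measuring reporting rather than just clicking, and feeding the people who clicked into the next round. The script below is an added example (not from the article or from Cofense) showing how a defender might compute those numbers from campaign results. The record schema (user, department, clicked, reported), the sample data and the “resilience ratio” (reports per click) are all constructed for illustration; real anti-phishing platforms export their own formats.

```python
from collections import Counter, defaultdict

# Constructed sample data for two monthly simulation campaigns (not real
# results). The record schema (user, dept, clicked, reported) is an assumption;
# real anti-phishing platforms export their own formats.
CAMPAIGNS = [
    {
        "name": "2019-06 Package Delivery",
        "results": [
            {"user": "alice", "dept": "finance", "clicked": False, "reported": True},
            {"user": "bob",   "dept": "finance", "clicked": True,  "reported": False},
            {"user": "carol", "dept": "hr",      "clicked": True,  "reported": True},
            {"user": "dave",  "dept": "hr",      "clicked": False, "reported": False},
            {"user": "erin",  "dept": "eng",     "clicked": False, "reported": True},
            {"user": "frank", "dept": "eng",     "clicked": True,  "reported": False},
        ],
    },
    {
        "name": "2019-07 Account Security Alert",
        "results": [
            {"user": "alice", "dept": "finance", "clicked": False, "reported": True},
            {"user": "bob",   "dept": "finance", "clicked": True,  "reported": False},
            {"user": "carol", "dept": "hr",      "clicked": False, "reported": True},
            {"user": "dave",  "dept": "hr",      "clicked": True,  "reported": False},
            {"user": "erin",  "dept": "eng",     "clicked": False, "reported": True},
            {"user": "frank", "dept": "eng",     "clicked": False, "reported": False},
        ],
    },
]


def campaign_metrics(results):
    """Summarise one campaign. The report rate is the headline number; the
    resilience ratio (reports per click) is a metric defined here for
    illustration, so that more reports and fewer clicks both push it up."""
    total = len(results)
    clicks = sum(1 for r in results if r["clicked"])
    reports = sum(1 for r in results if r["reported"])
    return {
        "recipients": total,
        "clicks": clicks,
        "reports": reports,
        "click_rate": clicks / total if total else 0.0,
        "report_rate": reports / total if total else 0.0,
        "resilience_ratio": reports / clicks if clicks else float("inf"),
    }


def metrics_by_department(results):
    """The same summary per department, to see where awareness lags."""
    groups = defaultdict(list)
    for r in results:
        groups[r["dept"]].append(r)
    return {dept: campaign_metrics(rows) for dept, rows in sorted(groups.items())}


def follow_up_targets(campaigns, repeat_threshold=2):
    """Who to include in the next follow-up simulation: everyone who clicked
    in the most recent campaign, plus anyone who has clicked in at least
    `repeat_threshold` campaigns overall (a constructed rule of thumb)."""
    latest = campaigns[-1]["results"]
    recent_clickers = {r["user"] for r in latest if r["clicked"]}
    click_counts = Counter(
        r["user"] for c in campaigns for r in c["results"] if r["clicked"]
    )
    repeat_clickers = {u for u, n in click_counts.items() if n >= repeat_threshold}
    return {"recent_clickers": recent_clickers, "repeat_clickers": repeat_clickers}


if __name__ == "__main__":
    for c in CAMPAIGNS:
        m = campaign_metrics(c["results"])
        print(f"{c['name']}: report rate {m['report_rate']:.0%}, "
              f"click rate {m['click_rate']:.0%}, "
              f"resilience {m['resilience_ratio']:.2f}")
    print("follow-up:", follow_up_targets(CAMPAIGNS))
```

Tracked month over month, a rising report rate with a falling click rate is the trend the article is asking for; the per-department breakdown shows where the next round of templates should be aimed.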
Technology + People = A Tougher Time for Hackers
The number of phishing attempts grows each day, and hackers transform the messages constantly in hopes of duping users. Organizations must do more than install the latest technology. They must also focus cybersecurity efforts on employee education and behavior modification. Humans have sensors and sensibilities that machines do not. Using those instincts to the advantage of the business overall will help avert disaster, saving money, reputation and time.