Phishing has reached epidemic proportions, and it shows no signs of slowing down. According to a 2018 Data Breach Investigations Report, “Phishing and pretexting represent 98% of social incidents and 93% of breaches. Email continues to be the most common vector (96%).” Why are phishing scams such a popular tactic of hackers?
Because of the ease at which attacks can be carried out. There’s no need to try to infiltrate a system or find infrastructure vulnerabilities; instead, the hacker simply targets an organization’s weakest link—its employees. To successfully phish, all they need to do is dupe just one person—sometimes out of hundreds or even thousands of employees—into opening an email or clicking a link or attachment. As you can see, the odds favor the hacker.
That’s why good phishing protection habits are critical for the protection of data. While many may think that this means more employee training (that can be a start), it is not the answer.
Why Phishing Prevention Training May Not Be Effective
Phishing prevention training means different things to different companies. For some, it’s a one-off “lunch-and-learn” session in which the information probably goes in one ear and out the other for most employees. Companies taking the threat a bit more seriously may hold ongoing user awareness training sessions to reinforce previous teachings and highlight new threats. And then there are companies that have adopted more sophisticated training known as phishing simulations.
Also known as “phishing your own employees,” phishing simulations involve the internal IT team or an external third-party sending phony emails that include links, attachments, or requests for personal information to employees. It’s all designed to see if any employee takes the bait. If they do bite, they’ll be notified immediately with a screen explaining what just happened, or they’ll be summoned to a superior to learn more. Employees repeatedly falling for phishing simulations may be penalized or eventually terminated.
But that’s the problem with phishing simulations; employees begin to resent the company, feeling they’re being unfairly targeted. Here they are, simply trying to do their job, and someone who is supposed to be on their side is getting in the way of that, tricking them into getting into trouble. “We can't expect users to remain vigilant all the time…” Kate R of the National Cyber Security Center points out. “Being aware of the threat from phishes whilst at your desk is hard enough. But phishing can happen anywhere and anytime, and people respond to emails on their phones and tablets, and outside core hours. Clicks happen.”
One final factor that training cannot always account for is social engineering. While people may be able to be trained to avoid clicking suspicious links or attachments, it’s harder to break hard-wired behavior, such as obeying the orders of a superior—especially the CEO. A phishing scam tactic not involving links or attachments, called business email compromise (BEC) phishing, involves a hacker posing as a member of the C-Suite and requesting information such as W-2 forms or social security numbers from a lower level employee. Not wanting to question the boss, the employee does as they’re told, exposing sensitive company or employee information.
Putting the Focus on Phishing Protection Habits
Rather than relying on a human firewall, which is what phishing prevention training essentially boils down to, organizations may want to consider a different approach, one that truly enforces phishing protection habits. These are “teachable moments,” and something that a strong anti-phishing platform can provide. The benefit of this approach is that it’s a steady and ongoing, “in the moment” way of incrementally building good security hygiene until it becomes second nature to the end-user.
Any good anti-phishing solution will red-flag suspicious emails with a phishing alert, disarming and locking the email so it cannot be replied to or forwarded. However, employees can open it to learn why the email was flagged. There are a number of reasons why it may be flagged, such as:
- Displayed text is different from real URL
- It contains words that are frequently used in email phishing (e.g., password)
- Sender belongs to an unsecure domain
- Sender’s address is unusual or questionable
Rather than give employees an information dump at a lunch-and-learn, or tricking them with simulations, this method of phishing defense develops good phishing protection habits over time through teachable moments. It provides employees visual cues at the moment of attack so that in time, recognizing the signs of email phishing will become second nature.
Quit spending time and money on training tactics that don’t work, erode over time, or alienate your employees. With an anti-phishing solution, you can engage employees and make them an active participant in the war on phishing. Get your employees ready for combat with Clearedin anti-phishing solutions. Contact the experts at Clearedin today to learn more about our phishing protection software and how it helps develop better phishing protection habits.