How Phishing Defense Is Like Herd Immunity

You know the signs: Fever, chills, aches, a cough, maybe a sore throat. Yep, you’ve caught a virus. Similarly, your computer has some telltale warning signs designed to let you know when it has caught a virus too—slow performance, unexpected pop-ups, missing files, crashes, and error messages. Of course, most malware delivered through email phishing scams doesn’t want to be detected; it wants to continue to work in the background, stealthily stealing information and credentials unbeknownst to users. While most organizations know they can’t simply rely on a human firewall—ultimately, we all make mistakes—they are still looking for effective solutions to tackle this rising problem.

Just as with viruses, there is an opportunity to take another medical/epidemiological term and see what we may learn by applying it to cybersecurity in general and phishing in particular: herd immunity.

How the Concept of Herd Immunity Applies to Email Phishing

In the medical community, herd immunity refers to the notion that if the majority of the population, or herd, is vaccinated against a disease, the disease won’t be able to spread successfully (most experts say 80-95% is the magic number at which herd immunity takes hold, depending on how contagious the disease is). What’s attractive about herd immunity is that it protects those who cannot be vaccinated, such as the very young, the very old, pregnant women, and those who are too weak from other illnesses (the concept has also been used by people who have adopted an anti-vaccination stance for their children; they argue that if most children are vaccinated, their unvaccinated children should be protected due to herd immunity).

Now that you know what herd immunity is, how does the concept apply to the computer world—and email phishing prevention in particular?

Let’s say that the Acme Corporation has deployed anti-phishing software for its users, but only a subset of those users are actively marking safe and suspicious emails. If Acme is able to get a sufficient number of employees to help flag phishing email scams, it protects the organization as a whole by also preventing those phishing attempts from getting through to employees who are less skilled in email phishing prevention. Now, even if an attack comes through, it is far more likely to get caught, and the spread will be greatly limited.

There’s another benefit to herd immunity: the reduction of “false positives,” in which a legitimate business email is flagged as phish and placed into quarantine. These false positives can be very frustrating, especially when the message concerns a bill or critical project details. When even a fraction of an organization’s employees are red-flagging suspicious or malicious emails, the company can reduce the amount of white noise generated by false positives. This makes red-flagged emails less frequent, which in turn makes employees more aware of the few that do get through.

The Danger of Relying on Herd Immunity for Anti-Phishing

As the Acme Corporation example above highlighted, herd immunity can help reduce the threat of malware—but it can’t stop it completely. Many phishing email scams aren’t random. Instead, scammers target individuals after acquiring information that can be used to their advantage. For example, spear phishing emails are addressed to a specific person and gain the recipient’s trust by impersonating another employee or contractor in order to obtain sensitive data. Whaling scams use the same tactic, but go after the big fish in the C-suite. So, back to Acme: if the phishing email is sent to that one person who doesn’t have anti-phishing software installed on their device, the threat can only be contained—not stopped.
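As an added example (not code from the original post or from Clearedin), here is a minimal model of the crowd-reporting rule the Acme scenario describes: a campaign is quarantined for everyone once enough distinct recipients report their copy, a threshold above one absorbs the single mistaken flag that causes false-positive noise, and a spear phish sent to one person leaves the rule with no herd to draw on. The Message type, the sender-plus-subject fingerprint and the two-reporter threshold are assumptions for illustration.

```python
from collections import defaultdict, namedtuple
import hashlib
import re

# One delivered copy of an email (constructed sample type, not a vendor API).
Message = namedtuple("Message", "sender subject recipient")


def fingerprint(sender: str, subject: str) -> str:
    # Collapse every copy of one campaign to one key: same sender and same
    # subject once Re:/Fwd: prefixes, case and extra whitespace are removed.
    subj = re.sub(r"\s+", " ", subject.strip().lower())
    subj = re.sub(r"^((re|fw|fwd):\s*)+", "", subj)
    return hashlib.sha256(f"{sender.lower()}|{subj}".encode()).hexdigest()[:16]


class HerdQuarantine:
    # Holds every copy of a campaign once `threshold` distinct recipients have
    # reported it. A threshold above 1 keeps one mistaken flag from quarantining
    # legitimate mail company-wide (the false-positive noise described above).
    def __init__(self, threshold: int = 2):
        self.threshold = threshold
        self.copies = defaultdict(list)    # fingerprint -> delivered copies
        self.reporters = defaultdict(set)  # fingerprint -> users who reported
        self.quarantined = set()

    def deliver(self, msg: Message) -> str:
        fp = fingerprint(msg.sender, msg.subject)
        self.copies[fp].append(msg)
        return fp

    def report(self, msg: Message) -> bool:
        # A user flags their own copy; True when this report trips quarantine.
        fp = fingerprint(msg.sender, msg.subject)
        if msg not in self.copies[fp]:
            return False  # ignore reports for mail that was never delivered
        self.reporters[fp].add(msg.recipient)
        if fp not in self.quarantined and len(self.reporters[fp]) >= self.threshold:
            self.quarantined.add(fp)
            return True
        return False

    def shielded(self, fp: str) -> set:
        # Recipients whose copy is held only because *other* users reported it;
        # a single-recipient spear phish can never be shielded this way.
        if fp not in self.quarantined:
            return set()
        return {c.recipient for c in self.copies[fp]} - self.reporters[fp]
```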

Just one infection can have serious consequences. Consider a Business Email Compromise (BEC) phishing scam. This is a method of phishing that doesn’t even involve clicking a suspicious link; instead, a BEC targets lower-level employees who still possess administrative rights by pretending to be a member of the C-suite and requesting sensitive information. This phishing scam works well in large corporations where employees know the name of the executives, but rarely, if ever, interact with them. It relies upon social engineering and organizational etiquette; most employees don’t want to question or say no to an executive. In these cases, one employee can wind up hand-delivering highly sensitive data or banking information right to the scammer.

Ultimately, simply relying on herd immunity is not a complete strategy for long-term success. While it can prevent a complete outbreak, it cannot prevent targeted infections. To protect yourself and your organization from these types of phishing email attacks, suspicious messages need to be red-flagged immediately. This is the approach that Clearedin is taking. We get to know the communication patterns and rhythms that are specific to each organization in order to flag potential phishing emails with amazing accuracy. Want to learn more about anti-phishing?
