Why You Should Stop Using A Rule-Based Approach For Phishing

If rules were meant to be broken, how come so many anti-phishing approaches continue to follow them?

Rule-based approaches to phishing detection are designed to make the detection process simple and intuitive. Rules are written from a variety of signals, and as new threats come in, more rules are added. Sounds like a great solution, right? While it may appear that way, in reality a rule-based anti-phishing approach grows quite complex, and individual rules lose their effectiveness over time as attackers adapt to them.

Six Common Techniques in Rule-Based Anti-Phishing

Here is a look at the six most common techniques employed by a rule-based anti-phishing approach.

1. Blacklist-based. 

This rule checks URLs against blacklists of known phishing and malware pages, such as those published by the major search engines. It can only catch URLs that have already been reported, so a freshly registered phishing domain passes until someone lists it.

2. Reputation-based.

As the name implies, this rule relies on historical statistics on domains that have a reputation for hosting phishing pages, sometimes unintentionally (a compromised legitimate site, for instance).

3. Content-based.

A good phishing page is designed to look just like the real thing. This technique examines the HTML structure of hundreds of known phishing pages and derives rules that help judge the legitimacy of other sites.

4. Obfuscation-based.

Phishers often trick users into believing a URL belongs to a legitimate website by obfuscating it: making slight changes that are likely to go unnoticed, such as adding a hyphen, substituting an en dash for a hyphen, or inserting Unicode characters that resemble Latin letters. Rule-based anti-phishing attempts to recognize these tricks and block URLs that employ them.

5. Red Flagged Keyword-based.

Phishing emails and websites often have specific words in common. These rules are created by examining previous phishing examples and extracting the keywords they share. The keywords are indexed, and future emails or URLs that contain them are marked as phish. The weakness is obvious once stated: attackers need only reword the lure, or put the text in an image, to sidestep the list.

6. Search Engine-based.

These rules are created by crawling and indexing the pages that appear in the top search engines. URLs that appear in search results are whitelisted; those that do not are treated as phish, on the reasoning that phishing pages are short-lived and rarely get indexed. The same reasoning, of course, condemns every brand-new legitimate page.

Problems with the Rule-Based Anti-Phishing Approach

Rule-based approaches to anti-phishing follow a standard “IF/THEN” format, also known as a pattern: if condition A exists, action B is taken. Of course, that is the simplest possible rule. As more rules are added, they begin to interact with one another, and the combined conditions become very unwieldy. Eventually, you may wind up with a rule formula that looks something like this:

IF (Rule_1 <= 0) AND (Rule_7 <= 2) AND (Rule_14 <= 0) THEN phishing = No, BUT IF (Rule_1 >= 1) AND (Rule_16 >= 7) THEN phishing = Yes

Not sure about you, but frankly, that just makes our heads hurt! And as rule chains grow longer, mistakes become easier to make: two rules contradict each other, a threshold is set too loosely, and phish slip through.

That’s not the only issue with a rule-based anti-phishing approach. Phishing methods are constantly evolving, and new malicious emails are sent every day. But a new rule is not created automatically; someone has to notice the new campaign, write the rule and deploy it, and until that happens the new phish get through and into unsuspecting victims’ inboxes.
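To make that brittleness concrete, here is an added example (not code from the original article or from Clearedin) of a toy rule engine in Python. Three of the six rule families above (blacklist, red-flagged keywords, obfuscation) each return a score, and the verdict is an IF/THEN chain over those scores, in the style of the formula above. The blacklist, keyword list, homoglyph table and sample messages are all constructed for the example; the last sample, a lure on a clean domain with reworded text, passes every rule until someone writes a new one.

```python
"""Toy rule-based phishing classifier.

Added illustration; this is not any vendor's detection engine. Three rule
families each produce a score, and the verdict is an IF/THEN chain over
those scores. Blacklist, keyword list, homoglyph table and sample messages
are all constructed for this example.
"""
import re
import unicodedata
from urllib.parse import urlparse

# Rule 1: blacklist (constructed; a deployment would pull a live feed).
BLACKLIST = {"login-secure-update.example"}

# Rule 2: red-flagged keywords harvested from earlier phish (constructed).
KEYWORDS = ("verify your account", "password expired", "urgent", "suspended")

# Rule 3: obfuscation. Fold a few Cyrillic/Greek look-alikes onto Latin letters.
HOMOGLYPHS = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                            "\u0440": "p", "\u0441": "c", "\u03bf": "o"})
BRANDS = ("paypal", "microsoft")   # brands the rules know how to protect


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def rule_blacklist(url):
    return 1 if host_of(url) in BLACKLIST else 0


def rule_keywords(body):
    text = body.lower()
    return sum(1 for kw in KEYWORDS if kw in text)


def rule_obfuscation(url):
    host = host_of(url)
    folded = unicodedata.normalize("NFKC", host).translate(HOMOGLYPHS)
    score = 0
    if folded != host:                       # look-alike characters were present
        score += 1
    names_brand = any(b in folded for b in BRANDS)
    owns_brand = any(folded == f"{b}.com" or folded.endswith(f".{b}.com")
                     for b in BRANDS)
    if names_brand and (folded != host or not owns_brand):
        score += 2                           # impersonates a brand it does not own
    if re.search(r"[a-z][01](?![0-9])", folded) or host.count("-") >= 2:
        score += 1                           # digit-for-letter swaps, hyphen padding
    return score


def classify(msg):
    """IF/THEN chain in the spirit of the formula in the text; order matters."""
    r1 = rule_blacklist(msg["url"])
    r2 = rule_keywords(msg["body"])
    r3 = rule_obfuscation(msg["url"])
    if r1 >= 1:
        return "phish"
    if r3 >= 2:
        return "phish"
    if r2 >= 2 and r3 >= 1:
        return "phish"
    return "clean"


# Constructed sample messages.
SAMPLES = [
    {"id": "known_bad", "url": "http://login-secure-update.example/acct",
     "body": "Your password expired. Verify your account now."},
    {"id": "homoglyph", "url": "http://p\u0430ypal.com/signin",   # Cyrillic a for Latin a
     "body": "Please sign in to review a recent transaction."},
    {"id": "typosquat", "url": "http://paypa1-verify.example/login",
     "body": "URGENT: your account is suspended until you verify your account."},
    {"id": "legit", "url": "https://www.paypal.com/myaccount",
     "body": "Your monthly statement is ready."},
    # A new lure: clean domain, reworded text. No rule fires until someone writes one.
    {"id": "novel", "url": "https://docs-share.example/view/9f2a",
     "body": "Hi, here is the Q3 budget spreadsheet you asked for."},
]


def run(samples=SAMPLES):
    return {m["id"]: classify(m) for m in samples}


if __name__ == "__main__":
    for mid, verdict in run().items():
        print(f"{mid:10s} -> {verdict}")
```

Run it and the `novel` message comes back clean: that is the gap between a campaign starting and a rule being written. Covering it means another clause in `classify` and another threshold that has to stay consistent with the ones already there, which is exactly how the formula above grows.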

Artificial Intelligence Anti-Phishing: A Better Solution

To actively protect your company’s email accounts, technology, and data, anti-phishing software from a service provider such as Clearedin is a better solution. Rather than maintaining an ever-growing, complicated rule system, our anti-phishing service uses comprehensive and effective phishing prevention technology to protect, engage, and educate employees, working from email metadata alone (without reading message content or attachments).

Using artificial intelligence (AI) and machine learning technology, our phishing prevention software creates a business trust graph to work as an organizational communications model. The trust graph is used to validate any incoming and outgoing email and messenger communications (such as Slack) to assess their risk. The trust graph looks at:

  • Frequencies and behaviors of sender and recipient communications
  • Changes to email addresses and hyperlinks
  • Changes hidden in the encoding and structure of each email’s metadata (its headers).

As the platform learns and becomes more familiar with the patterns of communications, it becomes an even more secure defense over time. To learn more about Clearedin and our phishing software, contact our team of cybersecurity experts today!
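As an added illustration of what can be learned from headers alone, the Python below builds a minimal sender-to-recipient baseline and scores new messages against it. It is example code written for this page, not Clearedin’s product code, and it is a plain frequency model rather than a trained one; the message history and incoming messages are constructed. Where the text speaks of frequencies and behaviors and of changes to email addresses, the example checks first contact between a pair, a display name arriving from a new address, an unseen sender domain, and a Reply-To that points somewhere other than the sender’s domain.

```python
"""Metadata-only communication baseline.

Illustrative example; this is not Clearedin's product code and says nothing
about how its trust graph is built. It learns sender->recipient frequencies
and display-name/address pairings from headers alone (no bodies, no
attachments) and reports deviations. All messages are constructed.
"""
from collections import Counter, defaultdict
from email.utils import parseaddr


def _split(header):
    """Return (display name, address, domain), all lower-cased."""
    name, addr = parseaddr(header)
    addr = addr.lower()
    return name.strip().lower(), addr, addr.rsplit("@", 1)[-1]


class TrustModel:
    def __init__(self):
        self.pairs = Counter()                 # (sender, recipient) -> count
        self.name_addrs = defaultdict(set)     # display name -> addresses seen
        self.domains = Counter()               # sender domain -> count

    def learn(self, msg):
        name, addr, domain = _split(msg["from"])
        self.pairs[(addr, msg["to"].lower())] += 1
        if name:
            self.name_addrs[name].add(addr)
        self.domains[domain] += 1

    def score(self, msg):
        """Return (risk, reasons); each deviation from the baseline adds 1."""
        name, addr, domain = _split(msg["from"])
        recipient = msg["to"].lower()
        reasons = []
        if self.pairs[(addr, recipient)] == 0:
            reasons.append("first contact between this sender and recipient")
        if name and name in self.name_addrs and addr not in self.name_addrs[name]:
            reasons.append("display name previously seen with a different address: "
                           + ", ".join(sorted(self.name_addrs[name])))
        if domain not in self.domains:
            reasons.append(f"sender domain never seen before: {domain}")
        if msg.get("reply_to"):
            _, _, reply_domain = _split(msg["reply_to"])
            if reply_domain != domain:
                reasons.append(f"reply-to domain {reply_domain} differs from sender domain")
        return len(reasons), reasons


# Constructed history: headers only, one record per message.
HISTORY = [
    {"from": "Alice Smith <alice@acme.example>", "to": "bob@acme.example"},
    {"from": "Alice Smith <alice@acme.example>", "to": "bob@acme.example"},
    {"from": "Carol Jones <carol@acme.example>", "to": "bob@acme.example"},
    {"from": "Vendor Billing <billing@vendor.example>", "to": "bob@acme.example"},
]

# Constructed incoming messages to score against that history.
INCOMING = {
    "routine": {"from": "Alice Smith <alice@acme.example>", "to": "bob@acme.example"},
    "lookalike_exec": {"from": "Alice Smith <alice.smith@acme-payroll.example>",
                       "to": "bob@acme.example",
                       "reply_to": "alice.smith@acme-payroll.example"},
    "vendor_reply_to": {"from": "Vendor Billing <billing@vendor.example>",
                        "to": "bob@acme.example",
                        "reply_to": "accounts@vendor-pay.example"},
}


def build_model(history=HISTORY):
    model = TrustModel()
    for msg in history:
        model.learn(msg)
    return model


def score_all(model=None, incoming=INCOMING):
    if model is None:
        model = build_model()
    return {key: model.score(msg)[0] for key, msg in incoming.items()}


if __name__ == "__main__":
    model = build_model()
    for key, msg in INCOMING.items():
        risk, reasons = model.score(msg)
        print(f"{key:16s} risk={risk} {'; '.join(reasons)}")
```

The four signals are weighted equally here; a real system would weight them by history and volume. Note that a genuinely new vendor also scores as first contact plus unseen domain, which is why a baseline of this kind gets more useful as it sees more traffic rather than being trusted on day one, and why Reply-To pointing off-domain on an otherwise familiar vendor thread is worth its own flag.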
