Phishing emails occupy a unique place in our society. Their concept is simple enough for anyone – from layperson to security expert – to understand. However, if you thought this simplicity would translate to easier, more universal phishing protection, nothing could be further from the truth.
Phishing emails still have a worryingly high hit rate. Research from 2020 found that 91% of all cyber attacks begin with a phishing email to an unsuspecting victim. In mid-April of last year, Google’s Threat Analysis Group reported that they detected 18 million COVID-19 themed malware and phishing emails per day. And that’s without including all the business email compromise, invoice fraud, payroll fraud, and other email attack variants that continue to successfully steal money, data, and peace of mind from their victims.
Why are phishing attacks still successful? Haven’t we all watched endless hours of security awareness training videos that instruct us not to click suspicious links? Haven’t email security products been around for ages and already solved this problem? What gives?
In this article, I will highlight why our brains are destined to eventually fall for phishing attacks, how cybercriminals have adapted to modern work practices to make phishing emails more successful, and tips for organizations looking to contain the ever present phishing threat.
Why phishing attacks still work
Our brains are wired to make fast decisions
Daniel Kahneman’s book, Thinking, Fast and Slow, introduces us to two information processing and decision making systems our brains have. System 1 is the automatic, unconscious, and fast mode of thinking, offering little to no rationale behind its actions. System 2 is the slow, methodical, and analytical mode of thinking, skeptical and rational by default.
Security awareness training programs require us to operate in the System 2 mode of thinking, always being circumspect about the emails we receive. But with information assailing us throughout the work day, the only way for the brain to cope is to operate in System 1 thinking whenever possible. Putting every email under a microscope is a laudable goal, but when our inboxes fill up with hundreds of unread messages every day, the microscope rarely gets used in reality.
The truth is that humans fall for phishing emails not because they’re stupid or lazy or don’t apply the training they receive. They fall for phishing attacks because they’re busy juggling scores of pending tasks, and taking quick action on some (or all) of these tasks is the most effective way to get through the day.
Cybercriminals know this, and have adapted their phishing attempts accordingly.
Digital communication and technology are an indelible part of our lives, which has resulted in a large number of workflows that happen over email, often with automated emails that encourage quick human action. Many of today’s email attacks replicate these workflows to trick victims into reverting to muscle memory before the brain catches up to what’s happening.
As security technologies have gotten better at detecting malicious links, many email attacks now avoid links altogether and use social engineering techniques to plant their payload. This could mean preying on our fears and anxieties (e.g., COVID-themed emails, emails chiding readers for late or missed payments, or emails purporting to come from the IRS). It could also mean playing on our hopes, dreams, and goals (e.g., emails promising inheritance payments, emails asking for donations to worthy causes, or emails informing victims they've been selected for something they always wanted).
When attackers target people with words, even the most technical and security-aware among us aren’t immune from compromise. A recent social engineering scam expressly targeted security researchers under the guise of collaborating on vulnerability research and security awareness. The irony here hits like a hammer.
Tips to contain today’s phishing attacks
While the article so far makes it sound like we’re destined to fall for phishing attacks, there are best practices we can follow and tweaks we can make to existing processes to contain the occurrence and impact of these attacks.
Bring security awareness programs closer to reality
To complement security awareness programs, organizations should consider educating end users when real-life suspicious emails hit their inbox. In-context education like email warning banners can inform users with relevant examples from their inbox without negatively impacting their existing work behaviors. These banners can also include buttons for end users to mark the emails as safe or suspicious, taking some load off the security team.
Use MFA on accounts and workflows
It’s definitely a good idea to enable multi-factor authentication (MFA) on business and personal accounts. Having MFA on just business accounts doesn’t solve the entire problem, because cybercriminals can still compromise employee personal accounts and use those accounts to effect follow-up chaos.
Employees should be encouraged to replicate MFA, in the loosest sense, for any email that makes unusual requests related to money or data. For example, has a vendor emailed the accounts payable team with a sudden change in their bank account details, right when an invoice is due? The team should call or text the vendor and confirm that they sent the email. Even if the vendor is very busy, the caution is certain to be appreciated.
Your organizational data is your friend – use it
Mass phishing emails are largely a thing of the past. Today’s phishing emails are more likely to come from a trusted entity, like managers, vendors, or reliable technology brands. The emails will also include just enough context to make victims feel like it’s legitimate communication. Since scammers are weaponizing organizations’ data in their attacks, it makes sense for organizations to leverage the same data (and more) in their email security stack.
Organizations should ensure their security solutions measure communication baselines to identify what’s normal and what isn’t, enabling them to spot anomalies and catch targeted phishing attacks that would otherwise slip past binary detection techniques. Did an employee just email the payroll team from their personal account, asking to change direct deposit details one day before payday? Is an employee suddenly forwarding tons of emails to their personal account after logging in from an unusual location? When email attacks lack traditional payloads, understanding and learning from organizational context like this is vital.
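A minimal illustration of the baseline-and-anomaly idea above, added here as an example (it is not code from the author or from any email security product): it learns each user's usual login locations and forwarding volume from a constructed history, then flags the two scenarios just described. The corporate domain, event field names and thresholds are assumptions made for the example.

```python
from collections import Counter, defaultdict
CORP_DOMAIN = "example.com"  # assumed corporate domain (not from the article)

# Constructed history of past events, (user, kind, detail): this is "normal".
HISTORY = [("alice", "login", "US"), ("alice", "login", "US"), ("alice", "forward", 1),
           ("bob", "login", "DE"), ("bob", "login", "DE"), ("bob", "forward", 2)]

def build_baseline(history):
    """Per user: countries seen at login, and the largest forward batch seen."""
    logins, max_fwd = defaultdict(set), Counter()
    for user, kind, detail in history:
        if kind == "login":
            logins[user].add(detail)
        elif kind == "forward":
            max_fwd[user] = max(max_fwd[user], detail)
    return {"logins": logins, "max_fwd": max_fwd}

def detect(events, baseline, days_to_payday):
    """Walk new events in order; return (event index, label) for each anomaly."""
    alerts, odd_login = [], set()  # users whose most recent login was unusual
    for i, ev in enumerate(events):
        user = ev["user"]
        if ev["kind"] == "mail":
            # Sender outside the corporate domain asking payroll for a direct-deposit change right before payday.
            sender_domain = ev["from"].rsplit("@", 1)[-1].lower()
            if (sender_domain != CORP_DOMAIN and ev["to"] == f"payroll@{CORP_DOMAIN}"
                    and "direct deposit" in ev["subject"].lower() and days_to_payday <= 1):
                alerts.append((i, "payroll-change-from-personal-account"))
        elif ev["kind"] == "login":
            if ev["country"] in baseline["logins"].get(user, set()):
                odd_login.discard(user)
            else:
                odd_login.add(user)
                alerts.append((i, "login-from-unusual-location"))
        elif ev["kind"] == "forward":
            # Forward batch far above the user's baseline, to an external domain; escalate if it follows an unusual login.
            big = ev["count"] > max(5, 3 * baseline["max_fwd"][user])
            if big and ev["to_domain"] != CORP_DOMAIN:
                label = ("mass-forwarding-after-unusual-login" if user in odd_login
                         else "mass-forwarding-to-external-domain")
                alerts.append((i, label))
    return alerts

# Constructed sample events reproducing the article's two scenarios.
EVENTS = [
    {"user": "alice", "kind": "mail", "from": "alice.smith@freemail.example",
     "to": "payroll@example.com", "subject": "Urgent: update my direct deposit"},
    {"user": "bob", "kind": "login", "country": "FR"},
    {"user": "bob", "kind": "forward", "to_domain": "freemail.example", "count": 40},
]
```

In practice the baseline comes from weeks of mail-flow and identity logs rather than a handful of events, and each label would feed a triage queue rather than an automatic block.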
Eliminating phishing attacks is a pipe dream because our brains are hardwired to think fast, not slow. However, the intent is not to achieve a mythical level of perfect protection. The intent is to raise the bar for cybercriminals, making it as tough as possible for them to achieve their nefarious aims. The tips provided above should hopefully help organizations start asking the right questions and get basic email security hygiene in place.