You know the feeling. A user has done something incredibly dumb. Like opening a strange attachment despite all the counter-phishing training you did last month. And your brain cells all scream at once, just one single word.
It’s said that common sense isn’t common. When it comes to IT, it’s even more true. A recent study found one in two users would click on links sent to them by strange senders via Facebook or E-mail.
And even worse? The same study found even if the subjects knew the risks involved, they still clicked on them.
Given that phishing—and in particular, spear phishing—can cost your company $150,000 or more, it’s a rather big deal. But the big question is this: what in the heck can you actually do about it?
Users Are Natural Phish Bait – Hook, Line and Sinker
People aren’t just suckered in by e-mails and Facebook messages—they’re equally susceptible to other forms of phishing as well. A joint study by the University of Illinois, the University of Michigan, and Google found nearly half of people would not just pick up strange USBs they found lying around—they’d plug them in, open the files inside and click on unfamiliar links.
The study involved dropping hundreds of USBs in different locations. The first drives were connected in less than six minutes. In most cases, users were connecting them for innocent reasons—discovering the owner so they could return them (68%) vs out of curiosity (18%)—but they all lead to the same result. And in Australia, this very scam is being used right now.
It seems funny in an age when children are raised on tablets and smartphones that people’s general knowledge of IT security is so lax. So why do even people who have gone through counter-phishing training still fall for this sort of scam?
So Why Do Users Still Fall for It?
Counter-phishing research has discovered several reasons your users may still be falling for phishing attacks, despite having gone through counter-phishing training.
1. Even though users know there are risks, they don’t link these risks to their own situation. In short, they don’t believe it will happen to them.
2. While users can identify familiar risks, they have difficulties generalizing what they know and applying it to unfamiliar risks. E.g. Someone who knows clicking links in unfamiliar e-mails might be bad won’t apply this knowledge to doing the same in unfamiliar Facebook messages.
3. Internet users ignore counter-phishing warnings by toolbars provided by their ISPs or web browsers.
4. Since illegitimate e-mails are blocked by spam and anti-virus software, users place an unwarranted level of trust in e-mails they do receive when they slip through the net.
So, Is Counter-Phishing Training Useless?
As much as we feel that we’re hitting our heads against a brick wall, we’re actually not. Studies show that well designed security education can be effective. Web-based training materials, contextual training, and embedded training have been shown to improve users’ ability to avoid phishing attacks in the future.
Contextual training involves sending simulated phishing emails to your users to test their vulnerabilities. At the end of this, users are given materials to inform them about phishing attacks. It was discovered users who have seen an example in action and then received educational materials were better able to avoid future phishing attacks than those who just received only the materials.
A related approach, known as Embedded training, involves teaching your users about phishing during their regular e-mail use. The user is asked to answer e-mails in their inbox, two of which include simulated phishing emails. At the moment they click on a link in the training email, an intervention is staged to train them to not fall for the attack. By training at the exact point of time the mistake is made, an association is made between the mistake and the proper approach.
However, to play devil’s advocate, counter-phishing education has been around for years… and the problem hasn’t exactly disappeared. We seem to be able to reduce the risks of phishing to some degree with proper training, but the threat isn’t entirely eliminated. And approaches that target the non-user part of the equation seem to do more damage than good.
So is there a perfect way to deal with these pesky phishers, or are we stuck with having to drill in counter-phishing techniques into users heads and hope for the best?
One thing you can do is backup your data in case users leave the door open to malware or ransomware attacks. This year is turning out to be the worst for ransomware on record and emails are still the preferred infection route. By preemptively protecting your data, you’re not leaving things up to a 50-50 coin toss that your users will put counter-phishing training to good use. For small to medium businesses, we suggest BackupAssist (Free trial here).
Got any stories about your lovably thick users or counter-phishing training at your business?