The bad guys use phishing because it works, and it works because it exploits weaknesses in human psychology and organisational culture. We won’t fix cybersecurity until we fix those things.
Ninety percent of cyber-attacks start by someone clicking on an email, said Royce Curtin, head of intelligence at Barclays Bank, at the company’s New Frontiers conference earlier this month.
“People are the weak link,” the company tweeted as he spoke.
Curtin didn’t need to pick that number purely for rhetorical effect. There’s research to back it up.
We know, for instance, that spear phishing is a favored technique of advanced persistent threat (APT) groups. We know that email is how the Bad Things get to us. And we know that imperfect, distracted, fallible humans don’t always notice when an email is really a container for Bad Things in camouflage.
Trend Micro made the point in the title of their 2012 white paper Spear-Phishing Email: Most Favored APT Attack Bait. They found that “91 percent of targeted attacks involve spear phishing emails”.
“APT campaigns frequently make use of spear phishing tactics because these are essential to get high-ranking targets to open phishing emails. These targets may either be sufficiently aware of security best practices to avoid ordinary phishing emails or may not have the time to read generic-sounding messages. Spear phishing significantly raises the chances that targets will read a message that will allow attackers to compromise their networks,” Trend Micro wrote.
PhishMe, a company that provides phishing threat management with a human focus, reported the same 91 percent figure in their 2017 Phishing Defense Guide [PDF].
“Phishing remains the No. 1 attack vector today because it works … Employees are easier targets due to their susceptibility to various emotional and contextual triggers,” the company wrote. Their analysis showed that two of the three most successful emotional triggers were fear and urgency.
“Fear and urgency are a normal part of everyday work for many users. Consider that most employees are conscientious about losing their jobs due to poor performance (fear) and are often driven by deadlines (urgency), leading them to be more susceptible to phish with these emotional components.”
Meanwhile in New Zealand, the University of Otago analyzed the impact of spear phishing attacks starting in June 2013.
They found that when employees fell for a phish, they were usually away from their desk, using mobile devices which didn’t necessarily display the email in full. It usually happened outside business hours, too, either late at night when they were tired or first thing in the morning when they were busy starting their household’s daily routine.
“This expectation that we’re going to ask people to work long hours, be on call to answer emails and queries at any time, has a huge downside, and that’s about managing expectations,” said Mark Borrie, the university’s information security manager, at the AusCERT Information Security Conference in 2015.
Organizations implicitly train users to respond to bad emails, said Borrie, by allowing inconsistent-looking email systems to be used. He cited a student timetable system that sent emails not from the university’s otago.ac.nz domain, but from the username otago-m at an external .com domain, and those emails contained a clickable link to a second, different external .com domain.
In a nutshell, then, organizations create the very conditions that will increase their employees’ vulnerability to phishing attacks.
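One way to catch this kind of inconsistency in an organization’s own legitimate mail before users learn to accept it, as an added example that is not part of the article: a Python check that flags sender addresses and embedded links whose host does not belong to the organization’s domain. The domain otago.ac.nz is taken from the article; the sample messages and the example.com / example.net placeholder domains are constructed.

```python
import re
from urllib.parse import urlparse

# Organization domain from the article; everything else here is a constructed sample.
ORG_DOMAIN = "otago.ac.nz"

# Rough matcher for http(s) links in a plain-text body.
LINK_RE = re.compile(r'https?://[^\s<>"\')]+')


def belongs_to_org(host: str, org_domain: str) -> bool:
    """True if host is the org domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)


def sender_host(sender: str) -> str:
    """Extract the domain part of 'Name <user@host>' or 'user@host'."""
    match = re.search(r"<([^>]+)>", sender)
    addr = match.group(1) if match else sender
    return addr.rsplit("@", 1)[-1].strip().lower()


def audit_message(sender: str, body: str, org_domain: str = ORG_DOMAIN) -> list:
    """Return the inconsistencies a user would see in this message.

    An empty list means the sender and every link are on the org domain,
    i.e. the message looks the way legitimate internal mail should look.
    """
    findings = []
    host = sender_host(sender)
    if not belongs_to_org(host, org_domain):
        findings.append(f"sender domain {host} is outside {org_domain}")
    for url in LINK_RE.findall(body):
        link_host = (urlparse(url).hostname or "").lower()
        if not belongs_to_org(link_host, org_domain):
            findings.append(f"link host {link_host} is outside {org_domain}")
    return findings


# Constructed samples: one consistent message, one shaped like the timetable case.
CONSISTENT = ("Timetable <timetable@otago.ac.nz>",
              "Your timetable: https://timetable.otago.ac.nz/week")
INCONSISTENT = ("otago-m@example.com",
                "Your timetable has changed, log in at https://example.net/login")

if __name__ == "__main__":
    for sender, body in (CONSISTENT, INCONSISTENT):
        print(sender, "->", audit_message(sender, body) or ["consistent"])
```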
Phishing awareness training exists, of course, but it has limited effectiveness.
In 2016, researchers at Germany’s Friedrich-Alexander-Universität (FAU) found that even when users knew that clicking on a link could be risky, they still clicked on it. In their research, 56 percent of email recipients, and around 40 percent of Facebook users, clicked on a link from an unknown sender.
While 78 percent of participants said they were aware of the risks, the most common reason given for clicking was curiosity.
Curiosity was the third of the top three emotional triggers identified in PhishMe’s research, along with fear and urgency.
“You don’t stop phishing attacks by raising user awareness,” PhishMe wrote, but that isn’t an argument against anti-phishing training. “Focusing on awareness isn’t the point. The real solution is behavioral conditioning,” the company wrote.
“With this level of understanding, we can condition our employees to be on the lookout for their natural reactions to malicious emails, and to use those reactions as a trigger to look more closely for technical and process errors in what they are seeing.”
The organizations that will succeed in this strategy will have developed a workplace culture where fear and urgency are not business as usual, but are red flag indicators that something is going wrong.
They will also have a culture where questioning the instructions in a message, or pointing out that things are going wrong, is seen as being smart and resilient, not as a sign of incompetence or of not being a “team player”.
But of course every organization already has that culture, right? If not, Royce Curtin will be citing that 90 percent figure for years to come.