We humans are problematic. We’re distracted, curious, and assume that bad things only happen to other people. These characteristics don’t bode well for enterprises that rely on employee awareness training to protect against phishing. Even after attending phishing awareness training, many employees are still not able to detect cleverly disguised spear-phishing emails, especially if they look like credible emails that they normally expect to see in their inboxes, such as corporate communications, password change notifications, and HR documents. In fact, a recent Intel Security study showed that 97% of people can’t identify phishing emails, which is especially worrisome since the number of phishing attacks is rapidly growing, with two-thirds of organizations experiencing targeted, personalized attacks.
Spear-phishing emails usually appear to come from a known sender or company and contain either weaponized attachments that can infect endpoints with malware or include links to malicious sites disguised as legitimate. The malicious sites often try to bait users into submitting confidential information that can result in credential theft. It only takes one person to download an attachment or click on a malicious link to cause a security breach.
How spear-phishing preys on the human psyche
Are you confident that your employees can detect a spear-phishing attack? Spear-phishing works because attackers do their homework and do it well. They study social media profiles, corporate websites, news websites, and press releases to select their targets. Then they create the spear-phishing bait: credible-looking, personalized emails that are designed to play on a person’s natural curiosity by seeming to come from a known sender, referring to a past experience, or raising an interesting question.
Phishing awareness training provides employees with practical tips on how to identify phishing threats. These tips include looking for mismatched URLs and misleading domain names, poor spelling and grammar in emails, and requests for money or personal information. However, studies show that curiosity, overconfidence, and security fatigue can lead to employees taking the phishing bait, even if they know what to look for to detect phishing attacks. For example:
- A recent study by researchers at Friedrich-Alexander-Universität (FAU) in Germany notes that curiosity plays an important role in employee behavior, especially when a mail is crafted to seem relevant to an employee’s day-to-day tasks. The study found that 20% of email recipients will click on links from an unknown sender, even if they are aware of the risks. This percentage increases to 56% if emails are personalized to address the recipient by their first name.
- A new study from the University of Texas at Austin (UTSUA) identifies overconfidence as contributing to the success of phishing attacks. The study had subjects try to distinguish between genuine and malicious emails. Afterwards, the subjects explained why they chose to open the malicious emails. “Many times, people think they know more than they actually do, and are smarter than someone trying to pull off a scam via an e-mail."
- According to a study by the National Institute of Standards and Technology (NIST), security fatigue (a weariness or reluctance to deal with IT security) can result in risky computing behavior at work. Researchers interviewed subjects ranging in age from their 20s to 60s about their online computing behavior. The data showed that users feel overwhelmed by security issues and are tired of being faced with hundreds of security-related decisions each day. This can lead to impulsive behaviors and failing to follow security recommendations.
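Two of the training tips above, mismatched URLs and misleading domain names, can also be checked mechanically before a message ever reaches an inbox. The following is an added example, not code from the original article or from Symantec: it parses the HTML body of a constructed sample email, compares the domain shown in each link’s visible text with the host its href actually points at, and flags the pairs that disagree. The domain comparison uses a deliberately simple "last two labels" approximation of the registrable domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain by its last two labels (ignores multi-part TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_mismatched_links(html):
    """Return links whose visible text names one domain while the href resolves to another."""
    parser = _LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        actual_host = urlparse(href).hostname or ""
        shown = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
        # Links whose text carries no domain at all ("click here") are not judged here.
        if shown and registrable_domain(shown.group(1)) != registrable_domain(actual_host):
            hits.append({"shown": shown.group(1), "actual": actual_host, "href": href})
    return hits


# Constructed sample: a password-expiry lure whose first link hides the real host
# behind a familiar-looking prefix; the second link is honest and must not be flagged.
SAMPLE_EMAIL = """<p>Your password expires today. Reset it now:</p>
<a href="http://example-bank.com.login-verify.invalid/reset">https://example-bank.com/reset</a>
<a href="https://www.example-bank.com/help">example-bank.com</a>"""
```

Only the first link is reported, because "example-bank.com" in its text is a subdomain prefix of the unrelated host "login-verify.invalid".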
Taking the human factor out of the equation
Since it’s human nature for employees to be curious, overconfident, and weary from being on the constant lookout for threats, security-minded enterprises should consider a phishing solution that does not depend entirely on employee awareness or responsible behavior. Web isolation has emerged as a leading technology to protect against malware and phishing. It creates a secure remote execution environment between users and the web, enabling users to safely browse the web without worrying about malware infections. In addition, credential theft is eliminated because websites can be rendered in read-only mode, which prevents users from entering passwords and other sensitive information.
Web isolation relieves employees from the phishing guessing game by providing enterprises with an effective anti-phishing solution in addition to their anti-phishing training programs. For information on the Symantec Web Isolation phishing solution, we invite you to download our data sheet.