Phishing remains, despite widespread knowledge and precaution, one of the most prolific and successful of all crooked methods used to gain access to your accounts and/or sensitive data. While many know the risks, far fewer seem to comprehend just how at-risk their organization is from the co-opting of users via phishing scams.
Why exactly is phishing so popular among cybercrooks? One of my favorite phrases is “Stick to your knitting”, an adage extolling the virtue of focusing on your skills and not giving up. Well, phishers take this adage, turn it on its head, and give it a bit of a twisted spin: They like to stick with focusing on what humans are bad at doing in general – maintaining a constant state of vigilance and keeping our guard up.
Honestly, keeping your guard up gets tiring. We like to get to a point where we can let our guard down and not have to think twice about placing trust in one another. This is essentially what marriage is, or at least part of it – certainly one of the aspects which makes marriage attractive.
Phishers rely on the fact that someone, somewhere, at some point, is going to let their guard down just enough to open the user and the organization up to compromise. When maintaining a steady stream of spam e-mail and bogus URLs really doesn’t require that much effort, why not forget active measures and just let the user bring the goods directly to you?
This is why I identify two key human elements in preparing users for their inevitable encounters with phishing attempts:
1. Training and Education
Some users simply have no idea what to look for, so how can you expect them to identify a phishing attempt when it comes their way? You’re setting users up for failure otherwise. A bit of education on the basic signs of spam e-mail can go a long way: poor grammar, strange e-mail addresses, out-of-the-norm requests or orders, and basically anything that asks you for login credentials in any way, shape, or form.
I knew a user at a client site who once received an e-mail from their boss asking them to buy a bunch of gift cards, type out all the gift card numbers, and forward them all of the numbers as part of something related to employee incentives or charity. Of course, it wasn’t really from their boss – and it wasn’t for charity. It was a classic scam.
Unfortunately, the user fell for it. You know what? There, but for the grace of God, go I; it’s not like I couldn’t fall for something similar if the scam is sophisticated enough. But in this case, some education could’ve gone a long way. If it had been drilled into this user’s head from day one to NEVER send money or its equivalent via e-mail to anyone asking for it outside of a secure, pre-defined process – a point which we’ll get to in a minute – then they might have been able to avoid disaster.
Training to recognize the signs of phishing should be an ongoing process. Whatever you need to do to get the training out there – PowerPoint, training document, whatever – needs to be done on a regular basis. In addition, it may not be a bad idea to share examples of phishing attempts with users anytime one is received in the organization. It’s good for others to see what’s actually being sent to users in preparation for their own brushes with scammers in the future.
2. Organizational Processes
This human element is a bit harder to quantify, and requires more work. It’s also an idea of my own creation, so maybe a learned expert in organizational communication and cybersecurity would differ – in which case, please comment and make your case known.
If you want users to approach phishing attempts with the right mindset, it’s good to cultivate an environment in which common phishing techniques are not just strange but foreign to how workflow and communication are usually done.
For instance: A common phishing technique is to send a high-pressure message in which the scammer requests money/credentials/whatever and threatens serious consequences if you don’t comply quickly – like a threatening but fake e-mail from Facebook claiming that your profile, photos, and friends will be quickly deleted unless you sign in using a link provided in the e-mail.
A user once told me a humorous story in which they received an urgent e-mail from their boss asking them to wire $5,000 to an overseas client lest they lose a major contract – except that their boss was literally sitting right next to them, obviously defusing the whole scheme with a simple question.
But more than just that, they mentioned a process in place meant to formalize how a request like that would actually be done – designed with safeguards meant to help prove identity before carrying out the order. This is what I’m referring to: organizational processes in place which help remove the unknown “grey area” factors ripe for exploitation by outside parties.
These are just some thoughts on addressing the human factors in dealing with phishing attempts. There are a lot of useful technology components which also come into play, but there aren’t enough technology safeguards in the world to protect against a phishing attempt where the human element is unprepared.