Why All Businesses Are at Risk of Phishing Attacks
Phishing continues to plague businesses. You must be thinking that by now – over a decade after criminals began sending emails impersonating banks to unsuspecting customers so they could steal credentials to bank accounts – we’d have the problem under control.
But, we don’t.
And what’s worse, we are seeing an increasing number of sophisticated spear phishing attacks – that is, phishing attacks targeting specific people within specific organizations for specific purposes. This form of social engineering is becoming an increasingly common way for criminals to breach an organization as the first step in an attack.
While phishing attacks may be more sophisticated than they were a decade ago, the basic attack mechanism remains the same as it has been for many years – criminals send a message that looks like it is from a legitimate business and trick users into clicking a link.
Why is phishing still around? Because it works.
And why does it still work despite a decade of anti-phishing technologies and training?
I think the answer is straightforward:
We have been focusing on technology, rather than on people. And when we do focus on people we often do it the wrong way.
Phishing does not exploit technical vulnerabilities. In fact, when someone is silently redirected to a fraudulent site without having been lured there (for example, because DNS resolution or a hosts file has been tampered with), we technically classify the attack as “pharming,” not “phishing.” Phishing simply leverages a technological medium to exploit an age-old human weakness: people's inability to recognize an impersonator as such. While technical weaknesses can often be best addressed with technical solutions, curbing phishing requires addressing human weaknesses.
As I noted last year in Forbes, “a primary reason why phishing continues to be an effective method of attack – even after a decade of anti-phishing efforts – is precisely because anti-phishing technologies are often designed to combat phishing by implementing technical ‘solutions’ rather than addressing the human source of the problem. Technical countermeasures can be circumvented, and if a human target is not otherwise shielded, problems occur.
Software that attempts to block or erase phishing emails before a user reads them, for example, does nothing if a user is directed to a rogue website via a text message, and may, at times, even aggravate the problem by lowering a person’s guard when a cleverly constructed email does reach the user; the recipient thinks that illegitimate emails are blocked, and, therefore, grants unwarranted trust to messages that he or she does receive.”
If we want to stop phishing, we need not only to train people, but also to deploy technology that helps them recognize when they are being phished. Sometimes this is accomplished with frequent reminders in the form of simulated phishing emails that mimic what a real attacker would send; sometimes with visual cues on websites and in emails that make it easier to distinguish legitimate parties from impostors; and sometimes through robust digital signature systems and PKI, which let a recipient check that a message actually came from the party it claims to be from.
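To make the last of those approaches concrete, here is an added example (written for this page; it is not the author's code or any product's implementation) showing why a signature checked against a trusted key defeats impersonation where a convincing-looking message does not. It uses Ed25519 from Go's standard library and a small in-memory directory mapping sender identities to trusted public keys, which stands in for what a PKI or certificate directory provides; the sender addresses, message bodies and the `Directory`, `Sign` and `Scenario` names are all constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedNotice is a message whose origin a recipient wants to check before
// trusting it. The field names are illustrative, not from any real product.
type SignedNotice struct {
	Sender    string // the identity the message claims to come from
	Body      string
	Signature []byte
}

// payload binds the claimed sender to the body, so a signature cannot be
// lifted from a genuine message and reused under a different sender name.
func payload(sender, body string) []byte {
	return []byte(sender + "\n" + body)
}

// Sign produces a notice signed with the sender's private key.
func Sign(priv ed25519.PrivateKey, sender, body string) SignedNotice {
	return SignedNotice{
		Sender:    sender,
		Body:      body,
		Signature: ed25519.Sign(priv, payload(sender, body)),
	}
}

// Directory stands in for the trust anchor a PKI gives a recipient: the
// public key it has decided to trust for each sender identity (assumption:
// a real deployment would derive this from certificates, not a map literal).
type Directory map[string]ed25519.PublicKey

// Verify accepts a notice only if it carries a valid signature under the key
// the directory trusts for the sender it claims to be. Anything an impersonator
// produces with a key of their own fails here, however convincing the text.
func (d Directory) Verify(n SignedNotice) bool {
	pub, ok := d[n.Sender]
	if !ok {
		return false // claimed sender is not one we hold a trusted key for
	}
	return ed25519.Verify(pub, payload(n.Sender, n.Body), n.Signature)
}

// ScenarioResult records the outcome of four constructed cases.
type ScenarioResult struct {
	Genuine       bool // signed by the real bank key: verifies
	Impersonated  bool // attacker signs with own key but claims to be the bank: rejected
	Tampered      bool // genuine signature, body altered afterwards: rejected
	UnknownSender bool // attacker claims an identity the directory never listed: rejected
}

// Scenario builds a bank key and an attacker key, then exercises the four cases.
func Scenario() (ScenarioResult, error) {
	bankPub, bankPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}

	// Constructed identities and text; the .test domain is reserved for examples.
	const bank = "alerts@examplebank.test"
	const body = "Your monthly statement is now available."
	const lure = "Your account is locked. Sign in at http://examplebank-secure.test/ now."
	dir := Directory{bank: bankPub}

	var r ScenarioResult
	r.Genuine = dir.Verify(Sign(bankPriv, bank, body))

	// The phisher cannot sign as the bank; the best they can do is their own key.
	r.Impersonated = dir.Verify(Sign(attackerPriv, bank, lure))

	// A genuine message whose body was swapped after signing.
	tampered := Sign(bankPriv, bank, body)
	tampered.Body = lure
	r.Tampered = dir.Verify(tampered)

	// A look-alike sender identity with no trusted key on file.
	r.UnknownSender = dir.Verify(Sign(attackerPriv, "security@examplebank-secure.test", body))
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The point the example makes is the one the paragraph above argues: the lure text in the impersonated and tampered cases is identical to what a user would see, and only the signature check tells them apart. The check is only as good as the directory behind it, so the trust anchors (here a map, in practice certificates) have to be protected with the same care as the keys.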
It goes without saying that formal information security training can also help.
Regardless of which approach or approaches you choose to take, make sure that you are not limiting the defense to specific media: if you only protect against phishing emails, you may be in for a rude awakening when someone is steered to a malicious website through another channel, such as a text message.
As I have said before: Ultimately, information security is not about technology. It is about keeping people safe in an increasingly electronic world. And you cannot do that if you don’t address human issues.