Despite mandatory security awareness training in many companies today, as well as the increasing adoption of email authentication methods such as SPF and DMARC to keep phishing messages out of users’ inboxes, why does social engineering, and phishing email in particular, continue to be a significant security risk for companies? To try to answer that question, I turned to the internet to shed some light on the topic. Needless to say, there were lots of statistics attributing some of the biggest data breaches of the last several years to phishing attacks, but such a high-level summary doesn’t give us a root cause analysis or actionable insight, does it?
To get to the heart of the matter, I scoured research papers on phishing from universities such as Harvard and UC Berkeley, as well as studies done by individuals in the field of security. Putting aside any discussion of email security or anti-phishing technology, here are the three reasons people fall for phishing emails:
- People are curious and make an emotional connection to the content
- People don’t spend enough time to look for the cues indicative of phishing
- People are not aware of the cues indicative of phishing
These three reasons strongly suggest that users need more training on how to identify phishing emails, and need to be taught alternative ways to safely verify the emails they receive. On the other hand, there are critics who question the effectiveness of anti-phishing training and point to the detrimental effects of keeping employees in a constant state of “high alert”. Unfortunately, until machine learning one day helps us solve the problem of phishing once and for all, trade-offs are necessary, and so is security training.
Benenson, Zinaida. “Exploiting Curiosity and Context.” Black Hat, July 2016. www.blackhat.com. Accessed Aug. 2016.
Dhamija, Rachna, J. D. Tygar, and Marti Hearst. “Why Phishing Works.” Conference on Human Factors in Computing Systems (CHI), Apr. 2006. eecs.berkeley.edu. Accessed Sept. 2016.
Ollmann, Gunter. “The Phishing Guide.” IBM, Apr. 2010. www-935.ibm.com. Accessed Sept. 2016.
Tally, Greg, Roshan Thomas, and Tom Van Vleck. “Anti-Phishing: Best Practices for Institutions and Consumers.” McAfee, Sept. 2004. Accessed Sept. 2016.