Does Anti-Phishing Training Add Up to Protection from Phishing Attacks?

by Gerry Grealish

Posted on January 18, 2023

Phishing attacks are continuing to rise, reaching record levels in 2022. By some reports, over 3 billion phishing emails are sent worldwide, every single day. And it’s not just the quantity that is increasing. The lures themselves are becoming more sophisticated and more effective, and are being delivered through more diverse channels than ever before.

What is Phishing?

“Classic” phishing is an attack that is initiated with an email that includes either an attached infected file or a link to a malicious website. The website, in turn, may contain malware or be spoofed to resemble a legitimate website and is designed to harvest credentials from unsuspecting users. The emails, too, are often designed to look like they are from a well-known company, like Microsoft, Zoom or a government agency and include urgent messages designed to convince recipients to take action.

New Types of Phishing Attacks

Today, classic phishing attacks have been updated and sometimes surpassed in effectiveness by a handful of other types of phishing. These include:

  • Spearphishing: Picture a scuba diver with a speargun who’s aiming at one specific fish. Similarly, a hacker on a spearphishing expedition targets an individual with a phishing email that is tailored to a particular person, based on information that’s known about the target.
  • Whaling: Just as a whale is a big fish (well, technically a marine mammal that, for our purposes, we’ll call a phish), the target in a whaling attack is a high-level executive, typically C-suite, who has lots of authority – especially over financial approvals. Whaling is also referred to as business email compromise, or BEC.
  • Vishing: Vishing is short for “voice phishing,” attacks that are delivered by way of a voice call instead of an email. The attacker will typically claim to be a rep of a known company that “needs” the user’s credit card number and/or asks the user to click on a malicious link or document that they send, often in the name of security.
  • Smishing: Smishing is “SMS phishing,” meaning that the bait is delivered via text message. The text message may say something like “Your account has been compromised” or “Your package will be returned if you don’t provide a correct address immediately.” The messages generally include a link or phone number that will be used to steal information or deliver malware. “Mishing” is a Smishing variation that leverages instant messaging services.
  • Clone phishing: With clone phishing, the attacker intercepts a legitimate message that the user has already received and alters it to contain malware or link to a cloned credential theft site. Often, additional text will be added to the subject or body that says, “following up” or something similar.
  • Angler phishing: Anglers are fishermen who use a rod with bait on a line. In angler phishing, fake social media posts are the bait. LinkedIn is a special favorite for this kind of attack. To deal with the issue, the platform has recently added intermediation pages to encourage users to ascertain that they’re being directed to the site they expected.

Clever cybercriminals continually devise variations on the phishing theme, spinning up new ways to fool unwary users.

Training Your Users to Be Anti-Phishing Firewalls

Anyone who uses the internet, especially for work, has heard warnings about phishing. Many phishing emails are so obviously spam and are so poorly written that even unsophisticated users will identify them as dangerous and won’t click.

Billions of phishing emails are sent every day. Microsoft alone claims to detect and block 710 million each week. Despite this huge weeding-out, an estimated 1 in 5 phishing emails bypassed Microsoft defenses in 2022 and reached workers’ inboxes – and at the largest organizations, by one estimate, the bypass figure for Microsoft Defender exceeds 50%.

According to one training vendor, just under one-third (32.4%) of an average company’s users are at risk of clicking on a phishing email that they receive. A typical untrained user will continue to click through to an infected attachment or link about 25% of the time, once they’ve opened the email. The vendor that gathered these statistics claims to bring that rate down to just 3.9% with intensive, ongoing, year-round training.

A 90% improvement sounds impressive, right? But consider what it really means for your organization.

Here’s the math:

According to best estimates, 1.6% of the roughly 126 emails an average business user receives each day contain malware or phishing links. Taking 120 emails per day as a round figure, that user is exposed to about 10 phishing emails each week and 520 annually (phishers do not take two weeks of vacation). A company of 1,000 employees will therefore be exposed to 520,000 phishing emails a year. If users click “only” 3.9% of the phishing emails that they receive, we’re talking about well over 20,000 clicks on malicious emails every year for an average business.

Yet all it takes is one single click-through on a phishing email to expose your company to a potentially catastrophic cyberattack.
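The exposure arithmetic above, written out as a small risk model (an added example, not part of the original post or of ZTEdge’s material). It goes beyond the text by also computing the probability that at least one exposure turns into a click, and the per-email click rate that training would have to reach for that probability to stay below a chosen target; the inputs are the post’s own figures, and treating each exposure as an independent trial is my assumption.

```python
# Added example: the post's "here's the math" as a reusable risk model.
# Inputs are the post's figures (120 emails/day, 1.6% malicious, 1,000 staff,
# 3.9% click rate after training). Independence of exposures is an assumption.

def phishing_exposures_per_year(emails_per_day, malicious_rate, employees,
                                workdays_per_week=5, weeks_per_year=52):
    """Expected malicious emails reaching inboxes across the organisation per year.

    The post rounds 120 * 1.6% * 5 = 9.6 per week up to 10 (hence 520,000);
    this keeps the unrounded value (499,200 for the same inputs).
    """
    per_user_per_week = emails_per_day * malicious_rate * workdays_per_week
    return per_user_per_week * weeks_per_year * employees


def expected_clicks(exposures, click_rate):
    """Expected number of clicks on malicious emails over those exposures."""
    return exposures * click_rate


def probability_of_at_least_one_click(exposures, click_rate):
    """P(at least one click) = 1 - (1 - p)^n, assuming independent exposures.

    This is the quantity behind "all it takes is one click": once n is in the
    hundreds per user, it is ~1 for any realistic p.
    """
    return 1.0 - (1.0 - click_rate) ** exposures


def max_click_rate_for_target(exposures, max_probability):
    """Largest per-email click rate keeping P(at least one click) <= target.

    Solves 1 - (1 - p)^n <= q for p.  Shows how far below 3.9% a training
    programme would need to drive the click rate to make "zero clicks" plausible.
    """
    return 1.0 - (1.0 - max_probability) ** (1.0 / exposures)


if __name__ == "__main__":
    org = phishing_exposures_per_year(120, 0.016, 1000)
    user = phishing_exposures_per_year(120, 0.016, 1)
    print(f"org exposures/year: {org:,.0f}, expected clicks at 3.9%: "
          f"{expected_clicks(org, 0.039):,.0f}")
    print(f"P(>=1 click) per user/year: {probability_of_at_least_one_click(user, 0.039):.6f}")
    print(f"click rate needed for P(>=1 click) <= 1% org-wide: "
          f"{max_click_rate_for_target(org, 0.01):.2e}")
```
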

A Better Anti-Phishing Approach

Clearly, relying on anti-phishing user training to protect your digital assets is a recipe for failure. Instead of trying to train the most vulnerable elements in your defensive arsenal to be vulnerable only 4% of the time, shouldn’t you aim to protect them – and your business – all of the time?

With a Zero Trust approach to cybersecurity, every website, every email and every user is considered potentially hazardous unless verified as safe. By deploying technologies such as Remote Browser Isolation (RBI) with read-only access for unknown sites, and Content Disarm and Reconstruction (CDR) to protect against malicious attachments, you can achieve far better protection than through user training, and much more efficiently.

RBI protects against infected websites by opening all websites in an isolated container in the cloud, where malware cannot reach the company network or resources by way of the user’s device. CDR protects against infected file attachments by disabling any malicious active elements in attachments before they are delivered to the user, while leaving desired functionality intact.

Conclusion

There is a place for user training, but it should be focused on alternative attack vectors such as vishing. People need to know not to disclose sensitive information to unknown callers, and not to follow instructions from strangers – just like their parents taught them as kids.

But for protection against infected emails and websites, it’s far better to rely on Zero Trust technology than on user training.

Contact us to learn how ZTEdge can make it easy for your business to streamline user access and productivity while upping your security game.



About Gerry Grealish

Gerry Grealish, ZTEdge CMO, is a security industry veteran, bringing over 20 years of marketing and product experience in cybersecurity, cloud, analytics, and related technologies. Responsible for marketing and business development, Gerry previously was at Symantec, where he led the product marketing and go-to-market activities for the company’s broad Network Security portfolio. Prior to Symantec, Gerry was at Blue Coat, which he joined as part of Blue Coat’s acquisition of venture-backed Cloud Access Security Broker (CASB) innovator, Perspecsys, where he was Chief Marketing Officer.
