Why phishing works: It exploits human gullibility
- Posted on November 27, 2018
- Estimated reading time 3 minutes
This article was originally published on Security Boulevard.
When trying to break in to any organization, a hacker may find it easy to get an employee to slip up. Usually, this takes the form of social engineering tactics in which the hacker either “sweet talks” a target or gets the victim to provide needed information because they’re too busy to look up the information themselves. In fact, one of the most notable hacks of the past few years—the hacking of the Democratic National Committee—was achieved through social engineering by Russians pretending to be Google.
Phishing has evolved from a scatter-gun approach as a generic email sent to millions of people with the expectation of a low percentage of hits to a targeted campaign designed to exploit a select few. It’s well-known that banks and major organizations will not ask for your password through email. However, hackers have evolved their strategies and now carefully craft and target their message so they can easily lure unsuspecting employees. A recent article on phishing noted that attackers are now also using extortion tactics, leading with a fragment of information about you and then demanding that you pay them to retrieve all of the captured information.
Phishing tests to keep employees on their toes
Many organizations regularly run phishing tests to keep employees aware of phishing tactics. Every few weeks an email is sent that tries to entice a staff member to click on something or open an attachment. Employees that take the bait receive a subsequent message alerting them it was a phishing test and they should be more careful. Another option is to deploy a reporting function into the organization’s email system.
An Avanade client who regularly features as one of the best employers globally sent out a phishing test email around Christmas asking employees to click a link to claim their voucher for a free Christmas lunch. The results were astonishingly bad, with a failure rate around 80 percent—that’s 4 out of 5 employees who thought the email was a genuine offer. All types of employees all around the globe, including several senior security professionals, fell for the phishing test email.
It was an important lesson for everyone involved. People tend to believe that anything offered free from a credible source is probably true and claimable. This thought process can and will be exploited. I have to admit, I also clicked on one such email early in my career as a security consultant. In that case, the email said I was eligible for a replacement laptop and that I needed to open an attachment to fill in my details.
Wetware is weak
Hackers know that people are gullible; that’s why phishing is one of the most popular and only effective way to get in to a network. Wetware, also called humans, is one of the weakest defenses for a hacker to exploit.
Sometimes the pendulum swings too far and legitimate emails are reported as suspicious, making it more difficult for people trying to send out valid information. Safelinks is a feature provided by Microsoft’s Office 365 Advanced Threat Protection (ATP) subscription, which helps an organization by providing time-of-click verification of web addresses (URLs) in email messages and Office documents.
There are, of course, other products in the market that can help with malicious links in emails. Other measures may include sending out emails from the company domain rather than through an external bulk mailing system and sending out targeted emails instead of generic emails. I trust emails that come from someone I know within the company or that get cascaded to my boss, who then forwards them on.
A combination of regular training to spot malicious emails and technical workarounds can help reduce the phishing problem and will go a long way to making our workplaces safe and secure.