SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Technology, not training, protects users from phishing
Thu, 21st Oct 2021
FYI, this story is more than a year old

This message might seem familiar to you: ‘Your bank account has been compromised. Please enter your details to reactivate your account.'

If you are nodding in agreement, you are probably one of the many who have been targeted by cybercriminals. Phishing remains a top mechanism to dupe consumers out of their accounts and assets — the above is just one example of a phishing email sent from seemingly trustworthy entities. Well-designed phishing emails are found behind 91% of all cyberattacks, proving just how dangerous these threats are.

But phishing isn't just a risk for consumers; it is also one of the top security challenges businesses face in keeping their information secure. In fact, it is estimated that there were nearly 3 million phishing attempts in 2020 aimed at small and medium businesses based in Southeast Asia.

Businesses urgently need to properly guard themselves against such attacks, and many are turning to cybersecurity training to boost employees' cyber risk awareness. The question is: Just how effective is training in putting an end to these scams?

The loophole in phishing education

Businesses have traditionally relied heavily on educating end-users on how to detect phishing attacks. There are countless materials available for employees to learn about phishing prevention tactics, from double-checking email spelling to calling up someone you regularly communicate with when something you get from them seems off.

There are even examples of businesses getting creative with how these trainings are rolled out. Last December, GoDaddy.com conducted a phishing test by sending 500 employees an email offering a $650 holiday bonus. The catch is that employees who clicked the link were not rewarded with a bonus, but with additional cybersecurity training.

While end-users do become more sophisticated with training, it can only go so far. Hackers are becoming even more sophisticated with their attacks, employing complex infrastructures on their phishing sites. End-users may find it challenging to identify illegitimate sites or differentiate them from the real ones. Some of these scheming tactics include using seemingly reliable sharing links, such as Dropbox, and placing calendar events with video conferencing links that appear standard in phishing emails.

In fact, a psychology study showed that when it comes to phishing attacks, people tend to believe that they are less likely to participate in risky behaviour and are less susceptible to scams than others around them. This creates a false sense of security towards such attacks.

To make things worse, these scams often involve social engineering techniques to deceive and manipulate individuals into taking the desired action — usually to click on a link or download an attachment. They also take advantage of the nature of workers collaborating and conducting business online, as actions often need to be taken quickly. Designed to prompt an urgent, emotional reaction, many of these scam emails push individuals to forego logic and overlook red flags, until it is too late.

These intrinsic, emotional reactions show how humans are practically hardwired to fall for these phishing scams. If that is the case, it is not training we should be looking at, but technology to keep our information secure.

Technology for a safer, easier user experience

If users cannot be trusted with their actions, then the only way forward is to evolve the way they are authenticated to make sure malicious actors are kept out. This means reducing the burden of authentication of the user in favour of relying on technology.

There are already technology options available that businesses can adopt to protect against phishing attacks and make the lives of users easier and safer. Cryptographically secure authentication, for example, keeps login information secure and private, helping businesses provide a safer and better user experience.

Such solutions utilise technical credential phishing protections. With these approaches, the device and the browser work behind the scenes to ensure that the website being visited is authentic and not a phishing site hiding behind a lookalike domain. This prevents common mistakes, such as mistaking a ‘0' for an ‘O'. As a result, users no longer need to worry about having to look out for such attacks, and instead, will be able to let the device take care of these details.

These standards can also be implemented in a more user-friendly manner than depending on passwords or traditional means of multi-factor authentication. For example, the on-device biometrics on most PCs or handsets can serve as an unphishable authenticator instead of relying on knowledge-based factors that can lead to user manipulation.

The good news is that this industry standard is already used by businesses like eBay, Google, GitHub, and Facebook to secure their authentication technology, so businesses looking to secure their information don't have to tread into the unknown.

More importantly, these standards are phishing-proof, and do not rely on unpredictable factors such as our human minds. Google, for instance, has not had any of its employees successfully phished on their work-related accounts since implementing FIDO authentication — proving the strong security of these standards.

We don't know better, but we can act better

Preventing credential phishing attacks today should be less about training users — instead, it should focus on adopting an authentication technology solution that actually works to prevent successful phishing attacks. While training users reduces the risk, it will never remove it.

Defending against these attacks now requires a coordinated and layered approach to security. By creating a succession of hurdles, each additional hurdle makes it less likely for malicious attacks to get through.

As businesses strategise for rebuilding and recovery, and prepare for a new post-pandemic ‘normal', they must continue to focus on all aspects of cybersecurity. They should prioritise utilisation of readily available authentication technologies to prevent the ongoing phishing threat.