Psychology of phishing attacks


In cybersecurity, the human element is the most frequent and easiest target. For threat actors, exploiting people is usually more effective than developing and deploying software exploits. As a result, attackers often target an organization's employees first, usually through phishing attacks.

Phishing is a social engineering attack in which a threat actor sends a rogue communication (usually an email) that appears to come from a trusted source and conveys urgency to the reader. The FBI's 2021 Internet Crime Report analyzes data from 847,376 reported cybercrimes and finds that the number of phishing attacks skyrocketed from 25,344 in 2017 to 323,972 in 2021.

Advanced phishing

Early email phishing attacks typically consisted of fraudulent, poorly worded messages designed to trick users into sending money to fraudulent bank accounts. Phishing has since evolved into sophisticated, well-crafted social engineering attacks. In today's digital world, everyone knows that phishing is bad, but trust is still the main vector of these attacks. Threat actors research their target: they look at public profiles and posts, vendor relationships, and whether the organization's HR department uses particular portals to convey information. The basis for all of these potential phishes is the implicit trust that employees place in their existing relationships.

How common these attacks are does not lessen their risk. Verizon reported that phishing was the top attack vector in 80% of security incidents reported in 2020 and one of the most common vectors for ransomware, a form of malware that encrypts data. Phishing was also the gateway to 22% of data breaches in 2020.

In addition to exploiting implicit trust in known senders, successful phishing emails prey on readers' emotions and create a sense of urgency, applying just enough pressure to fool otherwise diligent users. There are several ways to put pressure on otherwise reasonably rational employees. Spoofed emails that appear to come from an authority figure exploit the influence that a boss or the HR department has over the reader. Social conditions such as reciprocity (helping a colleague) and consistency (paying vendors and contractors on time to maintain good relationships) can also drive readers to click links in phishing emails.

According to the Tessian Research report Psychology of Human Error 2022, a follow-up to the 2020 report with Stanford University, 52% of people clicked on phishing emails because the emails appeared to come from senior company executives, up from 41% in 2020. In addition, employees are more error-prone when they are tired, and threat actors regularly exploit this. Tessian reported in 2021 that most phishing attacks were sent between 2 pm and 6 pm, the post-lunch slump when employees are most likely to be tired and distracted.
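As an added example (not from the article or its author), the Python below scores an inbound message on the three human-factor signals described above: an executive's display name on an external address, urgency language, and arrival in the 2 to 6 pm window. The executive names, internal domain, phrase list and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample data (assumptions, not from the article): names an attacker
# would impersonate and the organisation's own mail domain.
EXECUTIVES = {"jane doe", "raj patel"}
INTERNAL_DOMAIN = "example.com"
URGENCY_PHRASES = ("urgent", "immediately", "right away", "within the hour", "asap")

def score_message(raw: str) -> dict:
    """Score one RFC 822 message; returns how many signals fired and which ones."""
    msg = message_from_string(raw)
    reasons = []
    # Signal 1: an executive's display name on an address outside the organisation,
    # the "message from the boss" lever the article describes.
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if display.strip().lower() in EXECUTIVES and domain != INTERNAL_DOMAIN:
        reasons.append("exec-display-name-on-external-address")
    # Signal 2: urgency language in subject or body (pressure to act without thinking).
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(phrase in text for phrase in URGENCY_PHRASES):
        reasons.append("urgency-language")
    # Signal 3: sent in the 14:00-18:00 post-lunch window the article cites, judged
    # by the sender's own clock in the Date header; unparsable dates are ignored.
    try:
        sent = parsedate_to_datetime(msg.get("Date", ""))
        if 14 <= sent.hour < 18:
            reasons.append("sent-in-afternoon-window")
    except (TypeError, ValueError):
        pass
    return {"score": len(reasons), "reasons": reasons}

# Two constructed messages: an impersonation attempt and a routine internal note.
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e-mail.net>
Subject: Urgent wire needed today
Date: Tue, 14 Jun 2022 15:42:10 -0400

Please process this vendor payment immediately, I am in meetings all day.
"""
BENIGN = """From: Jane Doe <jane.doe@example.com>
Subject: Q3 planning notes
Date: Tue, 14 Jun 2022 09:05:00 -0400

Attached are the notes from this morning's session.
"""
if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, score_message(raw))
```

The score is a triage aid for a mail gateway or a reporting workflow, not a verdict; a message hitting all three signals is one a user should be encouraged to report rather than act on.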

Employees may hesitate to report a phishing incident after realizing that their trust has been exploited and they have been fooled. They are likely to feel bad about it and may even fear retaliation from the organization. However, reporting the incident is the best outcome. Blaming employees who fall victim to phishing scams and sweeping incidents under the rug is how cyber events spiral into large-scale cyber incidents. Instead, organizations need to create a culture in which cybersecurity is a shared responsibility and open dialogue about phishing and other cyber threats is encouraged.

Cybersecurity is difficult, but learning about it doesn’t have to be

Organizations that succeed in discussing cybersecurity make the topic relevant and familiar to all employees. To facilitate open dialogue, organizations need to adopt a defense-in-depth strategy: a combination of technical and non-technical controls that prevent, mitigate, and respond to cybersecurity threats. Security awareness training is just one piece of the defense-in-depth puzzle. To build a truly robust security program, you need to implement a range of mitigations across your enterprise environment.

Annual security awareness training does not adequately address the human factors exploited by phishing attacks. An example of a compelling training program comes from Curricula, a security awareness organization. Curricula uses behavioral science and techniques such as storytelling to shape employee training. The goal of its storytelling approach is to help employees remember the information and apply it in real-world scenarios (scenarios borrowed from threat actors' own tactics). The approach has shown results: one Curricula customer reported that the click-through rate among more than 600 employees dropped from 32% to 3% within six months of launching a training and phishing simulation program.

Properly equipped with tools, knowledge, and resources, previously distracted employees become the strongest line of defense against phishing, ransomware, and malware: a human firewall.

To be successful, management needs to be involved in the process — and training

Part of understanding the human element is recognizing that an effective security culture requires budgets and tools to secure the technical resources needed to prevent, mitigate, and transfer digital risk. Organizations can feel falsely reassured when they pass a security audit or certification. Still, as the past few years have shown, digital risk is constantly evolving, and threat actors do not hesitate to exploit national or global tragedies to turn cybercrime into profit. Threat actors routinely target organizations that make poor technology choices and ignore factors such as industry, size, and the type of data they protect.

In addition, executives are themselves susceptible to phishing attacks. Spear phishing or whaling attacks target specific executives in an organization. In 2017, it was announced that two tech companies, widely speculated to be Google and Facebook, were the victims of a $100 million spear phishing attack. US attorney Yong Kim called the event a wake-up call that anyone could be a victim of phishing.

The digital economy continues to change rapidly. IDC reported that by 2023, 75% of organizations will have a comprehensive digital transformation implementation roadmap, up from the current 27%.

To survive and prosper through the next stages of digital risk that accompany these transformations, organizations must first build a strong culture of security and provide personnel with the tools to recognize, respond to, and report phishing and other attacks. In addition, a defense-in-depth strategy can be created by layering appropriate tools such as multi-factor authentication, endpoint detection and response, and even a strong cyber insurance partner. This layered approach helps organizations prevent cyber events such as phishing from turning into disruptive cyber incidents such as data breaches and ransomware attacks.

Tommy Johnson is a cybersecurity engineer at Coalition.
