By now, nearly everyone with an email address knows to be wary of clicking links inside an email. However, nearly everyone has also clicked links inside an email. And therein lies the draw of phishing attacks for hackers. They know that humans can be trusted to abandon common sense if they are in a hurry, if the email looks like it came from an authoritative site, or if the email looks like it came from a colleague. In order to stop phishing attacks once and for all, humans and tech will need to work together.
Why Phishing Thrives
Hackers who wage phishing attacks know how to exploit human emotions, and they know how to keep pace with current events. Many attacks take advantage of the fear that follows a major breach, posing as the hacked website and urging customers to click links to protect their information (when in reality the attackers just want to steal it).
When it comes to corporate attacks, phishers can be a bit more creative. They can send emails posing as other members of the organization, which automatically lowers the recipients’ defenses. Emails that look like they come from Susan in accounting don’t seem malicious at all, and users will open attachments or click links without verifying the email is real. According to a recent report, 54 percent of companies still see phishing emails on a regular basis, even after educating employees and putting safety measures in place.
Security teams report the time it takes to detect malicious emails as one of the biggest obstacles they face in preventing phishing attacks. Coming in second and third were email forensics issues and removing phishing emails from mailboxes. Time is critical in a malicious email attack. Some experts estimate it takes less than 90 seconds for one user to interact with a phishing email that breaks through security measures.
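The impersonation described above ("Susan in accounting") usually shows up as a familiar display name on an address the company does not own. The following Python script, added here as an illustration and not taken from the article, runs that check over constructed sample messages: the company domain, the employee directory and the raw headers are all assumed values, and a real deployment would pull the directory from the identity provider rather than a hard-coded dict.

```python
"""Flag inbound messages whose From display name matches an internal employee
while the sending address is not that employee's mailbox.

Added example; the domain, directory and sample headers are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed company domain

# Constructed directory of internal staff: normalised display name -> mailbox
DIRECTORY = {
    "susan miller": "susan.miller@example.com",
    "raj patel": "raj.patel@example.com",
}

# Constructed sample messages (RFC 5322 headers plus a short body)
SAMPLES = [
    "From: Susan Miller <susan.miller@example.com>\r\n"
    "Subject: Q3 invoices\r\n\r\nAttached.\r\n",
    "From: Susan Miller <susan.miller.acct@mail-example.net>\r\n"
    "Subject: Urgent wire\r\n\r\nPlease process today.\r\n",
    "From: Newsletter <news@vendor.example.org>\r\n"
    "Subject: Weekly digest\r\n\r\nHi.\r\n",
]


def normalise(name):
    """Lower-case and collapse whitespace so 'Susan  Miller' matches the directory."""
    return " ".join(name.lower().split())


def check_message(raw):
    """Return a finding dict for one raw message, or None if nothing is suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    key = normalise(name)
    if key not in DIRECTORY:
        return None  # display name does not match a known employee
    if addr.lower() == DIRECTORY[key]:
        return None  # genuine internal sender
    # Name matches an employee but the address is not their mailbox:
    # this is the display-name impersonation pattern.
    return {
        "display_name": name,
        "address": addr,
        "expected": DIRECTORY[key],
        "subject": str(msg.get("Subject", "")),
    }


def scan(raw_messages):
    """Run check_message over a batch and keep only the findings."""
    return [f for f in (check_message(m) for m in raw_messages) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

The check deliberately ignores messages from unknown names (a vendor newsletter is not impersonation), and it still flags a lookalike address on an external domain even when the domain name resembles the company's, which is the case a hurried reader is least likely to notice.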
Stopping Phishing Once and For All
The best way to stop phishing is for companies to wage a two-pronged defense on both the human front and the technology front. Improved forensics, mitigation, and remediation are important, but most IT security teams also stress that humans should be part of the equation, especially because hackers always seem to be one step ahead of security processes.
If your company is ready to wage war against phishing, you need a team that keeps pace with malicious email trends and is committed to the ongoing education of employees, ensuring they verify all attachments and links whether the email comes from within the company or from outside the organization. Many companies are starting to run drills in which the security team stages a non-malicious "attack" by sending out a phishing email and tracking who clicks it. Many companies have had success by "scaring straight" their employees in this way.
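The drill described above needs a way to turn clicks into a report the security team can act on. The Python script below is an added example, not the article's own tooling: it assumes each recipient was sent a link with a unique token on a tracking host, and tallies a constructed access log into per-department click rates and a list of users to enrol in follow-up training. The roster, the `/track?t=` URL shape and the log lines are all constructed values.

```python
"""Tally a simulated-phishing drill from the tracking endpoint's access log.

Added example; the roster, URL layout and log lines are constructed.
"""
import re
from collections import defaultdict

# Constructed roster: per-recipient token -> (user, department)
ROSTER = {
    "a1f9": ("alice", "finance"),
    "b7c2": ("bob", "finance"),
    "c3d8": ("carol", "engineering"),
    "d4e1": ("dave", "engineering"),
}

# Constructed access log from the drill's tracking host (combined log format).
# Includes a repeat click, an unknown token and an unrelated request.
LOG_LINES = """\
10.0.0.5 - - [12/Mar/2024:09:01:12 +0000] "GET /track?t=a1f9 HTTP/1.1" 200 43 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:09:01:15 +0000] "GET /track?t=a1f9 HTTP/1.1" 200 43 "-" "Mozilla/5.0"
10.0.0.6 - - [12/Mar/2024:09:02:50 +0000] "GET /track?t=b7c2 HTTP/1.1" 200 43 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:09:03:40 +0000] "GET /track?t=c3d8 HTTP/1.1" 200 43 "-" "Mozilla/5.0"
10.0.0.2 - - [12/Mar/2024:09:05:02 +0000] "GET /track?t=zzzz HTTP/1.1" 404 12 "-" "curl/8.0"
10.0.0.7 - - [12/Mar/2024:09:07:30 +0000] "GET /favicon.ico HTTP/1.1" 404 12 "-" "Mozilla/5.0"
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /track\?t=(?P<token>\w+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def parse_clicks(lines):
    """Return {token: first_timestamp} for successful hits by known tokens.

    Repeat clicks by the same recipient count once; unknown tokens and
    non-200 responses are ignored.
    """
    first_seen = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        tok = m.group("token")
        if tok in ROSTER and tok not in first_seen:
            first_seen[tok] = m.group("ts")
    return first_seen


def summarise(lines):
    """Build the drill report: who clicked, per-department and overall click rates."""
    clicks = parse_clicks(lines)
    per_dept = defaultdict(lambda: [0, 0])  # dept -> [clicked, total]
    clicked_users = []
    for tok, (user, dept) in ROSTER.items():
        per_dept[dept][1] += 1
        if tok in clicks:
            per_dept[dept][0] += 1
            clicked_users.append(user)
    rates = {d: c / t for d, (c, t) in per_dept.items()}
    return {
        "clicked": sorted(clicked_users),
        "rates": rates,
        "overall": len(clicks) / len(ROSTER),
    }


if __name__ == "__main__":
    report = summarise(LOG_LINES)
    print("Users to enrol in training:", ", ".join(report["clicked"]))
    for dept, rate in sorted(report["rates"].items()):
        print(f"{dept}: {rate:.0%} clicked")
    print(f"overall: {report['overall']:.0%}")
```

Deduplicating on the first click per token matters because one curious user reloading the page would otherwise inflate the department's rate, and dropping non-200 hits keeps scanner probes with invented tokens out of the numbers.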