Technology, not training, protects users from phishing


THIS message might seem familiar to you: “Your bank account has been compromised. Please enter your details to reactivate your account.”

If you are nodding in agreement, you are probably one of the many who have been targeted by cybercriminals. Phishing remains a top mechanism to dupe consumers out of their accounts and assets—the above is just one example of a phishing e-mail sent from seemingly trustworthy entities. Well-designed phishing e-mails are found behind 91 percent of all cyberattacks, proving just how dangerous these threats are.

But phishing isn’t just a risk for consumers; it is also one of the top security challenges businesses face in keeping their information secure. In fact, it is estimated that there were nearly 3 million phishing attempts in 2020 aimed at small and medium businesses based in Southeast Asia.

There is an urgent need for businesses to properly guard themselves against such attacks, and many are turning to cybersecurity training to boost employees’ cyber risk awareness. The question is: Just how effective is training in putting an end to these scams?

THE LOOPHOLE IN PHISHING EDUCATION

BUSINESSES traditionally have relied heavily on educating end users on how to detect phishing attacks. There are countless materials available for employees to learn about phishing prevention tactics, from double-checking e-mail spelling to calling up someone you regularly communicate with when something you get from them seems off.

There are even examples of businesses getting creative with how these trainings are rolled out. Last December, GoDaddy.com conducted a phishing test by sending 500 employees an e-mail offering a $650 holiday bonus. The catch was that employees who clicked the link were not rewarded with a bonus, but with additional cybersecurity training.

While end users do become more sophisticated with training, it can only go so far. Hackers are becoming even more sophisticated with their attacks, employing complex infrastructures on their phishing sites. End users may find it challenging to identify illegitimate sites or differentiate them from the real ones. Some of these tactics include using seemingly reliable sharing links, such as Dropbox links, and embedding calendar invitations with video conferencing links that look routine in phishing e-mails.

In fact, a psychology study showed that when it comes to phishing attacks, people tend to believe that they are less likely to engage in risky behavior and less susceptible to scams than others around them. This creates a false sense of security toward such attacks.

To make things worse, these scams often involve social engineering techniques to deceive and manipulate individuals into taking the desired action—usually clicking on a link or downloading an attachment. They also take advantage of the way workers collaborate and conduct business online, where actions often need to be taken quickly. Designed to prompt an urgent, emotional reaction, many of these scam e-mails push individuals to forgo logic and overlook red flags until it is too late.

TECHNOLOGY FOR A SAFER, EASIER USER EXPERIENCE

IF users cannot be trusted with their actions, then the only way forward is to evolve the way they are authenticated to make sure malicious actors are kept out. This means shifting the burden of authentication away from the user and onto technology.

There are already technology options available that businesses can adopt to protect against phishing attacks and make the lives of users easier and safer. Cryptographically secure authentication, for example, keeps login information secure and private, helping businesses provide a safer, and better user experience.

Such solutions utilize technical credential phishing protections, such as those defined in industry standards from the FIDO Alliance and W3C. With these approaches, the device and the browser work behind the scenes to ensure that the web site being visited is authentic and not a phishing site hiding behind a lookalike domain. This prevents common mistakes, such as mistaking a ‘0’ for an ‘O’. As a result, users no longer need to worry about having to look out for such attacks, and can instead let the device take care of these details.
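To show why a lookalike domain gets no traction against this kind of authentication, here is an added example (not from the article, and not any vendor's code) of the origin-binding check a FIDO2/WebAuthn relying party performs on a login assertion. The browser, not the user, writes the `origin` field, and the authenticator hashes the RP ID the credential was registered under into the authenticator data; the relying party ID, origin, challenge and sample assertions below are constructed for illustration, and signature verification is left out to keep the focus on the binding check.

```python
import base64
import hashlib
import json

RP_ID = "example.com"                 # constructed relying party ID
EXPECTED_ORIGIN = "https://example.com"  # constructed legitimate origin


def b64url_decode(s: str) -> bytes:
    """Decode base64url as used in WebAuthn (padding is optional)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_origin_binding(client_data_json: bytes, authenticator_data: bytes,
                          expected_challenge: str) -> bool:
    """Return True only if the assertion is bound to our origin and RP ID.

    A real relying party would additionally verify the authenticator's
    signature over authenticator_data || SHA-256(client_data_json).
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != expected_challenge:
        return False  # replayed or unrelated assertion
    # Set by the browser from the page's actual origin; a phishing page
    # at a lookalike domain cannot make this field say "example.com".
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False
    # Bytes 0..31 of authenticator data: SHA-256 of the RP ID the
    # authenticator scoped the credential to at registration time.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    # Byte 32 holds flags; bit 0 is "user present".
    return bool(authenticator_data[32] & 0x01)


def make_assertion(origin: str, rp_id: str, challenge: str):
    """Constructed stand-in for what browser and authenticator would emit."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    # rpIdHash (32 bytes) + flags (UP set) + 4-byte signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00" * 4
    return client_data, auth_data


CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed server challenge
```

Run on the constructed inputs, an assertion produced for `https://example.com` passes, while one produced for a lookalike such as `https://examp1e.com` fails on both the origin and the RP ID hash, without the user ever having to spot the substituted character.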

WE DON’T KNOW BETTER, BUT WE CAN ACT BETTER

Preventing credential phishing attacks today should be less about training users and more about adopting an authentication technology that actually works to prevent phishing attacks. While training users reduces the risk, it will never remove it. Defending against these attacks now requires a coordinated and layered approach to security: by creating a succession of hurdles, each additional hurdle makes it less likely that a malicious attack gets through.

As businesses strategize for rebuilding and recovery, and prepare for a new post-pandemic “normal,” they must continue to focus on all aspects of cybersecurity and should prioritize the use of readily available authentication technologies to counter the ongoing phishing threat.

Read full article on BusinessMirror