The Anti-Phishing Insights Every CISO Should Know
The unfortunate reality remains that, even in 2022, phishing attacks continue to be the most persistent and often most disruptive form of information security attack facing organisations.
In fact, in this year's Cyber Security Breaches Survey, published by the UK Government, it was found that of those medium to large businesses who identified attacks or breaches in the preceding 12 months, a staggering 94% reported experiencing some form of phishing attack.
As the threat of phishing continues to grow and evolve, organisations also need to be expanding and evolving their understanding of how to effectively mitigate this risk and improve their anti-phishing practices.
With this in mind, Hut Six has been scouring the research to find some of the latest and most relevant insights to help fight back against the attackers. Below are our top 5 anti-phishing insights that we think every CISO should know.
Users Overestimate Technical Protections
Although organisations and security professionals invest significant time and resources into implementing technical measures to prevent successful phishing attacks, the truth is no system is perfect.
No matter how good the spam filter, no matter how advanced the firewall, phishers will always find a way of getting around these protections and into the inboxes of users. For security professionals, this is a given, but for a certain proportion of users, this may not be so obvious.
In this 2018 study, researchers analysed data relating to a four and a half year phishing awareness campaigned conducted inside of a U.S government research institution. Amongst their findings was the discovery that those users who had fallen victim to simulated phishing attacks tended to "overestimate the technological phishing detection system of their company."
In other words, those who were more likely to fall for phishing attacks believed that organisational measures designed to protect them, were more effective than those who did not fall prey to simulated attacks.
"While it is good that staff are aware there are indeed institutional security measures in place, having too much faith in such mechanisms can be dangerous if it leads staff to a false sense of total security."
From this observation, which some term the 'boomerang effect', it is reasonable to hypothesize that organisations would be best advised to make it explicitly clear to employees the fallibility of their protective systems to help dissuade overly-assured users from feeling invulnerable.
By acknowledging these technical limitations within anti-phishing training and communications, the need for individual user responsibility can be emphasised, and thus become a part of an organisation security culture.
Larger Workloads Reduce Phishing Detection
Inattentional blindness is a well-established psychological phenomena whereby individuals reliably fail to notice a fully observable, but unexpected object, event, or task, because of attention being directed elsewhere.
One of the most well-known demonstrations of this is the 'Selective Attention Test' devised by Christopher Chabris and Daniel Simons, in which viewers are asked to count the number of times a ball is passed back and forth between several 'players'. Often unnoticed by viewers, is the fact a person in a gorilla suit briefly appears in the middle of the exercise.
Despite being quite humorous, this experiment illustrates an important aspect of human information processing that is highly relevant to security compliance, as it has been shown that users who are operating with high workloads and/or decreased 'cognitive involvement', are less likely to detect malicious communications.
In this 2020 study, conducted within the healthcare sector, researchers found that of all the various factors they investigated (including perceived behavioural control, subjective norms, and attitudes), employee workload was the only factor to positively relate to noncompliance behaviour (i.e., clicking on phishing emails).
An effect which has been observed in multiple pieces of information security research (examples here and here), this finding is inherently challenging. All organisations strive to have as a productive workforce as possible, yet by placing too great a burden upon employees, a company opens itself up to an increased likelihood of users failing to detect phishing attacks.
Although in this case, the facts themselves do not present a clear course of action, it seems a worthwhile consideration for security professionals to ponder what they can do to address the delicate balancing act that is effective information security.
Spelling Mistakes Don't Mutter (as Much as You'd Think)
The subject of spelling mistakes is one that has sparked interest for many years, and if you were to search this topic, you would find many articles positing theories of why poor spelling and grammar is so common in phishing emails.
As you may know, one of the most common theories postulates that phishers deliberately include these errors as an intentional method of selection. Effectively weeding out the more astute and savvy users as to focus efforts upon the most promising of potential targets. A theory which may very well be true.
But what you probably did not know is that there is evidence that spelling and grammatical errors do not impact users' ability to detect a phishing email.
In a 2016 paper entitled 'Individual processing of phishing emails: How attention and elaboration protect against phishing', researchers found that having introduced typographical/spelling errors into a series of phishing emails, subjects in the experiment were no more likely to detect the inauthentic communications.
One reasonable explanation for this effect is the phenomena known as 'typoglycemia', by which humans are readily capable of recognising (mostly short) words via the first and last letters alone, providing the middle part of the word still contains the correct letter features.
"Aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae."
That being said, it is also worth pointing out that separate research has found that "compared to genuine emails, phishing emails are more likely than genuine emails to have spelling or grammatical errors", so although users may not be highly focused upon such errors as 'phishing cues', if the proper attention is paid, these errors do offer users the opportunity to increase the likelihood of detecting a phishing email.
Technical Staff are Just as Susceptible
Of all the insights included in this list, this one will probably come as something of a surprise to most security professionals, but multiple investigations into demographic factors suggest that those working in technical departments are no less likely to fall for phishing attacks than those in non-technical departments.
One such 2021 study, conducted at a large higher education institution in Australia, found that even the percentage of phishing victims within the university's Department of Information Technology (highly-educated information technology academics) was no lower than in other departments.
A discovery mirrored in a 2020 study targeting almost 7,000 faculty and staff at George Mason University (Virginia, U.S), which similarly concluded "there is no statistically significant association between department type and phishing susceptibility" and that there is "no evidence indicating that employees from technical colleges are less likely to fall for phishing than from other departments."
Also observed in the private sector environment, these results seem to suggest that despite individuals having the theoretical knowledge and technical expertise that should allow them to easily spot a phishing attack, these skills do not appear to translate into measurable performance metrics.
Though there will undoubtedly be some who are dismayed at this finding, this insight does demonstrate that anti-phishing training is a worthwhile investment for staff in all areas of an organisation.
Training Needs to be Ongoing
We all know that when learning a new skill, practice makes perfect. Well, as many studies have found, the same is true for users avoiding phishing attacks.
Although providing a single, or even annual training session for users may have some level of effect, to ensure that the gained anti-phishing knowledge is retained, a variety of different research (here, here, & here) has concluded that an anti-phishing program needs to be designed as an ongoing process. Ideally one which is "integrated into users' daily workflow and mimics actual attacks as closely as possible."
"Phishing campaign managers need to organize multiple successive simulation/training cycles to cultivate a phishing awareness culture."
As we saw in the previous insight, it is not merely enough for users to have the technical knowledge. This knowledge needs to be put into continual practice, in a way which allows individuals to retain this information and adopt these new behaviours into routine.
Termed by some as 'Persistent Training', there is still some level of discussion about optimal regularly, with most experts landing somewhere between 3 and 5 times a year. And while that may sound like a lot, techniques such as embedded training (i.e., simulated phishing attacks which link to resources) can easily be sent this regularly without annoying users with excessive frequency or disrupting productivity.
The added bonus of this form of training being that organisations can gather ongoing information and metrics as to how well their staff can identify and avoid phishing emails, while also steadily and deliberately increasing the difficulty of such campaigns, thus mimicking the sophistication of modern and genuine phishing attacks.
As with any field involving complex human behaviours, it is worth noting that these insights have been collected here to assist information security professionals in understanding and implementing training programs, and while the greatest effort has been made to represent the science as accurately as possible, contradictory findings are certainly out there.
For those looking for a more in-depth analysis of a wide range of anti-phishing training literature, you may find the following paper to be a particularly interesting and insightful read containing many useful references.
'Don't click: towards an effective anti-phishing training. A comparative literature review' (available here).
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
Cyber awareness helps reduce human error and insecure behaviours. Examining how the psychology of behaviour change will help us deliver effective awareness campaigns.
An email security policy is a document describing how an organisation's email system should, and most importantly, should not be used.
When Human Error is found in information security, it is often avoidable errors that allow much larger consequential problems to arise.
Investing in Information Security Awareness Training - educating people against cyber threats should be considered essential for any organisation operating in 2021
How Secure is Microsoft Teams? Information Security blog by Information Security Awareness solution provider Hut Six Security
Best Ways To Ensure Enterprise Data Regulation guest blog by technivorz.com and information security awareness solution Hut Six Security.
Writing a Disaster Recovery Plan: information security planning blog by information security awareness solution provider Hut Six Security.
Security program policies blog by information security awareness training provider Hut Six Security.
Security awareness training for Cyber Essentials blog by information security awareness training provider Hut Six Security.
Information Security Awareness Training in 2021 blog by information security awareness training platform Hut Six Security