We read about high profile phishing attacks and warnings nearly every day in the news. So you would think that such audacious phishing attacks on government and business organizations alike would serve as dire warnings to users. Yet attacks are so prolific and increasingly sophisticated that they almost always ensnare some unsuspecting and unlucky victim. At the same time, organizations continue to spend millions of dollars on technology and training for employees to recognize suspicious emails. So why do so many people still click?
Research from the National Institute of Standards and Technology (NIST) has uncovered one reason, and the findings could help chief information officers and other cybersecurity officials build a better defense.
According to an analysis by TrendMicro, organizations worldwide could lose an estimated $9 billion in 2018 to employees clicking on phishing emails. The NIST findings show that context plays a critical role in why users click or don't click on a phishing email: the more the premise of the message seems relevant to a person's life, interests or job responsibilities, the harder it is for them to recognize it as a phishing attack.
Organizations can improve their defensive strategies by considering the team's broader findings, which are based on more than four years of data gathered by the NIST team in a real-world work environment. By investigating not just which deceptive emails led some employees to click, but the reasons why they clicked, the NIST team found that employees are more likely to click on links and attachments when the premise of the email matches their work responsibilities. Surprisingly, rather than mindlessly clicking on emails, these users were worried about failing to be responsive to their job duties.
Punitive measures (such as suspension or even firing) against conscientious employees who fall for scams are not the best approach, a NIST human factors specialist said. Instead, cybersecurity officials should treat users as partners, not the enemy, in the fight against phishing scams. Through better training, organizations should try to build a workforce of savvy users. In the same research, NIST found that more observant employees recognized that certain elements of the phishing emails were suspicious, such as misspelled web addresses, and were wary of the consequences of downloading malware. One employee from the study was immediately mistrustful when he noticed that a phishing email contained an invoice attachment, because he did not handle financial transactions in his position.
Early reporting had a profound effect on an organization's ability to recover from phishing attacks. NIST found that organizations with an easy and responsive method for employees to report phishing attempts were much more successful at stopping the phishing emails from spreading throughout their networks and were able to minimize damage.
NIST further recommends that organizations analyze their own data on click rates and reporting rates. They can then use this information to improve both user training and the electronic filters in their networks, which struggle to keep up with the evolving ways attackers use phishing emails.
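As an added illustration of the two preceding recommendations (fast reporting and tracking click and report rates per campaign), the following script computes those metrics from simulated-phishing event logs. It is example code written for this page, not NIST's or the research team's own tooling; the event format, the field names, the lure themes, the thresholds and the sample events are all constructed assumptions.

```python
"""Per-campaign click/report metrics from simulated-phishing event logs.

Added example for this page, not NIST's code. The event tuple layout
(campaign, lure theme, user, event kind, ISO-8601 timestamp), the lure
themes and the thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: one "sent" per recipient per campaign,
# followed by any "clicked" / "reported" events for that recipient.
SAMPLE_EVENTS = [
    ("c1", "invoice", "alice", "sent", "2018-03-01T09:00:00"),
    ("c1", "invoice", "alice", "clicked", "2018-03-01T09:04:00"),
    ("c1", "invoice", "bob", "sent", "2018-03-01T09:00:00"),
    ("c1", "invoice", "bob", "reported", "2018-03-01T09:02:00"),
    ("c1", "invoice", "carol", "sent", "2018-03-01T09:00:00"),
    ("c1", "invoice", "dave", "sent", "2018-03-01T09:00:00"),
    ("c1", "invoice", "dave", "clicked", "2018-03-01T09:10:00"),
    ("c1", "invoice", "dave", "reported", "2018-03-01T09:11:00"),
    ("c2", "it-password-reset", "alice", "sent", "2018-03-08T09:00:00"),
    ("c2", "it-password-reset", "bob", "sent", "2018-03-08T09:00:00"),
    ("c2", "it-password-reset", "carol", "sent", "2018-03-08T09:00:00"),
    ("c2", "it-password-reset", "carol", "reported", "2018-03-08T09:30:00"),
    ("c2", "it-password-reset", "dave", "sent", "2018-03-08T09:00:00"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def campaign_metrics(events):
    """Return {campaign: metrics} for (campaign, theme, user, kind, ts) tuples."""
    by_campaign = defaultdict(list)
    for ev in events:
        by_campaign[ev[0]].append(ev)

    results = {}
    for campaign, evs in by_campaign.items():
        theme = evs[0][1]
        sent_at, first_click, first_report = {}, {}, {}
        for _, _, user, kind, ts in evs:
            t = _parse(ts)
            if kind == "sent":
                sent_at[user] = t
            elif kind == "clicked":
                first_click[user] = min(t, first_click.get(user, t))
            elif kind == "reported":
                first_report[user] = min(t, first_report.get(user, t))
        recipients = len(sent_at)
        if recipients == 0:
            continue  # malformed campaign with no delivery records
        # Only count users who actually received this campaign's message.
        clicked = [u for u in first_click if u in sent_at]
        reported = [u for u in first_report if u in sent_at]
        # Reports that came in before (or without) a click are the ones that
        # let the SOC pull the message before it does damage.
        reported_before_click = [
            u for u in reported
            if u not in first_click or first_report[u] < first_click[u]
        ]
        send_time = min(sent_at.values())
        first = min((first_report[u] for u in reported), default=None)
        results[campaign] = {
            "theme": theme,
            "recipients": recipients,
            "click_rate": len(clicked) / recipients,
            "report_rate": len(reported) / recipients,
            "reported_before_clicking": len(reported_before_click),
            "minutes_to_first_report": (
                None if first is None else (first - send_time).total_seconds() / 60
            ),
        }
    return results


def flag_campaigns(metrics, max_click_rate=0.2, min_report_rate=0.3):
    """Campaigns whose click rate is too high or report rate too low, with reasons.

    Thresholds are illustrative; an organization should derive its own from
    its historical data, as the article recommends.
    """
    flagged = {}
    for campaign, m in metrics.items():
        reasons = []
        if m["click_rate"] > max_click_rate:
            reasons.append("click_rate")
        if m["report_rate"] < min_report_rate:
            reasons.append("report_rate")
        if reasons:
            flagged[campaign] = reasons
    return flagged


if __name__ == "__main__":
    metrics = campaign_metrics(SAMPLE_EVENTS)
    for name, m in sorted(metrics.items()):
        print(name, m)
    print("needs attention:", flag_campaigns(metrics))
```

Segmenting by lure theme is the point: in the constructed data the invoice lure draws a far higher click rate than the password-reset lure, which is the kind of per-context signal the article says should steer both training content and filter tuning, while minutes-to-first-report shows how quickly the reporting channel is actually used.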
A new article in IEEE Computer written by the research team offers a complete set of recommendations for CIOs and cybersecurity officials, and a paper forthcoming from a *presentation at this year’s USEC conference provides details on the research methods and results.
*Usable Security (USEC) events bring together security and usability experts from around the world to discuss recent advances and new perspectives on research in human factors in security and privacy. Workshops include researchers from different areas of computer science such as security, cryptography, visualization, artificial intelligence and machine learning as well as researchers from other domains such as psychology, social science, and economics. USEC events are sponsored by the Network and Distributed System Security Symposium (NDSS) which fosters information exchange among researchers and practitioners of network and distributed system security.