If you think educating them on how to detect suspicious emails is the only answer, think again
About 15 years ago, phishing went from a virtually unknown phenomenon to an everyday media topic. With new users joining the internet and the commercialization of the internet beginning in earnest, many opportunities arose for phishers, who impersonate another person or entity to deceive email users. As a result, in the absence of technological protections, phishing emails suddenly appeared in everyone's inboxes. In practice, the only defense was the advice offered by security experts: beware of poorly written emails; and don't click on links in emails.
Over the years, the sophistication of attacks has steadily increased, and the number of types of fraudulent emails has grown rapidly, with attack strategies such as impersonating colleagues (so-called corporate email compromise) increasing dramatically. This increased sophistication has resulted in greater profits, leading more criminals to try their luck with this type of fraud.
Corporations and other organizations continue to believe they can train their users to avoid cyberattacks. Gartner estimates that the security awareness training market will grow at a compound annual growth rate of 42% through at least 2023, from a 2018 base of $451 million.
But nowadays, the traditional emphasis on user education is an expense and a nuisance for the end user that may not be justified by the results. As online fraud techniques proliferate and become more sophisticated, it becomes increasingly difficult for the user to detect fraud. The return on investment in any security awareness effort has fallen dramatically.
User awareness should no longer be the primary defense against social engineering. In fact, cybercrime technology has evolved to such an extent that it can only be reliably defeated with opposing technology. Unaided humans are no longer able to adequately defend themselves against cybercrime, just as fighters with bows and arrows cannot defeat enemies armed with attack helicopters.
Most defenses are better suited for algorithms than for end users. Instead, security and risk management professionals should educate end users only about threats they can reasonably detect, while using technical defenses for the vast majority of attacks.
Initially, "traditional" phishing attacks were reported to have an efficiency rate of around 3%, meaning that the vast majority of intended victims did not fall for the attacks. On the other hand, sophisticated attacks, such as spear phishing, are known to have an efficiency rate exceeding 70%.
Well-crafted phishing emails (as well as other types of deceptive emails) are very difficult for ordinary users to identify.
Some types of attacks are nearly impossible to identify, even for highly technical users. Consider, for example, an attack in which the attacker has already gained access to a legitimate email account (by deceiving its owner) and uses that compromised account to attack the user's contacts.
Other attacks, such as those that use forged names and addresses to impersonate a colleague of the victim, are easier to identify, at least in theory. By always inspecting the sender's email address and ensuring that it is a known user, it is possible to avoid falling victim to such attacks. However, increased caution comes at a price: for each extra step added to routine tasks, our productivity naturally decreases.
Furthermore, these attacks are difficult to detect in practice due to human error: many people, at least occasionally, accidentally send emails from personal accounts instead of professional accounts and vice versa, creating ambiguity about what is trustworthy and what is not. As a result, 1 in 10 users clicks on emails with fraudulent display names, according to a report by the security company Barracuda.
Given finite budgets, both in terms of finances and attention, companies and individuals must decide which awareness battles to choose, based on what people face and what types of automated countermeasures work well. Take, for example, the advice “if it seems too good to be true, it probably is” – as well as the variant “if it seems too bad to be true, it probably is.” People have emotions and judgment to warn them when something falls into this category; but, so far, computers do not. Consequently, this is something worthy of an awareness campaign.
On the other hand, the use of forged names and addresses is relatively difficult for people to detect, but easy for computers to detect. This is a problem where automated defenses are more suitable than awareness efforts.
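To illustrate why forged names and addresses are easy for machines to spot, here is an added example of a mail-gateway check (written for this page, not part of the original post or of any product it mentions): it parses the From: header and flags a known colleague's name or address appearing on an address the directory does not hold for that person. The directory and domain list are constructed sample data.

```python
"""Flag display-name impersonation in an email From: header (added example)."""
from email.utils import parseaddr
import unicodedata

# Constructed sample directory: normalized display name -> trusted addresses.
DIRECTORY = {
    "alice liddell": {"alice.liddell@example.com"},
    "bob vance": {"bob.vance@example.com", "bob@example.com"},
}
# Constructed sample of the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}


def _normalize(name: str) -> str:
    """Fold case, strip accents and collapse spaces so 'Alicé  Liddell' matches."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(plain.lower().split())


def _trusted_addresses(display: str):
    """Return the trusted addresses for a display text, or None if unknown."""
    key = _normalize(display)
    if "@" in key:
        # A common trick: put a colleague's *address* in the display-name slot.
        for addrs in DIRECTORY.values():
            if key in addrs:
                return addrs
        return None
    return DIRECTORY.get(key)


def classify_sender(from_header: str) -> str:
    """Classify a From: header as trusted, impersonation, external or unknown-internal."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    known = _trusted_addresses(display)
    if known is not None:
        # Familiar name (or address) on an address we do not hold for that person.
        return "trusted" if addr in known else "impersonation"
    if domain in INTERNAL_DOMAINS:
        # Internal domain but not in the directory; SPF/DKIM/DMARC should
        # decide whether this address was actually sent by our own servers.
        return "unknown-internal"
    return "external"
```

In production the directory would come from the identity provider, and "impersonation" would typically quarantine the message or add a banner rather than rely on the recipient noticing.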
For both digital health and human health, the relative influence of behavior versus technology is the same. From the time they are young children, humans are taught to avoid risks to their safety: don't eat dirt, don't cross the street without looking both ways, don't smoke. But the great gains in life expectancy achieved over the last century have come mainly from advances in medical technology to combat diseases.
The recipe is also the same: for human health, take care of yourself and avoid common risks, but if necessary, seek a good doctor and take your medication correctly. For e-health, teach your users basic digital safety, but also commit to always staying one step ahead of the enemy in this inevitable technological battle.
Source: https://blogs.scientificamerican.com/observations/how-to-protect-people-against-phishing-and-other-scams/
Technology for security and protection against phishing
It's important to use antivirus software on your computer. For businesses, it's increasingly relevant to also use systems like firewalls and internet access control applied across the entire company network, regardless of the devices connected to the internal network. This measure adds a complementary layer of security, reducing the risk of leaks and loss of company information and customer and employee data, preventing major disruptions and financial losses. Through an internet access control solution, it's also possible to define which categories of websites each user can access, avoiding wasted time browsing outside the scope of work and accessing websites with harmful content. Using this tool, the manager protects the network against websites used in phishing attacks, malware propagation, and ransomware.
In the video below, we demonstrate how a phishing email, impersonating the PagSeguro payment service, works in order to steal the victim's login data. First, we show access to the phishing site without protection. Then, we show an attempt to access the phishing site with Lumiun active on the company's network.
In this way, the video presents a comparison of the effectiveness of a phishing attack on an unprotected network and another with security and protection technology.