If you think educating them about ways to detect suspicious emails is the only answer, think again
About 15 years ago, phishing went from a virtually unknown phenomenon to a daily media topic. With new users coming online and the commercialization of the internet beginning in earnest, many opportunities emerged for phishers, who impersonate another person or organization to deceive email users. As a result, in the absence of technological protections, phishing emails suddenly appeared in everyone's mailbox. In practice, the only defense was the advice offered by security experts: beware of poorly written emails, and do not click on links in emails.
Over the years, the sophistication of attacks has steadily increased, and the number of fraudulent email varieties has grown rapidly, with attack strategies such as impersonating colleagues (so-called business email compromise) increasing dramatically. Greater sophistication has resulted in higher profits, leading more criminals to try their luck in this type of fraud.
Corporations and other organizations continue to believe they can train their users to avoid cyberattacks. Gartner estimates that the security awareness training market will grow at an annual growth rate of 42% through at least 2023, from a base of $451 million.
But today the traditional emphasis on user education is an expense, and a burden for the end user, that may not be justified by the results. As online fraud techniques proliferate and become more sophisticated, it is becoming increasingly difficult for users to detect fraud. The return on investment in any security awareness effort has dropped dramatically.
User awareness should no longer be the main defense against social engineering. In fact, cybercrime technology has evolved to the point that it can only be reliably defeated by opposing technology. Unaided humans are no longer able to defend themselves adequately against cybercrime, just as fighters armed with bows and arrows cannot defeat enemies armed with attack helicopters.
Most defenses are better suited to algorithms than to end users. Security and risk management professionals should therefore educate end users only about the threats they can reasonably detect, while relying on technical defenses for the vast majority of attacks.
Early on, “traditional” phishing attacks were reported to have success rates on the order of 3%, meaning that the vast majority of intended victims did not fall for them. By contrast, sophisticated attacks such as spear phishing are known to have success rates above 70%.
Well-crafted phishing emails (as well as other types of deceptive emails) are very difficult for ordinary users to identify.
Some types of attacks are almost impossible to identify, even for highly technical users. Consider, for example, an attack in which the attacker has already gained access to a legitimate email account (by deceiving its owner) and uses that compromised account to attack the owner's contacts.
Other attacks, such as those that use forged names and addresses to impersonate a colleague of the victim, are easier to identify, at least in theory. By always inspecting the sender's email address and confirming that it belongs to a known user, it is possible to avoid falling for such attacks. However, extra care has a price: with each step added to routine tasks, our productivity naturally drops.
In addition, these attacks are difficult to detect in practice because of human error: many people, at least occasionally, send email from personal accounts instead of work accounts and vice versa, creating ambiguity about what is trustworthy and what is not. As a result, 1 in 10 users click on emails with fraudulent display names, according to a report by the security company Barracuda.
Given finite budgets, both of money and of attention, companies and individuals should decide which awareness battles to pick, based on what people face and which automated countermeasures work well. Take, for example, the advice “if it looks too good to be true, it probably is,” along with its variant “if it looks too bad to be true, it probably is.” People have emotions and judgment to warn them when something falls into this category; so far, computers do not. Consequently, this is something worth an awareness campaign.
The use of forged names and addresses, on the other hand, is relatively difficult for people to detect but easy for computers. This is a problem where automated defenses are more appropriate than awareness efforts.
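As an added example (not part of the original article), this is the kind of automated sender check the paragraph above has in mind: it flags a known colleague's display name on a foreign address, an address planted in the display name, and lookalike domains. The corporate domain, the colleague directory and the headers are assumed and constructed for illustration.

```python
# Added example (not from the original article): a sender check of the kind the text
# says computers do well. Directory, domain and headers are constructed for illustration.
from email.utils import parseaddr
import unicodedata

ORG_DOMAIN = "example.com"  # assumed corporate domain
DIRECTORY = {  # assumed list of known colleagues: normalized display name -> address
    "ana souza": "ana.souza@example.com",
    "carlos lima": "carlos.lima@example.com",
}

def normalize(name: str) -> str:
    """Lower-case, strip accents and collapse spaces so 'Ana  SOUZA' matches 'ana souza'."""
    plain = "".join(c for c in unicodedata.normalize("NFKD", name) if not unicodedata.combining(c))
    return " ".join(plain.lower().split())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str) -> str:
    """Classify a From: header as ok, forged-name, lookalike-domain, external or malformed."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return "malformed"
    domain = addr.rsplit("@", 1)[1]
    known = DIRECTORY.get(normalize(name))
    if known is not None and addr != known:
        # A colleague's name on a different address: display-name fraud. This also fires
        # when a colleague really does write from a personal account, so verify out of band.
        return "forged-name"
    if "@" in name and addr not in name.lower():
        # An email address placed in the display name to hide the real sender
        return "forged-name"
    if domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        return "lookalike-domain"
    return "ok" if domain == ORG_DOMAIN else "external"

if __name__ == "__main__":
    for header in ["Ana Souza <ana.souza@example.com>",
                   "Ana  SOUZA <ceo.urgent@gmail.com>",
                   "Payroll <rh@examp1e.com>"]:
        print(f"{check_sender(header):17s} {header}")
```

A mail gateway or filter rule would apply this per message, so the user never has to inspect the address by hand.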
For both digital health and human health, the relative influence of behavior versus technology is the same. From early childhood, humans are taught to avoid risks to their safety: do not eat dirt, do not cross the street without looking both ways, do not smoke. But the great gains in life expectancy achieved over the last century have come mainly from advances in medical technology to combat disease.
The prescription is also the same: for human health, take care and avoid common risks, but when necessary, find a good doctor and take your medicine correctly. For digital health, teach your users basic digital hygiene, but also commit to always staying one step ahead of the adversary in this inevitable technological contest.
Source: https://blogs.scientificamerican.com/observations/how-to-protect-people-against-fishing-and-her-scams/
PHISHING SECURITY AND PROTECTION TECHNOLOGY
It is important to use antivirus on the computer. For companies, it is increasingly relevant to also use systems such as a firewall and internet access control applied across the company's entire network, regardless of which devices are connected to the internal network. This adds a complementary security layer that reduces the risk of leakage and loss of company information and of customer and employee data, avoiding major inconvenience and financial losses. With an internet access control solution, you can also define which site categories each user may access, avoiding both time wasted outside the scope of work and access to addresses with harmful content. With this tool, the manager protects the network against sites used for phishing, malware and ransomware.
In the video below we demonstrate how a phishing email works: it impersonates the PagSeguro payment service to steal the victim's login credentials. First, access to the phishing site without protection is shown. Then an attempt to access the phishing site with Lumiun protection active on the company's network is shown.
The video thus compares the effectiveness of a phishing attack on an unprotected network and on one with security and protection technology in place.