Laura Bishop, Director of Human Risk Science, OutThink

Cybercriminals have been utilising emails to phish their victims for 30 years without notable reductions in breaches.

Current success barriers for both educational and ‘in-the-wild’ phishing interventions are being discussed, alongside solutions indicative of OutThink, that work to overcome these challenges.

  • Humans make around 95% of decisions intuitively, yet training solutions focus on employees processing emailsconsciously. Whilst education is important, so is providing alternative cognitive strategies for employees to habitually use. Supporting 100% of decision-making.
  • Awareness training must consider motivational and social factors, as well as standard competency training. Employees need to not only have the required skills to protect themselves and their organisation but feel motivated and supported to put those skills into action.
  • Awareness training platforms must supply metrics that allow organisations to drill down to key risk areas at the individual, group and organisation levelTargeting those most at risk and key risk areas, whilst considering any limitations to organisation time and budget.
  • The primary focus of phishing simulation tools should be to provide ‘in-the-wild’ education, post awareness trainingSimulations should offer further embedded education that supports habitual phishing detection whilst reporting on current organisational risk hotspots.
  • Phishing simulation tools should offer a range of highly targeted email templates that can support an organisation’s phishing risk strategySimulations sent to employees should be focused around current organisational risk areas as well as key phishing trends.
  • Employees often experience feelings of anger and victimisation after a simulation. Organisations and simulation tools should consider employees active researchers helping highlight current areas of risk, encouraging them tfeedback information optimising future simulations.

Consider these techniques in relation to phishing emails:

___________________________________________________________________________________________________

  • Authority is utilised by positioning the sender as an expert or someone of power e.g., the CEO of an organisation, or a company displaying numerous accolades and accreditations.

_________________________________________________________________________

  • Reciprocation could be triggered in an email by the offer of a ‘free gift’ or ‘discount’ alongside a suggestion that the recipient click on a link to complete a survey.

_________________________________________________________________________

  • Commitment and consistency will often be used by identifying the recipient as a customer, reader or someone who has previously donated to a worthy cause in the hope that they will feel inclined to respond with interest again.

_________________________________________________________________________

  • Social proof could be a statement such as ‘80% of your colleagues have already completed the survey – please followthe link below’, thus providing a social basis for fast-tracking decision-making.

_________________________________________________________________________

  • Similarity and liking attempts to build rapport, offer praise or suggest a common interest.

_________________________________________________________________________

  • Scarcity can be presented in phishing emails via terms such as ‘for a limited time only’ or ‘exclusive deal,’ to encourage a quick response.

_________________________________________________________________________

  • Curiosity exploits the human need to fill gaps in knowledge and can feature as a simple link or part of a story with a need to click outside of the email to learn more.

____________________________________________________________________________________

These weapons of influence can be laced into phishing emails – often in combination – to promote heuristic decision-making and detract from its ingenuity. Once cybercriminals have initiated intuitive decision-making in the recipient, they will then suggest an action to undertake. Feeling confident the person will tune in to previously acquired heuristics and follow suit.

References:

Verizon. (2021). 2019 Data Breach Investigations Report. www.verizon.com/business/resources/reports/dbir.

https://outthink.io/human-risk/

Why Are Cyber Insurance Claims Denied?

Read more

Why a Fractional CISO Could Save Your Business

Read more

Why Every Business Needs a Holistic IT Managed Service 

Read more

Safeguarding Your Business from Email Compromise in Six Easy Steps:

Read more

How to create a cyber placement strategy for 2024

Read more

Selling Cyber – Creating A Kick-ass Sales Process

Read more

Transforming Cyber Insurance: The Infoprotect Revolution

Read more

Why Move to the Cloud ?

Read more

Cybersecurity Insurance

Read more

10 STEPS to CYBER RESILIENCE

Read more

SMALL BUSINESS GUIDE to CYBER SECURITY 

Read more

Take the fight to email impersonators

Read more

Cyber Insurance – MFA and SaaS

Read more

Phishing – Lets Educate & Upskill the users

Read more

Answer yourself truthfully… Can your business afford LAN/WAN downtime?

Read more

Into lockdown & post Brexit: Business as usual for Infoprotect UK.

Read more

The Hidden costs of cybercrime over and above the economic impact.

Read more