Your phishing reporting loop could be broken

by Egress
Published on 24th Oct 2022

Recognizing and reporting phishing was one of the key behaviors promoted during Cybersecurity Awareness Month (CAM).

Some of CAM's tips designed to help people identify a phishing attack include asking questions such as "Is it poorly crafted writing riddled with misspellings and bad grammar?" and "Is the greeting ambiguous or very generic?"

However, despite this well-meaning advice, identifying and reporting a phishing attempt isn't as simple as it may seem. Phishing attempts are becoming increasingly complex, and many employees still fail to recognize what a phishing attack looks like. 

Phishing emails are becoming more convincing

Phishing attacks are constantly evolving to become more convincing, and attackers are getting better at figuring out exactly how to get past companies' enhanced security defenses. 

According to a report published by Microsoft Defender Threat Intelligence in August 2021, there are a few key ways that email-based attackers are becoming more convincing. These include:

  • Brand impersonation using HTML tables to imitate logos and branding of trusted organizations.
  • Text padding with invisible ​​Unicode characters to bypass detection and automated security analysis.
  • Zero-point font obfuscation involves inserting hidden words with a font size of zero into the email’s body to throw off automated machine-learning detections.
  • Victim-specific Uniform Resource Identifier (URI) is designed to personalize website content seen by the intended victim to improve the success of spear-phishing attempts. 

These techniques make attacks increasingly difficult to detect or block, leaving many organizations vulnerable to phishing attacks.

The benefits of good phishing reporting

There are many benefits of phishing reporting when it is done well. Telling your employees that they should report potential phishing attempts gives them a sense of empowerment and may make it more likely that they remain on the lookout for potential phishing attempts in the future. It also improves the visibility of threats and makes other users aware of potential issues so they can avoid them. 

Consistent phishing reporting can also significantly enhance the training within the organization by providing a log of common phishing attempts. This can help ensure that everyone in the organization remains updated with recent threats, making it easier to avoid them.

"There are many positives behind reporting phishing as it can add an additional level of security between less tech-savvy employees and security staff," says Jack Chapman, Egress VP of Threat Intelligence. "With that being said, these policies have a large flaw around scalability. It becomes very hard quite quickly for a small security team to be checking all reported emails to ensure they're safe before interactions commence." 

As a result, the reporting loop many organizations rely on to fight phishing can become broken and can lead to even more problems. 

Many organizations still do not have a clear reporting policy in place

If an organization does not have a clear reporting policy in place for suspected phishing attempts, employees are left feeling uncertain about what they should do if they find one. This uncertainty leads to increased risk. 

For instance, some employees will simply delete the email and continue with their day. Others might want to report it to the organization's security team but may be unsure through which channel they should report it and what they should do after they've reported it. Some employees will decide not to report the email because they are concerned that they might get into trouble if they've already interacted with the phishing attempt. 

Once organizations have put a solid policy in place, they must give employees feedback after they have reported suspected phishing attempts. 

Suppose an employee decides to report a suspected phishing attempt and receives no feedback from the security team or that feedback takes a long time to receive. In that case, the employee may disengage from reporting similar threats in the future because they feel as if it is not making an impact. This can lead to phishing attempts going undetected within the organization. 

Users only correctly identify 10% of phishing attempts

To make matters worse, many solutions designed to detect advanced phishing attacks are gradually re-trained to start looking for spam over time. This is because many employees confuse phishing attempts with spam, which causes them to miss actual phishing attempts and report non-phishing attempts. 

This incorrect feedback can influence the models and accidentally 'poison' the data of security products that rely on feedback loops. 

"In terms of anti-phishing products and detection, user feedback often doesn't provide much use when it is fed directly back into detection," says Chapman. "This is because, on average, users correctly identify 1 in 10 phishing attempts and often mistake spam to be phishing."

He continues, "If these individuals are controlling detection, very quickly, your product becomes an anti-spam detector instead of a product created to identify those sophisticated attacks."

Inbound phishing attacks are becoming more sophisticated every month. Learn how Egress Defend uses a combination of intelligent technologies to stop advanced phishing attacks.