Training is not the answer to phishing scams

Security challenges

Phishing is the foremost threat in cyber security and organisations quite rightly want to protect themselves against it. The danger of phishing is that it directly targets the ordinary user, bypassing cyber security protections and personnel.

The limitations of training

Most products marketed to stop phishing involve training users, and in most people’s minds that means sending them fake phishing emails. These solutions offer training information, and security teams can see who clicked on the fake emails and may need more training.

Over time, the click rate reduces, which shows an (apparently) improved ability to spot phishing. It seems an elegant solution and indeed is very big business for the industry leader Cofense, which is mandated for compliance reasons in most UK financial institutions.

However, the UK’s National Cyber Security Centre (NCSC) has carried out research showing that after two years of cyber training, people are at the same level of awareness as when they first started. Hardly good value for money if you are running a business and trying to mitigate cyber threats by making your staff aware!

So what are the factors that matter?

An impossible task

First things first. No training package can teach users to spot every phish. Spotting phishing emails is hard. Spotting targeted spear phishing emails is even harder – even the NCSC experts struggle.

However, many standard templates used in the training packages are based on spotting standard signs, like checking for poor spelling and grammar. But cybercriminals can spell… and your colleagues can make spelling mistakes. This can give users a false sense of comfort, as the simulations only ever show them easy-to-catch phishing emails.

Sometimes, cybercriminals will even misspell words deliberately as a filter.

Real life example

We recently detected a real-life phishing email in which scammers were trying to imitate the Amazon brand. The aim was to get users to click a yellow call-to-action button that would take them to a fake login page, where their password credentials would be captured. In the email, some people would notice that the scammers had spelt ‘customers’ and ‘instructions’ incorrectly. Most would assume the scammers are simply uneducated and prone to mistakes.

However, it’s just as likely that this was a filter to separate those readers who speed read from those who don’t. If you don’t notice this mistake, you’re much more likely to click the link and follow the next set of instructions too. The other purpose of misspelling is to make the email look so obviously fake that users who do notice the mistake decide it’s not worth reporting. This allows the phishing page to remain up and active for longer before being noticed by the authorities.

Staying alert

Another big issue is that users cannot remain vigilant all the time, even if there were clear signs to look out for. Being aware of the threat from phishers whilst at your desk (where users are probably most aware of the risk) is hard enough.

But phishing can happen anywhere and anytime, and people regularly respond to emails on their phones and tablets outside of core hours. Mobiles restrict the amount of information shown because of space issues. This allows the phishers to get way more clicks.

The problem is that responding to emails and clicking on links is an integral part of work. Attempting to stop the habit of clicking is not only extremely difficult, but is it what you honestly want? Asking users to stop and consider every email in depth takes its toll on productivity.

At Egress we emphasise the importance of developing phishing detection so that the threat can be flagged to the user in real time, before they click on a phishing email and cause serious damage.

The lure of metrics

Phishing simulations aren’t just about training. They are also popular because they produce a metric (e.g. ‘Last week 70% of people fell for our phish, this week only 40% fell for it’). This looks really encouraging, since it appears to show that something is being achieved, but unless you’re careful you might just end up wasting time and effort.

Metrics are extremely difficult to come by in the security space, and having a clear, quantitative metric that can show progress, in an area you care about, can be really seductive. But is it really giving you an idea of your company’s defences against the real threats?

The risk of living or dying by this single metric is: what happens when you make the test emails more sophisticated, for example to test spear phishing? This will do terrible things to your click rate. You can get any result you want by adjusting the emails you send out, which is hardly an objective measure of your defences.

And if you are on the receiving end of a metric that shows a vast improvement, you should be asking some very probing questions about how the simulation was designed, because it is likely that the emails are simply too obvious!
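The effect described above, as an added example (not from the original article or from any vendor's product): the constructed figures below reproduce a 70% to 40% drop purely by changing the share of easy templates, then recompute both campaigns under one fixed template mix. The tier names, numbers and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed simulation results: (campaign, template tier, emails sent, clicks).
# Per-tier behaviour is identical in both weeks; only the template mix changes.
RESULTS = [
    ("week1", "obvious", 100, 30),
    ("week1", "targeted", 400, 320),
    ("week2", "obvious", 400, 120),
    ("week2", "targeted", 100, 80),
]

def headline_rates(results):
    """Click rate per campaign, ignoring which templates were sent."""
    sent, clicks = defaultdict(int), defaultdict(int)
    for campaign, _tier, n, c in results:
        sent[campaign] += n
        clicks[campaign] += c
    return {camp: clicks[camp] / sent[camp] for camp in sent}

def tier_rates(results):
    """Click rate per (campaign, tier); tiers with nothing sent are skipped."""
    return {(camp, tier): c / n for camp, tier, n, c in results if n}

def standardised_rates(results, reference_mix):
    """Click rate each campaign would report under one fixed template mix.

    reference_mix maps tier -> weight (weights sum to 1). A campaign that
    never sent one of the tiers cannot be compared and yields None.
    """
    rates = tier_rates(results)
    out = {}
    for camp in sorted({camp for camp, _tier in rates}):
        if any((camp, tier) not in rates for tier in reference_mix):
            out[camp] = None
            continue
        out[camp] = sum(w * rates[(camp, t)] for t, w in reference_mix.items())
    return out

if __name__ == "__main__":
    print("headline:", headline_rates(RESULTS))
    print("per tier:", tier_rates(RESULTS))
    print("fixed 50/50 mix:",
          standardised_rates(RESULTS, {"obvious": 0.5, "targeted": 0.5}))
```

When reviewing a reported improvement, ask for the per-tier breakdown and the template mix of each campaign alongside the headline figure.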

The consequences of blaming users

In trying to combat targeted phishing, many organisations try to improve efficiency by blaming and shaming their staff. Some organisations believe that if users are blamed or punished for clicking phishing emails, they will somehow be able to spot them next time around (and if they click again, the answer would be more punishment).

Quite simply, this does not work, and it can also cause a great deal of distress and even distrust between users and security teams. Many large banks try a “three strikes and you are out” approach. Using HR processes and disciplinary procedures against users who are employed to be cyber security experts makes no sense. Phishing simulations should never be used as a tool to catch people out.

Think about why you want to do training in the first place. Stopping a user to explain how they should have spotted your fake phish after a rash click seems like a good idea, but if you lock someone’s IT until they complete a lengthy course, you are causing a massive disruption to their working day.

If you shame them in front of their colleagues, you are destroying their morale and they become less productive. Whatever you do, remember that no training technique will ever get your users to recognise every phish. It’s also essential that you don’t spend your entire budget on training when you need to invest in multiple layers to build a solid defence against phishing.

The future of phishing training

With many businesses moving to the cloud for productivity advantages, including cloud-based email like Office 365 and G-Suite, the threat environment has also changed. Phishers have numerous ways to trick or deceive your users. Most of the attacks involve credential phishing, where the emails are designed to trick users into giving up their Office 365 passwords without realising.

Trying to train users for some of the attacks we see, like double-from attacks, calendar attacks, and white space attacks, would be impossible. The threat is hidden from the user, and obfuscation is used to fool the defensive scans. Only the very latest Cloud Email Security Supplements (CESS) that were designed to secure the cloud-based email environment can detect these new threats.

Our solution, Egress Defend, was shaped and guided by GCHQ. It uses machine learning and natural language processing to catch even sophisticated phishing in real time. Users are then educated in simple terms on why an email was blocked – not after they’ve already fallen for it.

If you are looking for a better way to detect the threat from phishing but keep your users’ awareness high, we’ll be more than happy to set you up with a free demo.