How to protect people from phishing and other scams

If you think educating them on ways to spot suspicious emails is the only answer, think again

About 15 years ago, phishing went from a virtually unknown phenomenon to an everyday media topic. With new users coming onto the Internet and the commercialization of the Internet beginning in earnest, many opportunities have arisen for phishers, who impersonate another person or entity to deceive email users. As a result, in the absence of technological protections, phishing emails suddenly appeared in everyone's mailboxes. In practice, the only defense was the advice offered by security experts: beware of poorly written emails; and do not click on links in emails.

Over the years, the sophistication of attacks has steadily increased, and the number of varieties of fraudulent emails has increased rapidly, with attack strategies such as impersonating colleagues (so-called corporate email compromise) increasing dramatically. Increased sophistication has resulted in more profits, leading more criminals to try their luck in this type of fraud.

Corporations and other organizations continue to believe they can train their users to avoid cyberattacks. Gartner estimates that the security awareness training market will grow at a compound annual growth rate of 42% through at least 2023, with a 2018 base of $451 million.

But today the traditional emphasis on user education is an expense and inconvenience to the end user that may not be justifiable by the results. As online fraud techniques proliferate and become more sophisticated, it becomes increasingly difficult for users to detect fraud. The return on investment on any security awareness effort has dropped dramatically.

User awareness should no longer be the main defense against social engineering. In fact, cybercrime technology has evolved to the point where it can only be reliably defeated by defensive technology of the same caliber. Unaided humans are no longer able to adequately defend themselves against cybercrime, just as fighters with bows and arrows cannot defeat enemies armed with attack helicopters.

Most defenses are better handled by algorithms than by end users. Security and risk management professionals should therefore educate end users only about those threats they can reasonably detect, while relying on technical defenses for the vast majority of attacks.

Early on, "traditional" phishing attacks were reported to be on the order of 3% effective, meaning that the vast majority of intended victims did not fall for them. By contrast, sophisticated attacks such as spear phishing are known to be more than 70% effective.

Well-crafted phishing emails (as well as other types of deceptive emails) are very difficult for ordinary users to identify.

Some types of attacks are nearly impossible to identify, even for highly technical users. Consider, for example, an attack in which the attacker has already gained access to a legitimate email account (by tricking its owner) and uses that compromised account to attack the user's contacts.

Other attacks, such as those that use forged names and addresses to pose as a colleague of the victim, are easier to identify, at least in theory. By always inspecting the sender's email address and confirming that it belongs to a known contact, it is possible to avoid falling prey to such attacks. However, increased care comes at a price: for every extra step added to routine tasks, our productivity naturally drops.

Furthermore, these attacks are difficult to detect in practice because of human error: many people, at least occasionally, accidentally send emails from personal accounts rather than work accounts and vice versa, creating ambiguity about which addresses are trustworthy and which are not. As a result, 1 in 10 users clicks on emails with fraudulent display names, according to a report from security company Barracuda.

Given finite budgets, both in terms of money and attention, companies and individuals must decide which awareness battles to fight, based on what people actually face and which types of automated countermeasures work well. Take, for example, the advice "if it seems too good to be true, it probably is" – as well as the variant "if it seems too bad to be true, it probably is". People have the emotions and judgment to sense when something falls into this category; so far, computers do not. Consequently, this is something worthy of an awareness campaign.

On the other hand, the use of forged names and addresses is relatively difficult for people to detect, but easy for computers to detect. This is an issue where automated defenses are better suited than awareness efforts.
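The forged-name check that the article describes as easy for computers, written out as an added example that is not part of the original post. The contact directory, addresses and domains are constructed placeholders; the two rules it applies are the ones the article names: does the display name claim to be a known colleague while the address is not one of theirs, and does the display name itself contain an email address that differs from the real sender.

```python
from email.utils import parseaddr
import unicodedata

# Constructed directory: normalised display name -> addresses that person
# legitimately sends from. Registering a colleague's personal address here is
# how the "sent from the wrong account" ambiguity is resolved without a click.
KNOWN_CONTACTS = {
    "ana silva": {"ana.silva@example.com", "ana.silva.home@example.net"},
    "joao pereira": {"joao.pereira@example.com"},
}


def normalise(name: str) -> str:
    """Lower-case, strip accents and collapse whitespace so 'ANA  Sílva' == 'ana silva'."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(ascii_only.lower().split())


def check_sender(from_header: str) -> str:
    """Classify a raw From: header value. Returns one of:
    trusted, display-name-impersonation, address-in-display-name,
    unknown-sender, unparseable."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if not addr:
        return "unparseable"
    # Rule 1: a display name that looks like an address but differs from the
    # real sender, e.g. "ana.silva@example.com" <x@attacker.example>.
    if "@" in name and name.lower() != addr:
        return "address-in-display-name"
    # Rule 2: the name claims to be a known colleague; the address must match.
    key = normalise(name)
    if key in KNOWN_CONTACTS:
        return "trusted" if addr in KNOWN_CONTACTS[key] else "display-name-impersonation"
    # A known address with no (or an unusual) display name is still a known sender.
    if any(addr in addrs for addrs in KNOWN_CONTACTS.values()):
        return "trusted"
    return "unknown-sender"


def triage(from_headers):
    """Run check_sender over a batch of From: headers (e.g. from a mail log)."""
    return [(h, check_sender(h)) for h in from_headers]


if __name__ == "__main__":
    # Constructed sample headers, not real traffic.
    for header, verdict in triage([
        "Ana Silva <ana.silva@example.com>",
        "ANA SILVA <ceo-urgent@mail.example.org>",
        '"ana.silva@example.com" <x@attacker.example>',
    ]):
        print(f"{verdict:28} {header}")
```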

For both digital health and human health, the relative influence of behavior versus technology is the same. From the time they are small children, humans are taught to avoid risks to their safety: don't eat dirt, don't cross the street without looking both ways, don't smoke. But the big gains in life expectancy achieved over the last century have come primarily from advances in medical technology to combat disease.

The recipe is also the same: for human health, take care of yourself and avoid common risks, but, if necessary, seek a good doctor and take your medicine correctly. For e-health, teach your users basic digital care, but also commit to always being one step ahead of the enemy in this inevitable technological fight.


Source: https://blogs.scientificamerican.com/observations/how-to-protect-people-against-phishing-and-other-scams/


Technology for security and phishing protection

It is important to run antivirus software on your computer. For companies, it is increasingly important to also deploy a firewall and internet access control across the whole company network, regardless of which devices are connected to it. This adds a complementary layer of security that reduces the risk of leakage and loss of company information and of customer and employee data, avoiding serious disruption and financial losses. Through an internet access control solution, it is also possible to define which categories of website each user may access, avoiding both time wasted on browsing outside the scope of work and access to addresses hosting harmful content. With this tool, the manager protects the network against websites used in phishing attacks and in the spread of malware and ransomware.

The video below demonstrates an email phishing attack that impersonates the PagSeguro payment service in order to steal the victim's login credentials. First, the phishing site is accessed from an unprotected network. The same access attempt is then shown with Lumiun active on the company's network.

In this way, the video compares the effectiveness of a phishing attack on an unprotected network with that on a network protected by security technology.
