IRONSCALES warns phishing training alone ineffective
IRONSCALES, the automated phishing prevention, detection and response platform, has warned that simulated training is proving ineffective on its own in the fight against phishing. Analysing its internal data collected from over 7,000 simulated email phishing campaigns, it confirmed that less than 10% of employees, duped by a phishing message sent as part of a training exercise, went on to initiate the accompanying training session. Other ‘phished’ employees had to be consistently reminded to attend the virtual exercise.
Compounding this inertia, IRONSCALES’ further analysis of its data, including results shared by potential clients unhappy with their current phishing awareness and training vendors, revealed that click rates, having decreased after the initial benchmark phishing awareness training campaign concluded, were back at the pre-campaign level within twelve months, and in some cases even higher.
In some organisations, this was found to be as high as half the workforce failing to correctly identify a phishing message landing in their inbox.
Adding context to these findings, Eyal Benishti, founder and CEO of IRONSCALES, explains, “While some may claim that security awareness training offers significant return on investment, that simply isn’t true. In fact, often when the workforce is aware that a phishing awareness training program is being initiated, everyone is extra vigilant to avoid being identified as a weak link, creating a false result.
As soon as the training is thought to have concluded, normal activity resumes and we see click rates rocket. Some may claim that there is a correlation between the number of training modules and simulations presented and the click rate degradation, but our analysis found this not to be the case.”
Phishing remains one of the most prevalent attack vectors used by cybercriminals, and it continues to become increasingly sophisticated. Spoofing and impersonation techniques are a quick and easy way for fraudsters to lure victims into a false sense of security and, as is seen regularly, their techniques are often almost impossible for even the most proficiently trained eye to spot.
With 239 billion emails sent worldwide each day, humans are simply no match for the frequency and sheer variety of bogus and malicious messages they face. Eyal continues, “While there is value in employees having a level of phishing knowledge, we must be realistic about the long-term effectiveness of computer-based training modules. With just 82 seconds between a phishing email being received and the first user interacting with the rogue message, organisations are all too often on the back foot in identifying and deflecting a phishing attack.”
In a separate evaluation of phishing data, collected from 500,000 mailboxes at more than 100 organisations located across Africa, Europe, the Middle East and North America, IRONSCALES identified over 8,500 verified phishing email attacks that had bypassed spam filters and other gateway solutions to be delivered into end users’ mailboxes.
Eyal adds, “Phishing messages continue to evade even the most sophisticated detection because, all too often, email security focuses on the gateway, utilising content filtering, signatures and even the more advanced behaviour-based solutions out there. The failure is evident as, every day, these solutions allow malicious emails to slip past and land in mailboxes.
For example, Dark Reading reports that between the months of September and early October 2017, Microsoft Office 365’s email security client missed more than 34,000 malicious phishing emails, almost 10% of the total emails studied. With millions of Office 365 users worldwide, this lapse in security is sure to have caused some businesses a headache or two.
From the users’ perspective, it is virtually impossible to identify every phishing email that lands in inboxes across the workforce. Unaware or preoccupied users, even those actively engaged in an awareness training program, could inadvertently detonate the malware contained in a message or respond to the fraudulent message, giving away confidential information. Organisations must work to help end users in their workforce spot phishing attacks that arrive in their inbox, before they become a problem.”
IRONSCALES believes that, to turn the tables on phishers, focus must move down the stack to the recipient’s inbox. By employing mailbox-level detection that performs user behaviour analysis, based on both content and context, to build a picture of what is deemed normal behaviour, anomalies in communications can be spotted and automatically flagged as suspicious.
In tandem, a mechanism needs to be in place for employees who do spot something amiss in a message to report their findings via in-mail visual alerts. Together, these allow quick reporting via an augmented email experience, helping users make better decisions and ultimately helping to protect the enterprise.
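To make the mailbox-level, content-plus-context idea described above concrete, here is an added example written for this page (not IRONSCALES’ product or code): it builds a per-mailbox baseline of which addresses each sender display name and reply-to address has been seen with, then checks new messages against that baseline alongside a simple content cue. The Message fields, the sample history and the word list are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Message:
    sender_name: str   # display name shown in the mail client
    sender_addr: str   # From: address
    reply_to: str      # Reply-To: address (equal to From: when absent)
    subject: str

# Constructed mail history for one mailbox (sample data, not real traffic).
HISTORY = [
    Message("Alice Finance", "alice@example.com", "alice@example.com", "Q3 invoices"),
    Message("Alice Finance", "alice@example.com", "alice@example.com", "Q4 budget"),
    Message("Bob IT", "bob@example.com", "bob@example.com", "Patch window Friday"),
]

# Content cue: wording typical of pressure or credential requests (assumed list).
PRESSURE_WORDS = ("urgent", "immediately", "password", "wire", "verify")

def build_baseline(history):
    """Context baseline: addresses used by each display name, and
    reply-to addresses used by each From: address."""
    name_to_addrs = defaultdict(set)
    addr_to_reply_tos = defaultdict(set)
    for m in history:
        name_to_addrs[m.sender_name.lower()].add(m.sender_addr.lower())
        addr_to_reply_tos[m.sender_addr.lower()].add(m.reply_to.lower())
    return name_to_addrs, addr_to_reply_tos

def find_anomalies(msg, baseline):
    """Return the reasons a message deviates from what this mailbox normally sees."""
    name_to_addrs, addr_to_reply_tos = baseline
    name, addr, rto = (s.lower() for s in (msg.sender_name, msg.sender_addr, msg.reply_to))
    reasons = []
    if name in name_to_addrs and addr not in name_to_addrs[name]:
        reasons.append("known display name used with a never-seen address")
    elif addr not in addr_to_reply_tos:
        reasons.append("first message from this address")
    if rto != addr and rto not in addr_to_reply_tos.get(addr, set()):
        reasons.append("reply-to points somewhere this sender has not used before")
    if any(w in msg.subject.lower() for w in PRESSURE_WORDS):
        reasons.append("subject contains pressure/credential wording")
    return reasons

def is_suspicious(msg, baseline):
    """Flag on display-name impersonation alone, or when a context anomaly
    coincides with a content cue; a lone first-time sender is not flagged."""
    reasons = find_anomalies(msg, baseline)
    return any("display name" in r for r in reasons) or len(reasons) >= 2
```

A production version would persist the baseline per mailbox and surface the reasons as the in-mail alert the text describes, so the user sees why a message was flagged.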