Black Hat is a conference held in the US each year, dedicated to the latest research, developments and trends in information security. Phishing scams were thus always going to be discussed – a task which fell upon Burnett.
She explained to the audience that everyone, even those distinguished in the digital field, was vulnerable to phishing attacks. Phishing emails simply look too real these days. That, and our brains put us at a slight disadvantage.
Burnett drew on Daniel Kahneman’s book Thinking, Fast and Slow, which describes the human brain as having two modes of thinking. “System one,” she cites Kahneman as saying, “is the brain’s fast, automatic, intuitive approach”. System two, on the other hand, “is a slower, analytical mode, where reason dominates.”
When your role requires you to receive or rummage through a high volume of emails, though, it’s not feasible to keep your system two hat on all the time. That’s the crux of the problem, because phishing scams rely on human input and human error.
“Phishing training at the moment is focused on getting people to look at URLs or hover over links, which require system two methods of thinking, not system one,” Burnett said.
“Such training is only useful once somebody is already suspicious of an email, not beforehand. You can’t train somebody’s system one to think an email is suspicious when it looks exactly like every other email they’ve received.”
Another disadvantage sometimes comes in the form of overconfidence – even a brief course left people thinking they were experts at spotting fraudulent email. The finding came off the back of PhishMe research, which analysed 52m fraud simulations conducted by companies from 2015 to 2017, in addition to real attacks that took place between January and August.
While it found that campaigns urging staff to flag phrases like “delivery issue” or “urgent order” helped matters, those efforts overlooked the pace at which scams evolve, underlining the need for greater awareness in the workplace.
Indeed, the PhishMe research highlights why employees are so successfully targeted: hackers have switched from a corporate focus to a commercial one.
“As Internet behaviour changes, so do cyber attacks,” PhishMe said. “In previous years, we reported that fear, urgency and curiosity were the top emotional motivators behind successful phishes. Now they’re closer to the bottom, replaced by our need for entertainment and social media.
“Employees will always get distracted or take a break to do personal business online, so you can expect work and home email to blur. Personal devices in the workplace often have multiple email accounts in order to sustain morale, communication and collaboration, among other reasons.
“At a high level, the issue is how consumers/employees get their news and interact. Many news and social feeds are subscription based; they’re common in email and mobile device alerts. This explains the rise in phishing attacks via social media links and fake news sites. Because they’re accustomed to them, people think it’s safe to click.”
The best way to prevent attacks is to increase awareness among staff, not only of trigger keywords, but of how their own emotional reactions can lead them to click on seemingly innocuous emails.
“Train employees to be less gullible,” PhishMe said. “It’s the best way to combat that knee-jerk response: teach people to be aware of their emotional reactions to emails and see them as phishing triggers. You can be sure attackers are paying attention.”