Why do employees keep falling for phishing email scams? As discussed in a recent SC Media 20/20 webcast, sponsored by EdgeWave, malware and phishing scams have been around since the 80s and with all of today’s security technology, one would think we’ve learned how to stop that.

Risks from email and phishing scams

Targeted, socially engineered phishing scams carry with them a variety of dangerous payloads. They can deliver malware via bad links, they can spoof employees into giving them access to private personnel data or financial accounts. And with Ransomware, they can blackmail entire companies and cities with the threat to–once embedded within the network–shut down systems and steal data unless they are paid. These attacks are getting more and more frequent and sophisticated. The cost of these attacks can easily exceed $1M for many organizations. What’s more, fighting these can require educating all employees with cybersecurity awareness training, which can itself cost significant dollars and lost productivity. The ultimate damage is to the brand of the company or organization that has been violated as it has lost the trust of its employees and customers, which can severely damage their overall enterprise value.

Why do employees keep taking the bait?

A common denominator for many risk scenarios is the human factor—the ability of mal-intended actors to target and spoof our human users/employees across business networks has never been more dangerous.

Employees as humans are now trained to act quickly in our digitally transformed world. Our “pacing” when evaluating digital communications like email, messaging, social media is almost without thought—it’s rote response. See a link, click the link, or open the attachment. Security awareness training seeks to create pause and discernment with users, yet we are moving so fast and sifting through so much on a daily basis, that pause can be missing depending on human factors such as rushed projects, stress, fatigue, etc. Unless they see undeniable risk, they may just click on it to move on to their next communication just to feel more productive.

Additionally, current events increase user susceptibility for phishing. Attackers develop event-specific phishing email campaigns because they believe people are less vigilant about clicking emails and attachments from unknown senders when it relates to something of personal interest. As reported in Dark Reading, sports fans have fallen for recent phishing scams related to the 2018 FIFA World Cup.1 Email recipients were provided with a seemingly informative email that offered a World Cup schedule and results checker. Dubbed “Wallchart”, the email contained an attachment that if downloaded is used to install potentially unwanted programs including toolbars, adware, and system optimizers.

What can IT do to improve user’s security at the endpoint?

IT pros can assess their current exposure to spam/phishing via detailed review from email security dashboards or logs from integrated SIEM tools; then modify policies and update settings for their email gateway filters to maximize a spam catch rate and reduce the number of malicious emails that employees get. But, however well-optimized their gateway solution is, targeted phishing attacks also require an increased vigilance at the endpoint for situations when highly sophisticated attacks evade gateway email security. Providing reoccurring security awareness training is a costly, but somewhat effective solution to teach employees how not to be phished. The key is to train often and ensure your training scenarios are current to help teach about the latest threats. What’s most needed are tools in the inbox that can either automatically detect one-to-one attack modalities, or enable user services that provide instant deep reviews into possible threat emails that make it past gateway defenses. Providing employee-based email reporting tools provides an out for employees when reviewing their emails so they don’t waste minutes personally analyzing message header information, subject line, and body content before deciding what to do. With employee-based email tools, suspicious emails are instantly sent to security analysts any for deep review before rendering a verdict and deleting the message if considered risky or malicious. These inbox tools give users the most control over anything that looks “phishy” and can enable them to help the organization provide a more united defense. And throughout the process, it reinforces security awareness training and serves as a simple reminder for them to take their time when reviewing emails — slowing their pace is actually warranted in this case.