Managing Human Risk in Phishing
Apr 20, 2024

by Brad Fraser
Laura Bishop, Director of Human Risk Science, OutThink
Cybercriminals have been utilising emails to phish their victims for 30 years without notable reductions in breaches.
The current barriers to success for both educational and ‘in-the-wild’ phishing interventions are discussed, alongside solutions, indicative of OutThink’s approach, that work to overcome these challenges.
Humans make around 95% of decisions intuitively, yet training solutions focus on employees processing emails consciously. Whilst education is important, so is providing alternative cognitive strategies for employees to use habitually, supporting 100% of decision-making.
Awareness training must consider motivational and social factors, as well as standard competency training. Employees need to not only have the required skills to protect themselves and their organisation but feel motivated and supported to put those skills into action.
Awareness training platforms must supply metrics that allow organisations to drill down to key risk areas at the individual, group and organisation level, targeting those most at risk and the key risk areas whilst considering any limitations on organisation time and budget.
The primary focus of phishing simulation tools should be to provide ‘in-the-wild’ education, post awareness training. Simulations should offer further embedded education that supports habitual phishing detection whilst reporting on current organisational risk hotspots.
Phishing simulation tools should offer a range of highly targeted email templates that can support an organisation’s phishing risk strategy. Simulations sent to employees should be focused around current organisational risk areas as well as key phishing trends.
Employees often experience feelings of anger and victimisation after a simulation. Organisations and simulation tools should treat employees as active researchers who help highlight current areas of risk, encouraging them to feed back information that optimises future simulations.
Consider these techniques in relation to phishing emails:
Authority is utilised by positioning the sender as an expert or someone of power, e.g. the CEO of an organisation, or a company displaying numerous accolades and accreditations.
Reciprocation could be triggered in an email by the offer of a ‘free gift’ or ‘discount’ alongside a suggestion that the recipient click on a link to complete a survey.
Commitment and consistency will often be used by identifying the recipient as a customer, reader or someone who has previously donated to a worthy cause, in the hope that they will feel inclined to respond with interest again.
Social proof could be a statement such as ‘80% of your colleagues have already completed the survey – please follow the link below’, thus providing a social basis for fast-tracking decision-making.
Similarity and liking attempts to build rapport, offer praise or suggest a common interest.
Scarcity can be presented in phishing emails via terms such as ‘for a limited time only’ or ‘exclusive deal’ to encourage a quick response.
Curiosity exploits the human need to fill gaps in knowledge and can feature as a simple link or as part of a story with a need to click outside of the email to learn more.
These weapons of influence can be laced into phishing emails, often in combination, to promote heuristic decision-making and distract from the email’s ingenuity. Once cybercriminals have initiated intuitive decision-making in the recipient, they then suggest an action to undertake, confident that the person will tune in to previously acquired heuristics and follow suit.
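As an added example that is not part of the original article, the following Python scores an email for the influence cues described above and raises the rating when several levers appear together with a request for action, which is the combination the article warns about. The cue phrases, thresholds and the three sample emails are constructed for this example and are assumptions, not any product’s detection logic.

```python
import re

# One group of cue patterns per principle discussed in the article.
# Phrase lists are constructed for this example; a real deployment would tune them.
INFLUENCE_CUES = {
    "authority": [r"\bCEO\b", r"\bchief executive\b", r"\baccredited\b", r"\bIT (?:department|support)\b"],
    "reciprocation": [r"\bfree gift\b", r"\bdiscount\b", r"\bcomplete (?:the|our|a) survey\b"],
    "commitment": [r"\bas a valued (?:customer|reader|donor)\b", r"\byour previous (?:donation|order)\b"],
    "social_proof": [r"\b\d{1,3}% of your colleagues\b", r"\bhave already (?:completed|signed)\b"],
    "liking": [r"\bgreat work\b", r"\bwe (?:both|also) (?:love|enjoy)\b", r"\bfellow\b"],
    "scarcity": [r"\blimited time\b", r"\bexclusive deal\b", r"\bexpires? (?:today|in \d+ hours?)\b", r"\bact now\b"],
    "curiosity": [r"\byou won'?t believe\b", r"\bsee what happened\b", r"\bclick here to find out\b"],
}
COMPILED = {name: [re.compile(p, re.I) for p in pats] for name, pats in INFLUENCE_CUES.items()}

# The "suggested action" that follows the influence cues (click, confirm, update ...).
ACTION_REQUEST = re.compile(r"\b(?:click|follow|open|confirm|verify|update|download)\b", re.I)


def score_email(text):
    """Return which principles fire, how many distinct ones, and an illustrative risk level."""
    hits = {}
    for principle, patterns in COMPILED.items():
        matched = [m.group(0) for p in patterns for m in p.finditer(text)]
        if matched:
            hits[principle] = matched
    count = len(hits)
    has_action = bool(ACTION_REQUEST.search(text))
    # Assumed thresholds: two or more levers plus an action request is the
    # "in combination" pattern the article describes; one lever plus an action is worth a look.
    if count >= 2 and has_action:
        level = "high"
    elif count >= 1 and has_action:
        level = "medium"
    else:
        level = "low"
    return {"principles": hits, "count": count, "action": has_action, "level": level}


# Constructed sample emails (not real messages).
SAMPLE_EMAILS = {
    "survey_lure": ("As a valued customer, I am writing to you personally as the CEO of Acme Ltd. "
                    "80% of your colleagues have already completed the survey - please follow the link below. "
                    "The offer expires in 24 hours."),
    "gossip_bait": ("You won't believe what your manager said about you in the last meeting. "
                    "Click here to find out before it gets deleted."),
    "meeting_minutes": ("Hi team, the minutes from Monday's meeting are attached. "
                        "Let me know if I missed anything. Thanks, Sam"),
}

if __name__ == "__main__":
    for name, body in SAMPLE_EMAILS.items():
        result = score_email(body)
        print(f"{name}: {result['level']} ({result['count']} principles: {sorted(result['principles'])})")
```

Lexical cues like these are only a triage aid for routing reported emails to review; they say nothing about sender authenticity and should sit alongside the reporting and education measures the article describes.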
About Infoprotect UK
Infoprotect helps businesses achieve cybersecurity compliance, maturity and customer satisfaction.
We also have a symbiotic relationship with Insurance Brokers to provide effective “cyber risk management” for their clients, which is critical for organisations of all sizes and types as cyber threats continue to evolve and become more sophisticated. It can help prevent data breaches, reduce the impact of cyber-attacks, and protect an organisation’s reputation and financial stability.
Our agile, personalised human approach differentiates us. We deliver business value to our clients through our commitment and dedication to service delivery.
Our Cyber Assess, Cyber GRC and Cyber Protect solutions are industry-leading cybersecurity services.