Look to human nature for continued success of phishing attacks

Hackers stick with a weapon they know works—and get better at using it

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Some­times, peo­ple get tired of hear­ing the same old advice—but they need to hear it again, any­way. Eat health­i­er. Exer­cise more. Spend less. And …


I know, I know, you would nev­er do that. But you’ll be stunned to find out how many peo­ple do. In fact, that’s the big les­son from Verizon’s annu­al Data Breach Inves­ti­ga­tions Report. We’ll get to that in a moment. But, first, let me dis­cuss human nature—because that’s what we’re real­ly talk­ing about here.

I’d have a real­ly tough time pitch­ing a sto­ry to an edi­tor about phish­ing. That sto­ry is so 1999. And yet, there’s a rea­son your inbox and mine are still full of notes claim­ing to be from banks that need your account num­ber and pass­word. Phish­ing works.

And it doesn’t only work on you. It works on big orga­ni­za­tions. Like hos­pi­tals. There are mul­ti­ple reports that the dra­mat­ic ran­somware attacks suf­fered recent­ly by health care providers—you know, the ones that reduced hos­pi­tals to sched­ul­ing surg­eries with pen­cil and paper—began with suc­cess­ful phish­ing emails. Yes, employ­ees click on emails, and they click on attach­ments, and hack­ers are off to the races.

Urge to click hard to resist

Why does this keep hap­pen­ing? Human nature is pret­ty tough to over­come. Think back to one of the orig­i­nal glob­al virus epi­demics—the Love Bug. It worked for one rea­son: Who doesn’t want to get a love letter?

Tech­niques have only improved since then. Today, hack­ers can hand-craft phish­ing emails with per­son­al details, such as “Our boss Rick real­ly needs you to open this file for him.”

The oth­er rea­son phish­ing works is bor­rowed from the band Pink Floyd—the Momen­tary Lapse of Rea­son. You can have your guard up 23 hours and 59 min­utes a day (I hope you aren’t read­ing email that much), but all it takes is one slip, and down the hole the hack­ers go. We all get dis­tract­ed and do dumb things. We are all vul­ner­a­ble some of the time. Hack­ers have 24 hours every day to attack.

Hack­ers hone technique

And so, phish­ing works. In fact, Ver­i­zon seems to think it actu­al­ly worked “bet­ter” last year than the year before. In the dataset Ver­i­zon stud­ied, 30 per­cent of phish­ing mes­sages were opened—compared to 23 per­cent the year before. And 12 per­cent of the time last year, recip­i­ents went on to click a mali­cious attach­ment or link, enabling the attack to suc­ceed. (Last year, it was 11 percent).

Ever more alarm­ing, on aver­age, it took few­er than 4 min­utes for tar­get­ed recip­i­ents to open a phish­ing email and click on a mali­cious link. Hack­ers get to work quickly.

It’s impor­tant to know that the attacks that tar­get­ed hos­pi­tals and oth­er orga­ni­za­tions are not your father’s phish­ing. These bad guys aren’t try­ing to direct vic­tims to a web­site and trick them into enter­ing cre­den­tials or account num­bers. They sim­ply want to exe­cute rogue code on the victim’s com­put­er through an exploit, so they can have their way with the tar­get network—install ran­somware, for example.

In the old attack, vic­tims had a third moment to pause and con­sid­er the grav­i­ty of their actions (open the email, click on link, enter data). New phish­ing emails only offer two such moments, and they are much more pas­sive. That makes phish­ing more dangerous.

And that’s part­ly why ran­somware made the biggest jump in Verizon’s list of most com­mon attacks.

Mes­sage not hit­ting home

Email users still aren’t get­ting the mes­sage. As Verizon’s report puts it: “Appar­ent­ly, the com­mu­ni­ca­tion between the crim­i­nal and the vic­tim is much more effec­tive than the com­mu­ni­ca­tion between employ­ees and secu­ri­ty staff.”

So what can you do? Don’t be afraid to give—or receive—old warn­ings about diet, exer­cise and phish­ing. If you are too smart for all this, endure the train­ing for the sake of your col­leagues, and your orga­ni­za­tion. Some­one on your team—probably sev­er­al someones—has clicked on a phish­ing email recent­ly. The data you save may be your own.

In addi­tion to train­ing, orga­ni­za­tions can help them­selves by fil­ter­ing out phish­ing emails so they nev­er get to employ­ees in the first place. And per­haps most crit­i­cal­ly, they should care­ful­ly seg­ment net­works so when human nature strikes, the dam­age is limited.

More sto­ries relat­ed to phishing:
How orga­ni­za­tions can avoid get­ting hooked by phish­ing scams
Sophis­ti­cat­ed spear phish­ing attacks becom­ing more common
Cyber crim­i­nals go spear phish­ing, har­poon executives

Posted in Data Security, News & Analysis