Look to human nature for continued success of phishing attacks

Hackers stick with a weapon they know works—and get better at using it

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Sometimes, people get tired of hearing the same old advice—but they need to hear it again, anyway. Eat healthier. Exercise more. Spend less. And …

DON’T CLICK ON ATTACHMENTS IN EMAILS YOU DON’T EXPECT.

I know, I know, you would never do that. But you’ll be stunned to find out how many people do. In fact, that’s the big lesson from Verizon’s annual Data Breach Investigations Report. We’ll get to that in a moment. But, first, let me discuss human nature—because that’s what we’re really talking about here.

I’d have a really tough time pitching a story to an editor about phishing. That story is so 1999. And yet, there’s a reason your inbox and mine are still full of notes claiming to be from banks that need your account number and password. Phishing works.

And it doesn’t only work on you. It works on big organizations. Like hospitals. There are multiple reports that the dramatic ransomware attacks suffered recently by health care providers—you know, the ones that reduced hospitals to scheduling surgeries with pencil and paper—began with successful phishing emails. Yes, employees click on emails, and they click on attachments, and hackers are off to the races.

Urge to click hard to resist

Why does this keep happening? Human nature is pretty tough to overcome. Think back to one of the original global virus epidemics—the Love Bug. It worked for one reason: Who doesn’t want to get a love letter?

Techniques have only improved since then. Today, hackers can hand-craft phishing emails with personal details, such as “Our boss Rick really needs you to open this file for him.”

The other reason phishing works is borrowed from the band Pink Floyd—the Momentary Lapse of Reason. You can have your guard up 23 hours and 59 minutes a day (I hope you aren’t reading email that much), but all it takes is one slip, and down the hole the hackers go. We all get distracted and do dumb things. We are all vulnerable some of the time. Hackers have 24 hours every day to attack.

Hackers hone technique

And so, phishing works. In fact, Verizon seems to think it actually worked “better” last year than the year before. In the dataset Verizon studied, 30 percent of phishing messages were opened—compared to 23 percent the year before. And 12 percent of the time last year, recipients went on to click a malicious attachment or link, enabling the attack to succeed. (Last year, it was 11 percent).

Ever more alarming, on average, it took fewer than 4 minutes for targeted recipients to open a phishing email and click on a malicious link. Hackers get to work quickly.

It’s important to know that the attacks that targeted hospitals and other organizations are not your father’s phishing. These bad guys aren’t trying to direct victims to a website and trick them into entering credentials or account numbers. They simply want to execute rogue code on the victim’s computer through an exploit, so they can have their way with the target network—install ransomware, for example.

In the old attack, victims had a third moment to pause and consider the gravity of their actions (open the email, click on link, enter data). New phishing emails only offer two such moments, and they are much more passive. That makes phishing more dangerous.

And that’s partly why ransomware made the biggest jump in Verizon’s list of most common attacks.

Message not hitting home

Email users still aren’t getting the message. As Verizon’s report puts it: “Apparently, the communication between the criminal and the victim is much more effective than the communication between employees and security staff.”

So what can you do? Don’t be afraid to give—or receive—old warnings about diet, exercise and phishing. If you are too smart for all this, endure the training for the sake of your colleagues, and your organization. Someone on your team—probably several someones—has clicked on a phishing email recently. The data you save may be your own.

In addition to training, organizations can help themselves by filtering out phishing emails so they never get to employees in the first place. And perhaps most critically, they should carefully segment networks so when human nature strikes, the damage is limited.

More stories related to phishing:
How organizations can avoid getting hooked by phishing scams
Sophisticated spear phishing attacks becoming more common
Cyber criminals go spear phishing, harpoon executives