There’s no doubt that general awareness for cybersecurity has been on the rise in recent years. The importance of using strong passwords, for example, is now common knowledge. But one very popular and effective threat continues to fly largely under the public’s radar: phishing.
Why phishing? According to the 2016 Cisco Annual Security Report, researchers found that 30% of phishing messages are opened, and adversaries know how effective a phishing campaign can be. To give you an idea of the scope of the problem, www.phishing.org reports that over 100 billion phishing e-mails cross the internet each day. They also report that about two thirds of all attacks start with a phishing campaign.
There are several reasons for these figures, and all of them rely on human psychology. For the attacker, it can take days or weeks to break through the cybersecurity of an enterprise. Spend a few days building an attractive phish e-mail instead, spam 1 million copies of it across the Internet, and in a few days you might have 120,000 hits, including stolen login credentials for thousands of businesses and personal bank accounts. Who knows what else they might find?
The attacker will use psychological manipulation to persuade the target to click the link. This is a real problem for organizations. Everyone should understand which psychological buttons these guys are pushing every day. Here are a few links that summarize what those tricks are and how the attacker will exploit them.
- The SANS Institute has an archive of research papers written by students working toward technical certifications. This one is a well-organized breakdown of phishing hacks into four broad psychological categories, with a discussion of the specific tactics used in each category.
- Network World offers a different breakdown of how hackers exploit our psychology, with a tighter focus on which emotional buttons succeed in getting the reader to CLICK.
- Merchant Link breaks the psychological buttons down into 7 categories. I don’t really care whether it is 4 or 5 or 7. For me, what matters is being aware that the buttons exist to be pushed.
In many cases, users come up with excuses for why they should be able to ignore cybersecurity issues without consequence. There is another way to approach this problem.
Encourage your users to be curious instead of fearful. Make a game of spotting phishing clues. Use some of the links I provide and others you find (Google “how to spot phishing email” for a start) to learn which clues to look for when deciding whether an email is a phish.
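To make the “spot the clues” game concrete, here is an added example (not code from the original post or from Cisco) that runs a few of the common phishing tells over an email message: a Reply-To domain that differs from the sender’s domain, link text that shows one host while the href points to another, urgency language, and a generic greeting. The sample messages, the domain names in them and the keyword lists are all constructed for illustration; the heuristics are a teaching aid for people, not a substitute for a mail security gateway.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phish (hypothetical domains; not a real message).
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.net>
Reply-To: verify@mailbox-collector.example
To: customer@example.com
Subject: Urgent: your account will be suspended within 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>We detected unusual activity. Please verify your details immediately:</p>
<p><a href="http://examp1e-bank-login.net/verify">https://www.example-bank.com/login</a></p>
</body></html>
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: "Alice" <alice@example.com>
To: bob@example.com
Subject: Lunch tomorrow?
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Hi Bob,

Are you free for lunch tomorrow at noon?

Alice
"""

# Illustrative keyword lists; a real deployment would tune these.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify your")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _addr_domain(header_value):
    """Domain part of the address in a From/Reply-To header, lowercased ('' if absent)."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    """Hostname of a URL (or bare domain string), lowercased."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def phishing_clues(raw_message):
    """Return a list of human-readable clues found in the message; empty means none found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    clues = []

    # Clue 1: replies are routed to a different domain than the apparent sender.
    from_domain = _addr_domain(msg["From"])
    reply_domain = _addr_domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        clues.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    # Clue 2: the link text shows one host but the href goes somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        for visible, href in collector.links:
            shown = _host(visible) if "." in visible else ""
            actual = _host(href)
            if shown and actual and shown != actual:
                clues.append(f"link text shows {shown} but points to {actual}")

    # Clue 3 and 4: pressure language and a greeting that does not use your name.
    lowered = str(msg["Subject"] or "").lower() + " " + text.lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        clues.append("urgency language: " + ", ".join(hits))
    if any(g in lowered for g in GENERIC_GREETINGS):
        clues.append("generic greeting instead of your name")
    return clues


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(f"{label}: {phishing_clues(sample) or 'no clues found'}")
```

Run on the constructed phish it reports four clues; on the benign note it reports none. The point for a user is the first two checks: the address you would actually reply to and the place a link actually goes are both visible in any mail client (hover over the link, expand the sender), so these are clues people can learn to spot without tooling.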
I’ll wrap up with a few more links if you want to know more.
- Phishing is a form of social engineering. Turns out, there are sites focused on just that topic, like this one.
- If you’re looking to improve your organization’s email security approach, check out the resources at: cisco.com/go/emailsecurity
- You can also learn what five features your next email security solution must contain to combat threats like phishing, ransomware and business email compromise in our Email Security Buyer’s Guide.
- The US government provides many resources:
October is Cyber Security Awareness Month, and Cisco is a Champion Sponsor of this annual campaign to help people recognize the importance of cybersecurity. For the latest resources and events, visit cisco.com/go/cybersecuritymonth.
I think your link to the SANS report is broken. Takes reader to InformationWeek article. Not the SANS page
Thanks very much for pointing out the broken link for the SANS paper. The correct link is here: https://www.sans.org/reading-room/whitepapers/incident/psychology-hacker-psychological-incident-handling-36077