Last week a significant phishing attack was launched against customers of JP Morgan Chase, as detected by cybersecurity firm Proofpoint and reported by Reuters. As is typical of such attacks, an email impersonating the bank asked recipients to click a link that directed them to a phony bank website operated by the crooks perpetrating the scheme.
The attack included some new technical elements: if a user clicked the link, the attackers not only tried to grab the user's JP Morgan Chase credentials via the phony login page, but also attempted to install malware that could lead to breaches at other institutions. That said, the basic delivery technique remained the same as it has been for many years: criminals sent a message that looked like it came from a legitimate business and tricked users into clicking a link.
Why is phishing – an attack method that has been around for over a decade – still successful? Why are people still falling prey to such a simple scam? Why are you at risk?
The answer is simple, but, perhaps, a bit painful:
We’ve been focusing on technology, rather than on people. And when we do focus on people we do it wrong.
Phishing, and other spam-related attacks, do not depend on technical vulnerabilities; they use a technological medium to exploit human weaknesses. The difference is significant, and game changing. While technical weaknesses can often be addressed with technical solutions, curbing phishing and related scams requires addressing the human problem at their core, an issue that has nothing to do with the digital age; deceptive actors impersonating legitimate parties have been conning people since the dawn of civilization.
In fact, a primary reason why phishing continues to be an effective method of attack, even after a decade of anti-phishing efforts, is precisely that anti-phishing technologies are often designed to combat phishing with technical "solutions" rather than by addressing the human source of the problem. Technical countermeasures can be circumvented, and if the human target is not otherwise shielded, the attack succeeds. Software that attempts to block or erase phishing emails before a user reads them, for example, does nothing if the user is directed to a rogue website via a text message, and may at times even aggravate the problem by lowering a person's guard when a cleverly constructed email does reach the inbox: the recipient assumes that illegitimate emails are blocked and therefore grants unwarranted trust to the messages he or she does receive.
Oft-repeated advice to counter phishing is to educate customers about the dangers of clicking links in unsolicited emails or opening unsolicited attachments. (See the FTC's relevant webpage as an example.) While such a recommendation might, in theory, help, the fact that phishing is still a problem after many years of people preaching the value of education makes clear that education is, at best, a partial solution.
Fundamentally, the problem is that while technology improves rapidly, the human mind takes many years to adapt and evolve. That’s why over time we find criminals increasingly focusing on tricking users rather than on exploiting strictly technical vulnerabilities.
As I have said previously: the best way to protect people against phishing is to enable humans to distinguish legitimate entities from fraudulent ones, regardless of how the phishing solicitation reaches them. This can be achieved by leveraging real, psychologically sound site authentication and the human response mechanism behind it, not by implementing complicated technologies that can, at best, deliver only partial success and, at worst, may condition users to fall prey to even more scams than they would have without the technology in place.
Ultimately, cybersecurity is not about technology. It is about keeping people safe in an increasingly electronic world. When we need to protect humans against making mistakes, we need to apply knowledge of humans, not an understanding of electronics. The importance of such an approach is not limited to combating phishing; it is needed throughout the field of information security.
My business partner, Shira Rubinoff, was a psychologist before entering the information security space a decade ago. While she may have been a pioneer in making such a transition, and has been recognized in the industry for her relevant contributions to the information security field, there remains a severe lack of information security practitioners with similar human-related skills. If we are going to successfully curb attacks that exploit human weaknesses we will need the wisdom and contributions of many more experts on human behavior.
After all, which do you think will work better and at greater scale: educating employees and customers for the umpteenth time about the dangers of clicking links, deploying the umpteenth generation of email filtering software, or actually helping people understand more easily when a certain action is dangerous?