To Fight the Phish, Advanced Technology and Awareness Training Must Coexist

A few years ago, I wrote in Dark Reading about the limitations of phishing education. What I was trying to emphasize in the article was that employees can be an organization’s weakest link - or its strongest. While I still believe this to be true, I am also of the mindset that we should continuously build on the advancements in artificial intelligence (AI), machine learning and other emerging technologies to achieve a well-rounded approach to email security. 

While employee awareness training will always play a central role in phishing mitigation, it has never been, and never will be, an effective tactic on its own. Increasingly, IRONSCALES has seen attackers deploy clever, sophisticated scams on a massive scale that even the most well-trained employees struggle to identify. The daily onslaught of spear-phishing, business email compromise and social engineering messages built specifically to bypass legacy gateway controls and trick recipients into action makes it all but impossible for employees to stand a chance over time. 

The Culprits: Attackers prey on attention span and curiosity

So, why do people, even those who have undergone phishing awareness training, struggle to identify phishing attacks themselves? The truth is, even the most sophisticated eyes, including people who work in cybersecurity, often fall for phishing scams. 

According to a study from Microsoft, people generally lose concentration after eight seconds, which equates to a shorter attention span than a goldfish. With an abundance of smart devices available, an increasingly digital lifestyle, and a busy work schedule, it's easy to see how modern stimuli can make it difficult to identify a suspicious email. 

Further, curiosity is stronger than the sense of security, especially when it comes to an employer's computer. According to a Verizon report, 12% of users consistently open phishing emails - and, to boot, 4% click on malicious links despite knowing the risks. My career in email security has taught me that curiosity and interest are natural human traits and, with the right timing and context, people will click on a link despite their security awareness.

As my colleague Ian Baxter has pointed out, this all adds up to a psychological phenomenon known as inattentional blindness. Defined as an individual failing to perceive an unexpected change in plain sight, inattentional blindness became an internet sensation in 2012 when a video was posted asking viewers how many white-shirted players passed a ball. Intently focused on the task at hand, more than 50% of the viewers failed to recognize a woman in a gorilla suit in the middle of the picture. Thanks to inattentional blindness, most people do not immediately see visual similarity clues and wrongly assume a phishing scam or fake login page is legitimate. 

How organizations should supplement phishing awareness training 

From the proliferation of fake login pages to the noted threat of social engineering attacks, email security can seem like it’s in a perilous state. The fact is that organizations that solely rely on security awareness training and legacy technology, such as secure email gateways, are poorly positioned to identify and remediate 2020-style threats. 

That’s why the team at IRONSCALES has taken a different approach to securing inboxes. Over the past few years, we’ve implemented computer vision and natural language understanding (NLU) to buttress our AI and machine learning platform capabilities.

Why is this necessary? 

The email threat landscape has changed. Attacks today are socially engineered to make people trigger flawed processes, such as wiring money, buying gift cards or changing database records. 

Where humans fail, AI has the capability to go beyond signature detection and dynamically self-learn mailbox and communication habits. The system can then automatically detect anomalies based on both email data and metadata, leading to improved trust and authentication of email communications. Anything predictable will be automated by AI, leaving the human worker to make easier and much more informed decisions.

Further, if 4% of users are consistently clicking on phishing emails, then it’s up to companies to incorporate new security measures to stop those emails from reaching inboxes in the first place. I have long stood by the assertion that the combination of human intelligence and technology is the key to better preventing and spotting phishing attacks, and that it only takes one person to click or take an action to send a business into a downward spiral. 

Computer vision and NLU empower our platform to automatically baseline human behavior and normal activity. This enables us to understand both the content and intent (“what”) of suspicious messages, and at the same time, validate sender identity and domain authenticity (“who”), which is what legacy email security tools and authentication protocols focus on. This added contextual analysis not only helps to identify social engineering, but it enables verdicts to be rendered before an email hits an employee’s inbox. 
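As an added illustration of the sender-identity (“who”) checks described above, and not code from IRONSCALES or its platform: a small Python script that baselines which addresses each display name has historically used and which sending domains are known, then flags new messages whose metadata breaks that baseline (a familiar display name arriving from a new address, a Reply-To pointing at a different domain, a look-alike sending domain, or authentication results that are not fully passing). All messages, addresses and header values are constructed sample data; the similarity threshold and the flag wording are my own choices.

```python
"""Baseline sender habits from past mail, then flag metadata anomalies.

Added example (not IRONSCALES code). Every message below is constructed.
The "auth" field stands in for a simplified Authentication-Results header.
"""
from collections import defaultdict
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed history: mail the mailbox has previously received.
HISTORY = [
    {"from": "Dana Lee <dana.lee@example.com>", "reply_to": "", "auth": "spf=pass dkim=pass"},
    {"from": "Dana Lee <dana.lee@example.com>", "reply_to": "dana.lee@example.com", "auth": "spf=pass dkim=pass"},
    {"from": "Payroll <payroll@example.com>", "reply_to": "", "auth": "spf=pass dkim=pass"},
    {"from": "Sam Ortiz <sam@vendor-example.net>", "reply_to": "", "auth": "spf=pass dkim=pass"},
]


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.lower().rsplit("@", 1)[-1] if "@" in addr else ""


def build_baseline(messages):
    """Learn which addresses each display name has used and which domains are known."""
    names = defaultdict(set)
    domains = set()
    for msg in messages:
        name, addr = parseaddr(msg["from"])
        if not addr:
            continue  # unparseable From header: nothing to learn from it
        addr = addr.lower()
        names[name.lower()].add(addr)
        domains.add(_domain(addr))
    return {"names": dict(names), "domains": domains}


def lookalike_domain(domain, known, threshold=0.8):
    """Return the known domain `domain` most resembles without equalling it, else None.

    Iterates in sorted order so the result is deterministic for ties.
    """
    best, best_ratio = None, 0.0
    for candidate in sorted(known):
        if candidate == domain:
            continue
        ratio = SequenceMatcher(None, domain, candidate).ratio()
        if ratio >= threshold and ratio > best_ratio:
            best, best_ratio = candidate, ratio
    return best


def score_message(msg, baseline):
    """Return human-readable anomaly flags for one message; an empty list means nothing unusual."""
    flags = []
    name, addr = parseaddr(msg["from"])
    name, addr = name.lower(), addr.lower()
    from_dom = _domain(addr)

    # 1. A display name the mailbox knows, arriving from an address it has never used.
    known_addrs = baseline["names"].get(name)
    if known_addrs and addr not in known_addrs:
        flags.append("display-name reuse: %r previously sent from %s" % (name, sorted(known_addrs)))

    # 2. Replies silently redirected to a different domain than the visible sender.
    reply_to = parseaddr(msg.get("reply_to", ""))[1].lower()
    if reply_to and _domain(reply_to) != from_dom:
        flags.append("reply-to domain %s differs from sender domain %s" % (_domain(reply_to), from_dom))

    # 3. A sending domain that closely resembles one the mailbox already trusts.
    look = lookalike_domain(from_dom, baseline["domains"])
    if look:
        flags.append("sender domain %s resembles known domain %s" % (from_dom, look))

    # 4. SPF/DKIM not both passing (simplified reading of Authentication-Results).
    auth = msg.get("auth", "")
    if "spf=pass" not in auth or "dkim=pass" not in auth:
        flags.append("authentication not fully passing: %r" % auth)
    return flags


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Constructed incoming message that breaks every part of the baseline.
    suspicious = {
        "from": "Dana Lee <dana.lee@examp1e.com>",
        "reply_to": "finance-desk@freemail-example.org",
        "auth": "spf=pass dkim=none",
    }
    for flag in score_message(suspicious, base):
        print("FLAG:", flag)
```

The script is a deliberately small version of the idea in the paragraph above: the baseline is learned from the mailbox's own history rather than from static signatures, and each flag is a deviation from that history, so the verdict can be reached from headers alone before anyone reads the body. In practice the baseline would be built from real Authentication-Results and Received headers and would also weight how often a sender has been seen.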

A well-rounded approach to email security

But that’s not enough. As evidenced by our recent investment in phishing simulation and training, we do believe that there is a time and place for phishing awareness training. But as we’ve always said, human defenses are just a small piece of the very complex anti-phishing puzzle. 

Regular phishing tests are a great way to increase employee engagement with security initiatives and provide employees with tangible, real-life scenarios to improve their security behavior. However, as we’ve pointed out, it's unrealistic to entrust the workforce with the massive responsibility of stopping phishing alone.

IRONSCALES offers security professionals and end users an AI-driven, self-learning email security platform that provides a comprehensive solution to stop tomorrow’s phishing attacks today. Using our decentralized threat protection network, our platform helps companies prevent, detect and remediate phishing attacks in a matter of minutes, not hours. We give organizations of all sizes complete anti-phishing protection against any type of phishing attack, right now.

We believe strongly that the best email security comes from the synthesis of artificial and human intelligence. Let us show you why.