Phishing Fatigue. PHOTO: Cybercrime Magazine.

Why Employees Remain Vulnerable To Harmful Phishing Emails

Misconceptions and overconfidence lead to clicking on scams

Erica Martin, Marketing Coordinator at Hoxhunt

Helsinki, Finland – Aug. 27, 2020

Many employees have some degree of knowledge about what a phishing email is. They may also know how hackers can use phishing to gain access to confidential data at work or in our personal lives. Every company also has some standards and policies to advise employees on how to practice safe online habits.

Whether employees truly understand those policies may be a tougher question to ask. Unfortunately, employees often lack awareness of the number of security threats facing the company. They also overestimate how prepared the organization is to handle cybersecurity attacks. These are a couple of issues you can tackle with people-first phishing training.

In this article, we will outline some common misconceptions about phishing emails. Then, we will explain why people are often overconfident, both in their abilities to spot a phish and in their organization’s ability to mitigate attacks.

[ Hoxhunt provides Automated Phishing Training and Response. Plus: Learn how to gain leadership support to invest in people-first phishing training. ]

Common misconceptions about phishing emails

If an employee is familiar with the term “phishing email” they likely will recall some of the most well-known examples. They think of those emails that seem so obvious to spot that they think only idiots would fall for. However, even the “obvious ones” may not be as easy to spot as people think.

In a previous article, we discussed how the lazy attacks can blind us from the exceptional ones with examples of sophisticated Office 365 attacks. Anyone can fall victim to an attack, and a lack of training and awareness does not make people stupid.

Medical scams or a long-lost relative being held for ransom are all examples of common email phishing attacks. However, just because they are common, doesn’t mean people aren’t still falling victim to these attacks.

In 2018, over $700,000 USD was reported lost (by Americans alone) to the 419 scams. This is an attack-type that has been around for a few decades.

These are the most common instances that people think about when they hear about phishing and when they think about security awareness training.

But why do these scams still work? The reason is social engineering.

Tried-and-tested attack vectors like the 419 scam have been adapted over the years and hackers are using more innovative measures and psychology against us. This adds another layer of difficulty to detection. Hackers are not successful with 100 percent of the phish emails they send out, but they are constantly looking for ways to increase their success rate, which is why employees also need continuous security education. Remember, one wrong click could be enough for attackers to succeed.

These are some other examples of hackers using social engineering, and these were highlighted at Tessian’s 2020 Human Layer Security Summit:

Urgent yet reasonable requests: “within 2 working days.” This sounds like a reasonable request you would receive from a boss, which is why it works for hackers because employees are more likely to take action and assume it is legitimate.

After-hours messages: Employees tend to check their emails outside of their daytime work hours on their phone, which is why hackers will try sending messages at times employees may be relaxed with their guard down, for example on a Friday or Saturday evening.

Using curiosity and “accidental” CC: Hackers will purposefully CC an individual into a conversation that is unrelated to the topic or the type of work those employees may be working on. If the message alludes to a secret or sensitive information, curiosity may get the better of you. You may open that attachment in hopes of learning something confidential, but that attachment actually contains malware.

The combination of using social engineering with personalization can make phishing attacks challenging to spot. In order to spot these attacks in their corporate inboxes, employees need to receive frequent, practical training.

[ White Paper: A real approach to implementing machine learning in security awareness training for employees. Plus: Emails that mimic the latest real-life cyberattacks. ]

Are your employees overconfident that they know how to spot a phish?

A reason why employees may not be engaged in your organization’s security awareness training is because they already feel like they know everything there is to know about phishing. They are used to the annual training videos and they usually leave those training sessions without learning something new. However, an annual review session on security policies often only covers the most basic components.

Only 3 percent of employees believe it’s difficult to spot a phishing attack, but in reality, most corporate failure rates are much higher and most employees are not properly trained on how to handle truly personalized phishing attacks.

According to Glyn Wintle of Tradecraft, when you think you know what the attacker is doing and you think it’s stupid, then you probably don’t really know what they are doing. This may sound a little cryptic, but the point is that hackers may be smarter than you think. They want to use their own time wisely, and their objective may not always be to extract money from you the second you give them what they want.

Social Security numbers, medical records, company credentials, and email addresses are just some of the targets that hackers can use against us to damage our lives at home and at work. For example, hackers may target credentials and then wait for the right time several months later to use them and impersonate you at work or they may sell the data to the highest bidder.

[ Protect remote workers with automated security training to confidently recognize and report all cyber threats. Plus: 5 ways attackers can bypass two-factor authentication. ]

Employees’ perception of the security department may be misleading

In a 2018 survey by Chubb on Cyber Risk, 86 percent of respondents underestimated or were completely unaware of how vulnerable their data is. That means that of the surveyed employees, the majority will click on a pop-up advertisement on an unknown website without thinking twice. They assume that their security department has everything under control to prevent a “small” mistake from making an impact, but this is a misconception that needs to be addressed.

Employees may not need to see a detailed list of threats the security team blocks on a daily basis, but security education is important. Educating employees about the growing amount of threats that the organization is facing and explaining some examples of “small” mistakes that can lead to a data breach can help raise more awareness about the importance of safe online habits.

Technology alone cannot solve human problems in security

Although technology can play a large role in defending the organization from an attack, even the best technology in the world cannot block out 100 percent of attacks. Employees often have a false sense of security at work because of technology. They know there is a team of people working in IT to protect their systems and network, and they assume that cutting edge technology will be able to protect them at every turn. This is far from the truth.

It only takes one human error to result in a data breach, which is why the human factor in security cannot be ignored. Tom Van De Wiele, principal security consultant at F-Secure, stated that criminal attackers live off perfecting the subtle social engineering tactics that trick employees into letting their guard down at work.

Hackers are counting on employees to let their guard down at work by crafting personalized messaging to lure them into taking an action that gives hackers access to what they want.  The best way to prepare employees on how to react and prevent them from making a mistake is through personalized phishing training. Solving the human factor of security requires the support and teamwork of all employees. By delivering frequent, personalized phishing simulations, employees will be given the proper skill set to identify and report attacks.

How personalized phishing training can make an impact

Today, hackers are not limiting themselves, and they are using a combination of technical skills and psychology to deliver highly personalized attacks. A strong cybersecurity strategy that protects the organization from these types of attacks requires a two-pronged approach as well, technology and human.

Phishing attacks can get through even the best technical defenses, and employees need increased exposure to the type of attacks and the level of personalization that hackers use in real life. Anyone can fall victim to an attack, from the CEO to the entry-level data clerk, which is why all employees need security awareness and phishing training. Training provides a safe environment for employees to become exposed to different types of socially engineered attacks. With repetition, employees will learn in phishing training on how to properly identify and report attacks in their inboxes, safeguarding your organization’s data.

Hoxhunt Archives

Erica Martin, Marketing Coordinator at Hoxhunt


Sponsored by Hoxhunt

Our mission at Hoxhunt is to enable everyone to protect themselves from cybercrime. We want you to be able to protect yourself, your family and your company.

To this date, changing employee behavior to a secure one has been incredibly hard. Organizations have tried pushing information to their employees in classrooms and in e-learning solutions. They’ve tested the results of these awareness campaigns with phishing tools and penetration tests, giving extra training only when an employee fails. While some of these methods are great for other purposes — like e-learning is for regulatory compliance. The actual results in changing employee behavior to a more cyber-secure point out otherwise, the traditional methods to patch the human component do not work.

That is why we built Hoxhunt. We want to turn employees from a company’s weakest link into the strongest asset against cyber attacks. Our gamified platform trains employees against phishing attacks in a fun and engaging way.