According to the latest report from NIST, one of the most critical factors around whether a user clicks a phishing email or not is context.
Phishing is all about convincing the recipient that the email is valid and, therefore, needs to be read and addressed. As humans, we look at the email and derive its context to determine whether we believe it’s necessary to open, read, and click through.
A number of factors come into play when determining context:
- Sender – Either the individual or the company may be known to the recipient. Using sources like your organization’s website, social media, LinkedIn, data.com, scammers can identify people and companies that appear credible.
- Subject – This all comes down to the relevance to the recipient. The more it means something to the recipient, or the more it captures their attention, the more likely the email gets opened.
- Email address – Users today should know by now they need to look at the sender details. If it looks legitimate, it’s generally a good sign users will continue reading. Keep in mind scammers do find ways to make email address domains look legitimate.
- Email Details – This is where context can shine. If the email’s timing, relevance to the recipient, dropped names, etc. all seem legitimate, the recipient won’t think twice about its credibility. There a great example in a recent blog of mine around mortgage wire fraud scams.
- Emotional Buy-In – Scammers know if they can get your users excited, angry, worried, or delighted, they have a better chance of getting a click. An email telling you there’s been unusual logon activity on your Google account (with a “click here” to logon and review the unusual activity) would probably get most of us to at least pay attention for a moment, if not to follow through completely.
Cybercriminals who are phishing (and not spearphishing) use common use cases that will get the most attention – a package delivery, an invoice, account issues at major online businesses, etc. There are countless scams that apply to the masses – both personally and professionally – making it possible for pure context to be what pushes an email over the tipping point of success.
So, what can you do to combat phishing scams with really impressive levels of context?
According to NIST, there are three parts to the strategy:
- More User Education – Users need to be trained on the latest scams, methods, and be taught what to look for. This is better known as Security Awareness Training.
- More Technology – NIST feels the solutions put in place need to move beyond just being reactive, and focus on stopping a threat before it ever even has a chance.
- User Reporting – Organizations need to make it easier for users to report attacks to IT. This allows IT to respond, including informing the remainder of the user base, minimizes the threat potential and the damage. Here is a way to do that for free.
While technology does have a role, you can see from the list above, users play a far greater role in both proactively stopping a threat, as well as responding to one. So, as you review your current security strategy, and the solutions used to create a defensive layer, consider the human factor – users are your last line of defense, and may prove to be a better barrier to attack than even the most cutting edge software.
Download, print (and laminate) this Social Engineering Red Flags for your users. It's a great, free job aid. (PDF)