Occasionally you will hear people or organizations claiming that they are on the verge of preventing all social engineering from reaching end-users. Could it be true? Could it happen one day? Could some product or service be created that prevents all social engineering and phishing from reaching end-users?
It would be nice if it were possible. Social engineering and phishing have been the number one method used by attackers and malware to exploit computer devices and their users since the beginning of computing. And year after year, social engineering and phishing not only continue unabated but keep increasing. Every new year breaks records for the amount of social engineering and phishing sent and for the number of victims.
People often wonder whether automated technical defenses (e.g., content filtering, anti-spam/anti-phishing, antivirus, etc.) will ever get good enough that no social engineering or phishing gets to an end-user.
No.
Imagining a world in which no social engineering and phishing gets to end-users is like imagining a world where all real-world crime is gone. It’s like trying to prevent all sin. It’s essentially the same argument. It’s impossible. Even just trying to significantly minimize it to the smallest reasonable amount we could all live with would take draconian measures that would severely hamper legitimate business.
There’s a tired canard in computer security that goes something like this, “The only truly secure computer is one that is powered down and sealed in concrete inside of a locked closet.” It’s secure, but no one can use it. “Perfectly secure” systems immune to social engineering and phishing would be extremely hard to create without significantly limiting the usefulness of those same devices. Instead, we all knowingly or unknowingly allow some percentage of risk to occur to use our computers.
This isn’t surprising. We make the same sort of risk/security trade-off with many other things we use in our lives. For example, car accidents are one of the biggest causes of death and injury. We could make them significantly safer. We could mechanically prevent them from going over 5 mph and require all riders to wear auto-racing-like seat belt harnesses and full face-safety helmets. That would prevent most traffic accidents, but who wants to live in that world? It would be highly unproductive and even unpleasant. Who has an hour to drive 5 miles to the store every day or three hours to drive to work each way? Who wants to take 2 minutes to get into their seat belt or be drenched in sweat when they arrive?
Instead, we allow our cars to be fairly high performance and accept the attendant risks. Cars are becoming safer every day. We are adding all sorts of collision avoidance sensors, anti-lock brakes, and, eventually, hopefully, safer autonomous driving. But even when everyone has a far safer car experience, there will be accidents, injuries, and deaths. It’s simply unavoidable in a world where we want to use vehicles to enrich our lives and make our lives more productive. And let’s not forget the very high risks of using ladders and bathtubs around our house. Based on injury statistics alone, if we didn’t use them all the time as part of our regular lives, they would likely be banned by some well-meaning government health agency.
The same is true of computers. Everyone is doing everything they can to make computers a far safer place to be. Many organizations, including Google and Microsoft, have spent many billions of dollars trying to prevent social engineering and phishing attacks from getting to their customers. And even those largest of companies, trying to stop badness from getting to their customers, often fail. This recent article, for example, says nearly 19% of phishing emails still get through Microsoft’s best defenses to its customers. Google claims to block 99% of phishing emails, which sounds good until you realize that 99% of hundreds of billions of fraudulent emails still leaves a lot of social engineering and phishing getting to end-users. And Google admits in the same document that 37% of malicious documents get through to its customers. It’s really hard to stop cyber badness even with almost unlimited resources and the best technology.
Why is it so hard to automatically detect and prevent all social engineering and phishing?
In a nutshell, it’s like asking how to detect all crimes. There are many ways of committing them. Even if a system were developed that could accurately detect all of today’s social engineering and crime, attackers would just shift their tactics to methods that aren’t well detected. That’s already what’s going on today. Today’s anti-phishing filters attempt to detect as much phishing as they can, and the attackers make a little change to get around the defenses. Defenders change their detection algorithms to detect the attackers’ changes, and the attackers just change again. Unfortunately, defending against cybercrime means the defenders will always be one step behind the attackers. Well, at least until someone comes up with a better method, which no one has been able to develop after over 40 years of trying.
It's very likely that we will have social engineering and phishing with us forever, just as we have real-world crime and car accidents with us forever. The best that society can do is to try and limit the amount of it and make it less likely to severely harm most people most of the time.
For fighting social engineering, this means individuals and organizations creating a culture that mitigates most social engineering and phishing. It means creating and following good policies, implementing the best defense-in-depth combination of technical defenses, and educating everyone about common social engineering schemes and how to detect, mitigate, and report them. That’s the best anyone can do.
Social Engineering Isn’t Limited to Emails
It’s important to remember that social engineering and phishing aren’t limited to emails or the web. Social engineering and phishing can come in many forms including: SMS phishes, voice-call phishes, social media phishes, WhatsApp phishes, in-person social engineering, and entrance tailgating. The problem isn’t just email or websites, it’s wherever a social engineering attack can happen. It’s the message, not the medium.
KnowBe4 believes that all organizations and their employees need to create a culture of healthy skepticism toward scenarios where social engineering and phishing are common. End-users need to be taught how to recognize a potential social engineering or phishing attack, how to prevent it from being successful, and when to report it to the appropriate person or team.