The problem isn’t a lack of software designed to detect, prevent, and protect; it’s that a human response is a required part of every phishing attack, and users seem happy to oblige.
The bad guys, no matter how sneaky, sophisticated, and technically advanced they are, are still constrained by the applications and operating systems their victims use. As much as they’d love to have malware install automatically the moment an email is received, they need the owner of the mailbox to open the email and click the malicious link or attachment.
In short, the bad guys need humans to behave a certain way for a phishing attack to succeed.
According to Jeff Orr, security analyst and Senior VP of Products at Ventana Research, “Simply put, people want to do their job. And in many jobs, there is a need to click on links and open attachments.”
So, as the bad guys get better at mixing targeted attacks with contextually-appropriate social engineering, they are more likely to convince their victim to engage with the email and its malicious contents. “Phishers often use psychological tricks to get users to take action that they might not usually take, preying on an employee’s desire to be helpful or their instinct to do what an authority figure tells them to do,” said Forrester VP and Research Director Joseph Blankenship.
So, how do you overcome this native human instinct that, in essence, turns users into victims?
As part of a layered security strategy, Orr recommends Security Awareness Training. “Educating your workforce to recognize phishing attempts. Ensure that you implement ongoing training, have mechanisms for reporting phishing, and test and measure performance.”
To find out more about what should be part of this kind of training, check out the Forrester Wave for Security Awareness and Training Solutions.