While technology plays an important role in protecting organizations from cyber threats, spear phishing attacks focus on the human element to ensure success. No technology solution is 100% effective in thwarting spear phishing, according to PhishMe.
A recent study by Trusteer continues to perpetuate the misconception that technology alone is the answer against spear phishing attacks. The study was based on a spear phishing test against 100 LinkedIn users and found a 68% failure rate.
While a 68% failure rate seems high, it is not an unusual number for a group that has received no prior education or training in how to spot phishing, or at least no training designed to be effective. A more accurate study would have conducted a second test on the same 100 users after an education session, to measure the effectiveness of the training.
“While we can agree with their claims of social engineering making it ‘easy to drive corporate users to fake websites that could potentially download malware onto their computer,’ it is the way they draw their conclusion, their methodology, and their claim that only a technological solution is the answer, that we take issue with,” said Rohyt Belani, CEO, PhishMe. “Companies need to be proactive in educating their customers to ensure they know what to look for to effectively reduce the risk of falling victim to phishing attacks. The reason spear phishing attacks are so popular is because they work.”
Browser sandboxing solutions attempt to protect against click-based malware. While these methods can be effective within the confines of a user’s browser, a significant number of spear phishing attacks propagate malware via file attachments to email that are opened outside a browser (e.g. via Outlook), leaving the user vulnerable.
“Social engineering is a human issue and should be addressed as such,” added Aaron Higbee, CTO, PhishMe. “Sweeping claims like those made by Trusteer can lead to a false sense of security in the minds of end users, resulting in complacency leading to a compromise. Continuing to let users believe that if their security solution allows something to make it into their inbox, that it is safe, is irresponsible. We need to proactively teach people to be suspicious and know what to look for as a threat, regardless of existing security protocols.”