Why Customer Education Doesn't Work
Fighting Phishing, Malware Requires Technology
The FBI's recommendations were educational in nature, informing users of what may constitute a potential phishing scam. Since then, other industry pundits have called for better end-user education as a means to solve the spear-phishing problem.
While user education is valuable, needed, and helpful, there is one problem with this approach - it only partially works, and partially working is simply not good enough.
We've been taught our entire lives to not fall for scams. We're pretty good at avoiding most of the scams that come our way. But the Internet provides a number of advantages to scammers that render human observation and "street smarts" powerless.
Sure, there are certain types of phishing e-mails, such as winning a foreign lottery or being named heir to a massive fortune, that most of us consistently identify as fraud. Unfortunately, there are some who do fall for these hoaxes.
Abraham Lincoln's quote about the ability to "fool some of the people all of the time" is appropriate here.
Let's assume that we could train every single person who uses the Internet to identify every single "standard" phishing e-mail that comes along. Will that solve the spear-phishing problem?
Look at the following list and identify which one(s) represent a scenario where user credentials are stolen or information-stealing malware is installed on the end-user's device.
- You receive an e-mail from your brother's work account and you open an attached photo.
- You visit a local sports website you frequently read.
- You click on the link in a Tweet posted by a well-known industry analyst.
- You install an application downloaded from a popular software site.
- You save files to a USB drive you received at a recent trade show.
- You click on a link in a poorly worded e-mail claiming you inherited $100,000.
- You buy a new PC from a big box store and turn it on.
- You surf the web, visiting reputable websites such as NBC.com.
- You open a spreadsheet sent to you by your company's finance department.
Before we identify which of the above scenarios are potentially harmful, it's important to understand just how resourceful and intelligent cybercriminals can be.
Some of these folks are former government-trained cyberespionage experts who are now applying their skills to commit cyberfraud. Others are self-trained hackers connected to a sizable underground community of like-minded criminals who continually work to beat the most sophisticated military, government and financial services cyberdefense systems.
And sometimes they're successful.
The point is, the typical end-user relying simply on his brain, no matter how well-trained, is no match for today's cybercriminal.
Now, back to the list.
Did you find the scenarios that are used to steal credentials or install malware? The correct answer here is "all of the above."
These scenarios are not hypothetical; they have actually been used to steal user credentials and secretly install malware.
Not so easy to identify, are they?
Spear-phishing only represents one method for stealing credentials and installing malware.
Let's even argue that with comprehensive, ongoing training and full, ongoing diligence, the typical end-user could uncover the fraud behind some or most of the above scenarios. What would the cost-benefit ratio be?
Ongoing training is resource-intensive and takes users away from work. Ongoing diligence is time-consuming and mentally draining.
If users are required to suspect virtually every situation they encounter when online, how can they perform their jobs at their highest levels?
I argue that fighting advanced cybercrime requires equally advanced cybercrime detection and prevention technologies - fight fire with fire.
Rather than relying on our employees to identify and avoid all potential threats (which is impossible), let's augment human judgment with computing power.
The Criminal Mind
The first step is to understand what the criminals are trying to accomplish, which is credential theft through phishing and malware infection to enable credential and data theft.
While some older technology is no match for today's cybercriminals, newer, proven technology is available that reliably prevents end-users from divulging corporate credentials to phishing sites. Proven technology is available that reliably prevents the installation of malware on end-user devices.
Both of these technologies function with little to no end-user interaction. This approach allows employees to focus on their jobs, relieving them of the constant vigilance required to avoid cyberscams. And our employees will always be better at their jobs than they will be at identifying online scams.
George Tubin is a banking expert at anti-malware and anti-phishing provider Trusteer.