“Security pros constantly invent better mousetraps, but the mice never stop evolving,” is Josh Bartolomie’s first statement in the report. The Director of Research at Cofense goes on to ask: if the ‘mice’ keep evolving, how exactly can organisations stop attacks?

Anton Jacobsz, CEO at value-added distributor Networks Unlimited Africa, a distribution partner with Cofense in sub-Saharan Africa, says phishing attacks rely on a single moment of inattention or ignorance.

“A link is presented and, if it’s followed, can become front page news,” he says. “Even for savvy technology users, a moment of inattention can result in horrendous consequences and we know that, if a business’s IT infrastructure is able to stop employees from receiving the bait in the first place, no one can bite.

“But what about the phishing messages that make it through? Yes, cyber crooks are continually evolving their approaches, but ongoing user education will ensure that even the people least comfortable with computers understand how to identify, report and avoid the threat, and that has got to be a good thing.”

People have been receiving requests for assistance from Nigerian princes for as long as one can remember, says Jacobsz. They are the source of many jokes and memes to those in the know and yet, these attempts still find (and fool) everyday people. The approach survives because it relies on human flaws instead of flaws in computer soft- or hardware, and phishers are experts at the art of confusion.

The report clarifies: ‘[They] confuse people into inputting passwords or other credentials the attackers want… it’s all about and around social engineering; getting or tracking somebody into getting or giving you something you normally would not want to do.'

Why do people still fall for phishing?

How is it that people are still falling for the phishing, vishing (telephonic), smishing (SMS fishing), pharming (web site interception and redirection) and whaling scams?

According to the report phishing emails and websites are often extremely convincing. Usually, the only way to tell if a message is legitimate is to hover over the links in the message with a mouse but even then, the link might be so familiar that most message recipients wouldn’t flag the message as fake.

“Defeating these cyber crooks often means understanding them, and while we all think hackers are evil geniuses, thanks in part to Hollywood movies, learnings thus far show that they’re usually just a person apparently standing in front of another person asking for help,” says Jacobsz. “Usually, this request is for the delivery of money and perhaps less usually, it’s delivered hand in hand with a threat of some kind.”

The most recent example of mass spear phishing is one that saw an attacker email ordinary people, mentioning a comprised social media password. The message claimed the user’s email password was the same as the compromised password but offered to leave the email account alone in return for ransom.

“Because most humans still use the same password for everything, the attack has probably scared at least a few people into paying up,” says Jacobsz.

Phighting the phishing phenomena

He advises that the secret is to reduce vulnerabilities within the organisation as much as possible.

“Two-factor authentication and strong password security are musts, but these steps are only the beginning,” says Jacobsz. “The best defence is combining security awareness training with good technology.”

The report says by making it technologically more difficult to execute attacks, we give IT defenders a wider window to prevent the attack running through the network, minimising damage.

However, Cofense’s Bartolomie says when it comes to humans and threatening emails do slip through the cracks, attackers seem to target lower-ranking employees with mock demands, perhaps in the form of a message supposedly from a senior business executive - a method that has proven very successful.

“Executives are also major targets in and of themselves in that they might have more in-depth access than other employees.”

Fellow contributor to the report, Matthew Verhout, vice chair of the Email Experience Council, says that are four ways to fight phishing and they are as follows:

1. Get educated. Consider investing in phishing awareness training for employees.
2. Improve business processes. When dealing with large monetary transfers, build a secondary verification into the process.
3. Invest in solid technology. A good anti-spam product is the first line of defence and will help catch many fraudulent emails before they reach the inbox.
4. Craft a response plan. Mistakes happen. Knowing a plan is in place in the event of a successful phishing attempt will rally an organised approach to minimising the attacker’s access.

“It is a shared statement throughout the paper - the best defence is making employees see the benefits to joining the company’s protection efforts,” says Jacobsz. “Transparency and ongoing communication and education can help. Another idea would be to publicly acknowledge employees who have spotted suspicious messages and share examples of what these attacks look like via the company newsletter, so people know what types of communication to avoid.”

 “As Bartolomie says in the report, and I paraphrase, the mice might keep evolving and companies can get better at not leaving cheese out, but we must all keep working on better traps,” he concludes.