The psychological nature of phishing ensures that users will slip up now and again, and because hackers are continually honing their techniques, email filters will slip up too. This means that while there’s no single technology that will stop 100 percent of phishing emails, and no cure-all that makes people stop clicking on them, a combination of the following key components represents the best way to stop phishing emails:
AI-based anti-phishing technology
Most anti-phishing technologies scan for fingerprints: unique identifiers of the email, such as a hash of the header, footer, subject line, or email body. If the email filter recognizes the fingerprint, it blocks the email. But if a hacker makes even a slight adjustment to any of those identifiers, a fingerprint-based or purely statistical filter will not recognize it, and the phishing email will be delivered.
Machine Learning algorithms represent a more intelligent solution than traditional fingerprint scanning because they recognize behaviors in addition to fingerprints. Behavioral analysis can stop phishing emails by identifying obfuscation and evasion techniques that fingerprint-based filters cannot. Common techniques include URL redirects and shorteners, which hide the real destination of a link, and Bayesian poisoning, in which the attacker pads the message with innocuous or random words so that a word-frequency (Bayesian) filter scores it as legitimate.
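To make the difference between the two approaches concrete, here is an added example (not Vade Secure’s filter logic; the sample bodies, the shortener list, the redirect parameter names and the heuristics are all constructed for illustration). It fingerprints a known phishing body with an exact hash, shows that a one-character change defeats that fingerprint, and then shows that simple behavioral checks on the links (URL shorteners, URL-carrying redirect parameters, and link text that displays one domain while pointing at another) still catch the variant.

```python
"""Fingerprint vs. behavioural phishing checks (illustrative, added example).

The sample bodies, the blocklist seed, the shortener list, the redirect
parameter names and the heuristics are constructed for illustration and are
not Vade Secure's filter logic.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: a phishing body the filter has already seen and fingerprinted.
KNOWN_PHISH = (
    '<p>Your PayPal account is limited.</p>'
    '<a href="https://bit.ly/3xAmPl3">https://www.paypal.com/signin</a>'
)
# The same template with a single character changed ("limited." -> "limited!").
VARIANT_PHISH = KNOWN_PHISH.replace("limited.", "limited!")
# An open-redirect style link: a trusted host whose query parameter carries the real target.
REDIRECT_PHISH = (
    '<p>Please review the document.</p>'
    '<a href="https://trusted.example.com/out?url=https://evil.example.net/login">'
    'https://trusted.example.com</a>'
)
# A benign message that links to the host it displays.
BENIGN = '<p>Meeting notes attached.</p><a href="https://docs.example.com/notes">docs.example.com</a>'

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}          # constructed list
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "goto", "dest", "continue"}


def fingerprint(body: str) -> str:
    """Exact fingerprint: SHA-256 of the body with whitespace collapsed and lower-cased."""
    normalized = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(normalized.encode()).hexdigest()


# Simulated fingerprint blocklist, seeded with the known sample only.
BLOCKLIST = {fingerprint(KNOWN_PHISH)}


def fingerprint_blocks(body: str) -> bool:
    return fingerprint(body) in BLOCKLIST


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def behavioural_findings(body: str) -> list:
    """Return the behavioural indicators found in the anchors of body (empty list if none)."""
    parser = _LinkExtractor()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        if host in SHORTENERS:
            findings.append(f"shortener:{host}")
        # Redirect pattern: a query parameter whose value is itself a URL.
        for param, values in parse_qs(urlparse(href).query).items():
            if param.lower() in REDIRECT_PARAMS and any(v.startswith(("http://", "https://")) for v in values):
                findings.append(f"redirect-param:{param}")
        # Link text that looks like a URL but names a different host than the href.
        if text.startswith(("http://", "https://", "www.")):
            shown = _host(text if "://" in text else "https://" + text)
            if shown and shown != host:
                findings.append(f"display-mismatch:{shown}->{host}")
    return findings


def verdict(body: str) -> str:
    """Fingerprint check first (cheap), behavioural checks second."""
    if fingerprint_blocks(body):
        return "blocked:fingerprint"
    if behavioural_findings(body):
        return "blocked:behaviour"
    return "delivered"
```

Run against the samples, the known template is blocked by its fingerprint, the one-character variant slips past the fingerprint but is blocked by the shortener and display-mismatch findings, the redirect sample is blocked by its URL-carrying `url` parameter, and the benign message is delivered. Real filters use learned models rather than hand-written rules, but the point is the same: the fingerprint is brittle, the behavior is not.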
Computer Vision, a branch of Machine Learning, analyzes images rather than text. This recent addition to anti-phishing technology was developed in response to image distortion in phishing emails. Brand logos appear in most phishing emails, and they too leave a fingerprint, so hackers distort them, for example by altering color and geometry, to bypass filters that match on the exact image. Computer Vision algorithms can also recognize and decode QR codes, which are common in sextortion emails.
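The following added example (pure Python, not Vade Secure’s Computer Vision engine) shows why an exact image fingerprint fails and a similarity-based one does not. A 16×16 grayscale “logo” is constructed inline, then brightened and shifted by one pixel, the kinds of distortion the paragraph describes. The SHA-256 of the pixel bytes changes on any edit, while a simple average hash (a perceptual hash that records whether each downsampled cell is above the image mean) stays within a small Hamming distance of the original and still separates it from a genuinely different image. The image size, distortion amounts and the threshold of 10 bits are assumptions for the demonstration.

```python
"""Exact vs. perceptual image fingerprints (illustrative, added example).

The 16x16 'logo', the distortions and the 10-bit threshold are constructed for
illustration; real anti-phishing Computer Vision uses learned features, not
this toy average hash.
"""
import hashlib

SIZE = 16        # side of the constructed grayscale image
HASH_SIDE = 8    # average hash works on an 8x8 downsampled grid (64 bits)


def make_logo(rect_rows=range(4, 12), rect_cols=range(4, 12), bg=20, fg=200):
    """Constructed 'logo': a bright rectangle on a dark background."""
    return [[fg if (r in rect_rows and c in rect_cols) else bg for c in range(SIZE)]
            for r in range(SIZE)]


def brighten(img, delta):
    """Color distortion: shift every pixel by delta, clipped to 8 bits."""
    return [[min(255, p + delta) for p in row] for row in img]


def shift_right(img, n=1, fill=20):
    """Geometry distortion: move the content n pixels right, padding with background."""
    return [([fill] * n + row)[:SIZE] for row in img]


def exact_hash(img):
    """Exact fingerprint of the raw pixel bytes; any single-pixel change alters it."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


def average_hash(img):
    """64-bit average hash: downsample to 8x8, set a bit where the cell exceeds the mean."""
    block = SIZE // HASH_SIDE
    cells = []
    for br in range(HASH_SIDE):
        for bc in range(HASH_SIDE):
            total = sum(img[r][c]
                        for r in range(br * block, (br + 1) * block)
                        for c in range(bc * block, (bc + 1) * block))
            cells.append(total / (block * block))
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def same_logo(a, b, threshold=10):
    """Similarity match: treat images within `threshold` bits as the same logo."""
    return hamming(average_hash(a), average_hash(b)) <= threshold


ORIGINAL = make_logo()
BRIGHTENED = brighten(ORIGINAL, 30)
SHIFTED = shift_right(ORIGINAL)
# A different image: a full-width horizontal bar instead of a square.
OTHER = make_logo(rect_rows=range(6, 10), rect_cols=range(0, 16))
```

With these inputs the brightened copy has a different SHA-256 but an identical average hash (a uniform brightness shift does not change which cells sit above the mean), the shifted copy differs in 4 of 64 bits, and the horizontal bar differs in 16 bits, so a threshold of 10 accepts the distorted logos and rejects the unrelated image. A production system tunes that threshold against real false-positive data rather than picking it by hand.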
Phishing awareness training and reinforcement
Despite the booming phishing awareness market, phishing emails continue to trick users and cost businesses money. That isn’t to say that phishing training isn’t effective. It’s highly effective. According to Verizon’s 2019 Data Breach Investigations Report, click rates on phishing emails dropped to just three percent in 2018.
Verizon also examined the click and reporting rates of users in simulated phishing exercises. Within the first hour after training, users are less likely to click on malicious emails (two percent), but beyond that first hour click rates rise to nearly eight percent. Reporting of phishing emails, which is critical to stopping them, also drops off after the first hour.
Despite the reduction in the overall click rate, the data shows that users’ resistance to phishing is tied to how recently they were trained. Annual training, which is the norm for most organizations, is clearly not enough. Simulated exercises must be augmented with continual training that reinforces best practices and is not only more realistic but also more memorable.
Phishing simulations are artificial, but contextual training ties the lesson to a real-life event: an actual phishing attack. Unlike a simulated exercise, the training is not random but adapted to the user’s experience: if a user clicks on a PayPal or Microsoft phishing email, they receive an alert that includes an invitation to complete training content based on PayPal or Microsoft phishing emails. The result is a more memorable training experience, because the user experienced the phishing attack firsthand.
Reporting and feedback loops
According to Verizon, only 17 percent of phishing attacks are reported to IT. This low number could be tied to the waning effectiveness of training over time, but it could also reflect a general lack of understanding about what happens when a user reports a phishing email.
Reporting an email threat does more than alert IT to a single email or a potential wave of them. A phishing email that slips past a filter is a false negative, a mistake on the part of the filter that has to be corrected. Typically, IT forwards the email to the security operations center (SOC) of their email security vendor, which uses it to retrain the filter and improve its efficacy. If the user simply deletes the email, none of this can happen.
Reporting emails is critical, but giving users a tool to report is equally important in the effort to stop phishing emails. To discourage users from deleting or ignoring phishing emails and encourage them to report, offer an email feedback loop that is integrated into your email client.
With Vade Secure for Microsoft 365, users can report email threats directly to our SOC by clicking the Junk or Phishing buttons in Outlook. This feedback loop provides a simple, one-click way to report email threats immediately, reducing the lag between email delivery and threat mitigation, making users better reporters, and strengthening the email filter.