Phishing costs billions of dollars in lost assets and damaged reputations every year, and the trend shows no signs of abating. The relative ease of executing a phishing attack coupled with the lucrative payoff ensures that phishing will continue to plague online interactions.
Studies show that human error is responsible for most cyber breaches, and that some form of phishing lure, be it email, web, app, or social network, comprises the first phase of more than 90% of those breaches.
To counter human mistakes, many organizations have implemented security awareness programs that train employees and contractors to identify phishing scams and avoid the hook. But outside the company, beyond the network perimeter, customer end-users remain vulnerable and ill-equipped to fend off advanced phishing attacks. What is the best practice for protecting customers from online fraud such as phishing? Is customer education a reasonable goal? Where should organizations invest their customer-facing cybersecurity or counter-fraud resources – in anti-phishing education?
To answer these questions, it helps to understand how well security awareness programs are working for employees and whether lessons learned can be applied to customer communities.
Will they ever learn?
CISOs and fraud and risk managers must be pulling their hair out in frustration. Even after security awareness training and refresher courses, a high percentage of personnel continue to fall for phishing scams. It’s not because they didn’t pay attention in training class. It’s because threat actors are able to impersonate company websites and other digital channels so well that the phishing attack is practically impossible to spot.
Not only does a counterfeit site or email look and act like the real thing, it has all the security trappings you expect to see. Even security-aware users are tricked into interacting with the phish and divulging logins, passwords, account numbers, and other confidential information.
To illustrate the point, the Segasec team was asked to simulate a phishing expedition against a particular bank. We invited one of the bank executives to log into his account. He did, and saw that his balance and recent activity were spot on, just as he expected. We asked him to move money to another account. He did, and the money moved, just as expected. But the whole time, he was on a mirror site – getting phished. He couldn’t believe it. The site looked genuine and the user experience was completely familiar.
If a security-trained bank executive can be fooled, what chance does the bank customer have?
Security awareness education isn’t enough
At its 2018 Security & Risk Management Summits, Gartner advised company CISOs to “use technical controls to block as many phishing attacks as possible. But make users an active part of the defense strategy.” In other words, combine anti-phishing technologies with security awareness training to defend against attacks and reduce breaches.
This is practical advice because security awareness training on its own is not enough to defend against phishing attacks. Security awareness vendors report that, on average, after an organization executes a security awareness training program, employee interaction with phishing emails drops from about 50% before training to 15% after training. While that’s a significant reduction, the organization remains at risk from the 15% who are still likely to get phished.
When you factor in the cost of training and of managing the security awareness programs, and of overcoming employee resistance to policies they see as a hindrance to productivity, the challenges are significant while the results are only partially effective at best.
That’s why Gartner stresses the importance of using technical controls to block as many phishing attacks as possible.
Customers are not a captive audience
Now, let’s apply the security awareness model to customers, who constitute a much more diverse and unmanageable demographic than employees. Security awareness training for customers may be not only impractical but counter-productive.
- Customers are not a captive audience (don’t we wish they were!). You can’t “mandate” their participation in training programs.
- Security awareness initiatives could arouse customer concern that doing business via your digital channels is not safe.
- Consumers want to know that your company is taking care of cybersecurity so they don’t have to worry about it; bottom line, they want to be able to TRUST it. 79% of consumers believe organizations have an obligation to take reasonable steps to secure their personal information.
- Reputational damage can be the top business impact of a security breach. After a breach, 65% of customers lost trust in the organization, and 27% discontinued their relationship with it.
Where customers are concerned, the best practice is clearly to focus security resources on the first part of Gartner’s advice – use technical controls to block as many phishing attacks as possible, before they reach your customers.
Intervene before phishing attacks impact customers
The best way to stop phishing attacks on your customers is to be proactive: take the battle to the threat actor’s domain, where phishing campaigns are under construction and can be pre-emptively neutralized. That means using technologies, like Segasec, that are able to detect, monitor, and disarm counterfeit phishing sites and compromised servers before campaigns launch. With a 99.97% catch rate and zero false positives, proactive anti-phishing controls are far more effective than education programs in helping to:
- Prevent your online assets from becoming the bait in a phishing attack.
- Stop ruinous phishing attacks that steal customer data and dollar assets.
- Shield your brand equity from malicious exploitation.
- Protect the customer experience with your organization and services.
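To make the “detect counterfeit sites before the campaign launches” idea concrete, here is an added example written for this article; it is not Segasec’s product or code, and the checks it applies (homoglyph normalization, an embedded brand name, and edit distance against the brand’s label) are general lookalike-domain techniques, not a description of what Segasec specifically does. It assumes a hypothetical brand domain examplebank.com, a constructed list of newly observed domain names standing in for a real source such as a certificate transparency or passive-DNS feed, and a small hand-picked homoglyph table.

```python
"""Flag newly observed domains that look like a brand's domain.

Added illustration, not Segasec's code. BRAND, SAMPLE_FEED and HOMOGLYPHS
are constructed for this example.
"""
from __future__ import annotations

BRAND = "examplebank.com"  # hypothetical brand domain (assumption)

# Constructed feed of newly seen domain names (e.g. from a CT log); it mixes
# the brand's own hosts, typical impersonation patterns and unrelated names.
SAMPLE_FEED = [
    "examplebank.com",
    "login.examplebank.com",
    "examp1ebank.com",                # digit 1 for letter l
    "exarnplebank.com",               # "rn" for "m"
    "examplebank.net",                # same name, other TLD
    "secure-examplebank-login.com",   # brand embedded in a longer label
    "examplebnak.com",                # transposed letters
    "weather-today.com",              # unrelated
    "bankexample.com",                # unrelated enough to stay unflagged
]

# Small hand-picked table of characters attackers swap in for look-alikes.
# Multi-character keys are applied first so "rn" is not split into r and n.
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "ı": "i", "ο": "o", "а": "a", "е": "e",   # dotless i, Greek, Cyrillic
}


def normalize(label: str) -> str:
    """Collapse homoglyph substitutions: 'examp1ebank' -> 'examplebank'.

    Applied to both the brand label and the candidate, so a legitimate
    'rn' in a brand name is folded the same way on both sides.
    Real feeds carry IDNs as punycode ('xn--'); decode those first.
    """
    s = label.lower()
    for src in sorted(HOMOGLYPHS, key=len, reverse=True):
        s = s.replace(src, HOMOGLYPHS[src])
    return s


def registrable_label(domain: str) -> str:
    """Second-level label of a domain. Assumes single-label public suffixes
    (.com, .net); production code should consult the Public Suffix List."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, brand: str = BRAND, max_distance: int = 2) -> str | None:
    """Return why `candidate` looks like `brand`, or None if it does not.

    The brand's own domain and its subdomains are never flagged.
    """
    candidate = candidate.lower().rstrip(".")
    brand = brand.lower().rstrip(".")
    if candidate == brand or candidate.endswith("." + brand):
        return None
    raw_brand, raw_cand = registrable_label(brand), registrable_label(candidate)
    brand_label, cand_label = normalize(raw_brand), normalize(raw_cand)
    if raw_cand == raw_brand:
        return "same name, different TLD"
    if cand_label == brand_label:
        return "homoglyph substitution"
    if brand_label in cand_label:
        return "brand name embedded in a longer label"
    distance = levenshtein(cand_label, brand_label)
    if distance <= max_distance:
        return f"edit distance {distance} from brand label"
    return None


def scan(feed: list[str], brand: str = BRAND) -> dict[str, str]:
    """Map each flagged domain in `feed` to the reason it was flagged."""
    return {d: reason for d in feed if (reason := classify(d, brand))}


if __name__ == "__main__":
    for domain, reason in scan(SAMPLE_FEED).items():
        print(f"{domain:32} {reason}")
```

The output is a shortlist for monitoring and takedown, not a verdict: a short brand label or a generic word in the name will produce collisions, so a real deployment tunes `max_distance` per brand, decodes punycode before normalizing, and uses the Public Suffix List to find the registrable label.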
It has been our experience that when threat actors are thwarted over and over again, they move on to easier targets. That’s a bonus that even Gartner didn’t anticipate!