The number one way to spot a phishing email
Phishing emails continue to rise, and they remain the most common way that organisations are compromised. Both at home and at work, we all need to be vigilant against phishing: the right phish at the wrong time can catch us all.
And, while email remains the most common way that cyber criminals phish us, it's important to be aware that phishing can take place over any channel. We're seeing more and more phishes over SMS text message, social media, phone calls, and messaging apps like WhatsApp.
So, what can we do to spot a phish? Traditionally, security professionals would give the advice to 'avoid clicking on suspicious links'. I've always found this pretty hilarious / depressing. If only it were that easy! But, I guess it's one step better than the often-shared 'avoid clicking on links'. Links were designed to be clicked on!
Other advice includes looking out for grammatical or spelling errors, checking the sender's address (by clicking on it to expand it) and hovering over the link to see where it is actually pointing.
There are many problems with all of this advice. Phishing messages don't always include grammatical or spelling errors (and the ones that do sometimes do so on purpose, as I spoke about here). It's impossible to expand the sender's address or hover over the link on some devices. The latter advice also ignores the fact that phishing messages don't always include malicious links. Many have malicious attachments or encourage the recipient to share information or transfer money. Others are designed to lure targets in, for example warming them up to social engineering that then follows over a phone call.
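To make the two 'traditional' checks above concrete (the real sender address hiding behind a display name, and link text that claims one URL while the href goes somewhere else), here is an added example in Python that is not part of the original post. It runs the checks over a constructed sample message; the addresses, domains and subject line are invented for illustration. Note what it does not catch, which is exactly the caveat made above: a message with no links and a plain sender address, asking the recipient to transfer money or call a number, produces no findings at all.

```python
"""Surface the two signals the classic phishing advice asks people to eyeball:
the real sender address behind a display name, and anchor text that shows one
URL while the href points elsewhere. Standard library only."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (hypothetical, not a real phish). The display
# name impersonates a helpdesk address, the real sender is on another domain,
# and the first link's visible text does not match where it leads.
SAMPLE_EMAIL = """\
From: "helpdesk@example.com" <alerts@example.net>
To: staff@example.com
Subject: Action required: your password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires in 2 hours.
<a href="https://example-com.example.net/reset">https://sso.example.com/reset</a></p>
<p>Questions? See <a href="https://intranet.example.com/help">our help page</a>.</p>
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. A simplification that is wrong for
    public suffixes such as co.uk; use a public-suffix list in real code."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_sender(from_header: str) -> dict:
    """Split From: into display name and address, and flag a display name
    that itself contains an address on a different registrable domain."""
    display, addr = parseaddr(from_header)
    addr_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    lookalikes = [m for m in EMAIL_RE.findall(display)
                  if registrable_domain(m.split("@")[1]) != addr_domain]
    return {"display": display, "address": addr, "spoofed_display": bool(lookalikes)}


def check_links(html: str) -> list:
    """Return links whose visible text looks like a URL whose registrable
    domain differs from the href's. Plain-phrase link text is not judged."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        shown = urlparse(text if "://" in text else "http://" + text)
        if "." not in shown.netloc:  # visible text is a phrase, not a URL
            continue
        target = urlparse(href)
        shown_dom, real_dom = registrable_domain(shown.netloc), registrable_domain(target.netloc)
        if shown_dom != real_dom:
            findings.append({"text": text, "href": href,
                             "shown_domain": shown_dom, "real_domain": real_dom})
    return findings


def analyse(raw_message: str) -> dict:
    """Run both checks over a raw RFC 5322 message with an HTML body."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return {"sender": check_sender(str(msg["From"])),
            "subject": str(msg["Subject"]),
            "mismatched_links": check_links(html)}


if __name__ == "__main__":
    report = analyse(SAMPLE_EMAIL)
    print("Subject:", report["subject"])
    print("Real sender:", report["sender"]["address"],
          "(display name spoofed)" if report["sender"]["spoofed_display"] else "")
    for link in report["mismatched_links"]:
        print(f"Link shows {link['shown_domain']} but goes to {link['real_domain']}: {link['href']}")
```

The interesting output on the sample is the gap between what the recipient sees and what the message does, which is what 'hover over the link' is trying to expose manually. The same script run on a message that simply says 'please call me urgently on this number' reports nothing, which is why this kind of check is a tactic and not a defence.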
And, that's before we even talk about how much more confusing this all is when many legitimate emails look a bit phishy. I'll never forget the time that I received a legitimate email with this disclaimer at the bottom:
Cyber criminals evolve their tactics. When we just teach a tactical response to phishing, we don't build resilience and we fail to future-proof our defences. The best defence against phishing is a mindset.
For many years now, I've been teaching people to adopt an anti-phishing mindset when I deliver awareness-raising. And this is what I wanted to share in this blog post. Rather than training people in a tactical response to phishing, help them tune into an emotional response.
I teach people to tune into communications that:
make them feel something
ask them to do something
With this mindset as a foundation, I encourage people to then check with the supposed sender by another channel to see if it was legitimate - or, with corporate clients, to simply report it as a suspected phish. People will always click links or download attachments; encouraging them to report suspected phishes is far more important.
Not every phish will prompt an emotional response in the recipient. But the ones that do make the recipient feel worried, scared, curious, flattered or hurried are the ones that are more likely to be successful. They are the ones that cloud our judgement and push us into acting before we think.
I spoke about this in my session at the World Government Summit in Dubai last week. You can watch a recording of my talk here:
By developing (and teaching) an anti-phishing mindset, we move away from a tactical response to social engineering and into a strategic response. We empower people to be more resilient and we undermine the tactics of cyber criminals. They will keep evolving their methods - for example, I've been predicting for a while now that they are likely to start using deepfake technology more and more.
We need to change the rules of the game and elevate our response, away from tactics and into strategy.
To find out more about our cyber security awareness-raising services, get in touch.
And to be the first to receive our blog posts, sign up to our mailing list.