Researchers at the University of Plymouth recently demonstrated that a vast majority of phishing emails, whether they contain internal links or not, make it past email filters of leading email service providers, thereby leaving end users vulnerable to social engineering attacks.
In order to measure the effectiveness of email services in blocking phishing emails, researchers at the university's Centre for Security, Communications and Network (CSCAN) Research recently created a number of phishing emails by using content from archives of reported phishing attacks and sent these emails to specific email addresses.
The researchers also inserted web links in some of these emails in order to measure how effective email filters are in detecting phishing emails that may contain suspicious or malicious links.
To their surprise, the researchers found that as many as 75 percent of phishing emails (without links) and 64 percent of emails with links made it to users' inboxes without being blocked by email filters. The filters also labelled only 6 percent of the sent emails as malicious, indicating why phishing attacks are so popular among malicious actors.
"The poor performance of most providers implies they either do not employ filtering based on language content, or that it is inadequate to protect users. Given users’ tendency to perform poorly at identifying malicious messages this is a worrying outcome," noted Professor Steven Furnell, leader of CSCAN.
"The results suggest an opportunity to improve phishing detection in general, but the technology as it stands cannot be relied upon to provide anything other than a small contribution in this context," he added.
Commenting on the research findings, Stu Sjouwerman, founder and CEO of KnowBe4, said that instead of relying on email filters to defend against phishing emails, users need to be provided regular and ongoing security awareness training so that they can identify malicious or suspicious emails and know what steps to take to report and block them.
Regular training reduces users' vulnerability to phishing emails
A study carried out by KnowBe4 in June showed that imparting dedicated cyber security training to employees for prolonged periods goes a long way in helping them to detect and to respond to phishing attacks and social engineering tactics.
Based on the results of the study, KnowBe4 recommended that organisations should conduct baseline tests to assess Phish-prone percentage (PPP) of their employees and accumulate necessary data to measure future success, that they should conduct on-demand, interactive, and engaging computer-based training instead of using old-style PowerPoint slides, should carry out social engineering tests at least once a month, and keep measuring results with a goal to reduce PPP to zero.
"People are susceptible to phishing because these attacks exploit basic human nature, like curiosity and pride. Organisations would be wise to ensure that their users know about the potential dangers of clicking links and opening attachments in emails.
"Beyond user training, however, organisations should also monitor user and entity behavior to identify anomalous and suspicious actions. Machine learning algorithms can compare current behavior to previously baselined behavior. Behavior analytics provides the data to identify trends and spot outliers, so you can quickly remediate threats. The behavior is the tell. And, in this case, the behavior of the compromised account would be suspicious and would have been flagged as risky and anomalous by behavioral analytics," said Craig Cooper, COO of Gurucul.