Solving phishing is not simple - can anti-phishing training make it even worse?

Can phishing precautions and training cause harm? It turns out that in many cases they can.

Phishing is the act of gaining a victim’s confidence in order to get them to act against their own interests, or those of their peers or employer: opening an attachment or link that compromises their own systems, parting with money, or handing over data. It is a form of social engineering, and over internet channels such as e-mail or instant messaging it can be highly effective. Phishing is very often the entry point through which malware reaches the target organisation. When hundreds or thousands of employees receive the lure, the attack pays off even if only a single person falls for it.

It is also, in part, a cognitive attack on humans, and many defences respond by putting a toll on the user’s mental state. The “simple” demands to “be careful” or to “not click on suspicious links” (users generally do not click on links that look suspicious to them; the problem is the ones that don’t) all add friction to one’s work. Much of computerised work consists of clicking on things. Clicking is inevitable, so telling people not to click is not that helpful.

Phishing trainings...

To aid in this process, many companies engage external trainers or specialised firms, with mixed results depending on who is engaged. Some companies also run phishing exercises, or “audits”, in which employees are “tested”. In some cases such tests deliver pretty miserable results. The most harmful effects appear when employees are ridiculed or called out for falling for a phishing attempt. This simply does not work, and it may even hurt the company’s productivity.

Now it turns out that some of the “solutions” may be useless, as established by a very insightful piece of research performed in the real environment of a medium-sized organisation over a long duration (15 months). This is probably the most comprehensive phishing study to date. The most damning part of the findings: “...embedded phishing training, as commonly used in the industry today, can lead to unexpected side effects and even be detrimental …”.

So a lot of today’s anti-phishing hand-waving is not only ineffective; it may even be harmful. If you are not worried yet, there is more:

“we found that the combination of simulated phishing exercises and voluntary embedded training (i.e., employees were not required to complete the training) not only failed to improve employee’s phishing resilience, but it actually even made employees more susceptible to phishing. … Instead, such a training method may cause unexpected and negative side effects, such as increased susceptibility to phishing. This finding is significant because the tested phishing training delivery method is a common industry practice“.

So why would an organisation engage in anti-phishing measures that make the problem even more serious?

There are many reports of phishing training gone bad (e.g. here). The UK NCSC appreciates the risks of phishing your own employees. Perhaps some organisations want a shortcut to “doing something”. The result will then also be “something”.

What works?

Email warnings: once a campaign has been detected, let employees know that something is going on and that they should be extra careful with messages matching it.

Coordinated and crowd-sourced submissions: a simple mechanism for reporting “suspected phishing emails” can be highly effective. It can be as simple as a button in the mail client that forwards the message as a suspected phish. Submitted messages are then inspected by internal or external handlers, who act accordingly if it is phishing. Of special note is that a single report can reveal a campaign that has reached many mailboxes, so this method may uncover new phishing campaigns and is not entirely reactive.
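The handler side of such a reporting button can be partly automated. The following is an added example, not code from the original post: it assumes the button delivers the reported message to the handler as a raw RFC 822 file (.eml) and runs a few cheap triage checks on it (sender versus Reply-To/Return-Path domains, SPF/DKIM/DMARC results from the Authentication-Results header, and link text that points somewhere other than it shows). The sample message is constructed for this example; the findings are hints for the handler, not a verdict.

```python
"""Triage helper for employee-reported phishing messages (added example).

Assumes the report button hands the handler a raw .eml; the sample below is
constructed for this example and impersonates an internal HR portal.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (hypothetical domains).
SAMPLE_EML = b"""\
From: "HR Department" <hr@example-corp.com>
Reply-To: hr-support@mail-example-corp.net
Return-Path: <bounce@mail-example-corp.net>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=mail-example-corp.net; dkim=none; dmarc=fail header.from=example-corp.com
To: alice@example-corp.com
Subject: Action required: confirm your payroll details
Content-Type: text/html; charset="utf-8"

<html><body><p>Your payroll record must be confirmed within 24 hours.</p>
<p><a href="http://example-corp.com.payroll-update.xyz/login">https://hr.example-corp.com/payroll</a></p>
</body></html>
"""

BAD_AUTH = {"fail", "softfail", "permerror", "temperror"}


def _domain(addr: str) -> str:
    """Lower-cased domain of an address header value, '' if none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw: bytes) -> dict:
    """Return subject, sender domain, URLs and a list of findings for one report.

    An empty findings list does not mean the message is safe; a handler still looks.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Envelope/reply addresses that do not match the visible sender.
    from_dom = _domain(str(msg.get("From", "")))
    for hdr in ("Reply-To", "Return-Path"):
        dom = _domain(str(msg.get(hdr, "")))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")

    # 2. Authentication results recorded by our own MX (spf=..., dkim=..., dmarc=...).
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) in BAD_AUTH:
            findings.append(f"{mech} result is {m.group(1)!r}")

    # 3. Links: visible text vs real target, and lookalike hosts embedding our domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(content)
        links = collector.links
    else:
        links = [(u, u) for u in re.findall(r"https?://\S+", content)]
    for href, text in links:
        shown = _host(text) if text.startswith(("http://", "https://")) else ""
        real = _host(href)
        if shown and shown != real:
            findings.append(f"link text shows {shown!r} but points to {real!r}")
        if from_dom and real != from_dom and not real.endswith("." + from_dom) and from_dom in real:
            findings.append(f"lookalike host {real!r} embeds sender domain {from_dom!r}")

    return {"subject": str(msg.get("Subject", "")), "from_domain": from_dom,
            "urls": sorted({href for href, _ in links}), "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_EML)
    print(report["subject"], report["from_domain"], report["urls"])
    for f in report["findings"]:
        print(" -", f)
```

Run against the sample, the script flags the mismatched Reply-To and Return-Path domains, the SPF and DMARC failures, the link whose text shows the real HR host while pointing at a lookalike, and the lookalike host itself. The same findings, collected across several reports of the same subject or URL, are what turn one employee's click of the button into a campaign-level response.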

Summary

Phishing is a big risk. Solving it is difficult, and we should disregard the ritual calls for “more education…” or “more awareness…”. Naive training may be harmful, even if it is profitable for the companies selling it.

What works best is to accept that phishing is a cognitive attack and, as such, can be highly effective. Some “precautions” can backfire and put a significant mental toll on users. Active solutions such as crowd-sourced reporting and analysis are one possible way forward.

What does not work is shaming users. Instead of fighting phishing, one may inadvertently destroy trust within the organisation. Then not only is phishing not “solved”, there are also new self-inflicted problems to handle.