Why does Phishing work?
Phishing attacks work because we’re human. That sounds crazy. But it’s also true. Humans make mistakes.
There’s something to it - cybercriminals continue using the exact same medium (i.e. email), we know they’re coming, yet it keeps working.
You constantly hear about new attacks, and get this - regardless of how simple or complex an attack is, nearly every single one starts with a simple Phishing email.
We know all this, so it should be avoidable, right? If only…
The originality and creativity of successful cybercriminals isn’t in the delivery medium (i.e. email). That’s standard. The difference comes into play in the timing, content and appearance of the actual Phishing emails.
And here’s where the human part comes in…
Humans are emotional beings.
We get stressed.
We get excited.
We get anxious.
We get tipsy. (Don’t try me - I know you’ve checked your email at happy hour!)
The list goes on…
And in each one of these different situations, we can react differently.
When you’re sitting in your office and just took your latest cybersecurity training, you’re probably hyper-aware of a potential Phishing email.
When you’re working from home with kids shouting and the phone ringing, you may stumble over that exact same Phish.
Let’s take a look at how Phishing stacks up against defenses:
Phishing vs Spam Filters:
- It takes just one successful Phish to gain entry
- Anyone can send thousands of emails in seconds
- It costs nearly nothing to send a Phishing email
Even if your Spam Filter stops 99.99% of attacks, attackers simply send a few million emails (yes, very possible). Out of a million, 0.01% still adds up to hundreds of Phishing emails landing in your team’s inboxes!
Sidebar: This is not a knock on spam filters. Quality spam filters are a must! Just be aware that they can’t stop everything.
Phishing vs Psychology:
Getting Phishing victims to click on emails is a battle of the wits. The best Phishing emails come from the real-world. They look like normal emails we see every day. Why wouldn’t they? It’s WAY easier for a cybercriminal to copy that UPS delivery notice than to create something from scratch. Remember that whole copy and paste function!
Hackers will keep experimenting until they find the Phish that hooks someone on your team. And recall from above, it’s really easy to send a lot of Phishing emails!
This is exactly why organizations implement Security Awareness Training programs with regular Phishing simulations. Trained employees are wildly more successful in avoiding Phishing attacks - saving your behinds from legal, financial and reputational losses.
Phishing vs Law Enforcement
When a bank robber fails, they’re swiftly sent off to prison. In prison, it’s much harder to hone your bank robbing skills.
No so with Phishing. It’s still illegal, but Phishing emails can be sent from anywhere in the world. So pick your favorite location without a US extradition treaty and begin the practice. Practice makes perfect, right?
In the physical world, you better get that attack right the first time.
In the digital world, a failed attack is simply practice for the next.
So what makes Phishing work so well?
- It’s cheap to send lots of emails.
- There’s little to no legal risk in getting discovered.
- Untrained employees exist everywhere.
Against untrained and unprepared employees, a successful Phishing attack is just a matter of time.
Your employees play a critical role in protecting your organization.
Shouldn’t Security Awareness Training be a critical piece of your security culture?
Are you ready to take action?
We make it easy to Train your team effectively and easily. Find out how to protect your team with INFIMA's Automated Security Awareness platform.
Start with a quick demo - hit us up