Why User Training Fails to Stop Phishing and Ransomware
© 2022 Clyde Consulting LLC


I have concluded that anti-phishing user awareness training and testing do not stop successful phishing attacks or ransomware infections. Phishing targets human fallibility and we cannot train humans to never fail. I’m sure that some may have a different viewpoint, so I’m going to explain how I came to this conclusion and discuss ways we might better protect ourselves.

Ransomware and other attacks involving malicious code continue to increase in both sophistication and frequency. A common way that ransomware and other malware get into our systems is through phishing. Phishing is when attackers send targets a fake message that looks legitimate, via e-mail, social media or text message, containing links or attachments that, if the target clicks on them, can infect the victim’s endpoint with malicious code. Once one endpoint is infected, the malicious code can spread to other parts of the enterprise, resulting in data breaches, ransomware, or other types of damage.

A successful phishing attack can lead to damaging ransomware attacks and data breaches

There are also phishing attacks that take the victim to a web site the attackers have set up, which tries to get that person to enter a password, credit card number, banking information or other sensitive information. Those attacks are also troubling, but I worry more about endpoints and networks becoming infected with ransomware and malware.

My “Ah Ha” Moment

A few years ago, when I was serving as a CEO, I received an e-mail message that looked like it came from my CFO with a request and link to click on. His e-mail address looked correct. However, I noticed that the e-mail called me Robert when my CFO always called me Rob. Suspicious, I dug a bit deeper into the information about where the e-mail really came from and saw that it was a phishing attack and that clicking the link could have led to malicious code infecting my endpoint and from there perhaps our network.

Would I really be 100% successful at detecting all phishing attacks—forever?

This got me thinking. Even though I am a long-time cybersecurity professional, would an attack that used my nickname have been successful? Even more thought-provoking, given the number of requests and e-mails I plow through every day, would I really be 100% successful at detecting all phishing attacks? Despite pride in my cybersecurity knowledge, after a bit of introspection I realized that 100% success, forever, was highly unlikely, and without luck, failure was inevitable.

Why Anti-Phishing User Training and Testing Doesn’t Work

While I strongly believe in user security awareness training in general and ongoing training, education, and certifications for IT, cybersecurity and other professionals, I have concluded that any program trying to train users to accurately detect all phishing attacks will fail. Even IT and cybersecurity professionals will sometimes fail to detect sophisticated phishing attacks. By using artificial intelligence or doing background investigations on their victims, today’s attackers can generate targeted phishing attacks that are nearly impossible for humans to detect consistently, especially if we also plan on actually getting any work done during the day.

Nevertheless, many organizations spend time and money trying to train users to manually detect phishing attacks. Often organizations will run a test by sending out fake phishing attacks in e-mails or even social media to employees to see if somebody will click on any of the links or attachments. Unless there are only a handful of users in the test, these tests always find some people that fail.

There will always be some people who fail to detect phishing

This results in an interesting conundrum. Do you punish the failing employees? Force them to take more training? Put a black mark in their personnel file? Put them on probation? Terminate their employment? None of these are great choices, especially when enterprises are already struggling to find and retain talent.

These failing users probably include highly productive employees and management. So, do you really want to punish hardworking employees? And, yes, forcing them to take remedial anti-phishing training is a punishment no matter how much you try to sugar coat it.

You know that next time you run the test, some employees who previously passed will fail. In fact, you probably already know that a significant percentage will fail—unless your test does not match the sophistication of today’s attackers (which is not a real-world test). Terranova’s 2021 phishing benchmark test showed that 19.8% of users failed. The stakes are high. A single person failing to detect a live phishing attack could result in dangerous malware or ransomware infecting the organization, potentially bringing an enterprise to its knees, and causing tremendous damage.

A single successful phishing attack can cause tremendous damage

So, you need to have 100% of users pass a strong real-world phishing test, every time, to be certain that your organization will not fall victim to a phishing attack and by extension ransomware. Since that goal is impossible (even 99.9% looks impossible), why continue anti-phishing user training and testing programs? I suggest that it would be better to first spend your time and money implementing things that can succeed.

What Works Better than Anti-Phishing Training

While anti-phishing user training may help reduce the number of successful simplistic phishing attacks, there are technologies that can easily do better. In fact, there are technologies that are very successful at stopping the sophisticated phishing attacks as well. Before spending more time and money on a program that won’t protect you, why not look at some technologies that do?

Technology is already far better at stopping phishing attacks than trained users

Most enterprises implement Endpoint Protection, which includes malware detection and prevention. No malware detection technology is 100% successful; some malware can get through. Moreover, many attackers are well backed financially (some by organized crime or a nation state) and will often test their attacks against all the major endpoint protection products on the market before launching them. This makes a successful attack against a targeted victim more likely. So traditional endpoint protection, while important and useful, is not enough to stop all phishing attacks.

E-mail Security technologies scan e-mails for potentially malicious attachments, links and other tell-tale signs that a message might be dangerous. When they find suspicious ones, they block them or mark them as suspicious. I recommend using these technologies, but they suffer from the same drawbacks as endpoint protection’s anti-virus detection. No e-mail scanning technology is 100% accurate at detecting and blocking malware. In addition, there are sometimes false positives that block legitimate messages. Moreover, attackers often test their malicious attacks against e-mail security technology as well. Some organizations may attempt to block all attachments and links, but this can seriously impede productivity and cause employees to find alternate ways to connect directly to the Internet for e-mail, such as through the cellular network.

Despite the shortcomings of endpoint protection and e-mail security, I recommend implementing both if, like most enterprises, you haven’t already. Properly configured, these technologies will do a better job than human beings trying to detect phishing messages. In addition, I strongly recommend implementing two additional technologies that you may not have: Web Isolation and App Trust-Listing.

Web Isolation or remote browser isolation separates the browsing session from the user by doing the actual browsing on a remote server session either in the cloud or on premise. Strong, non-porous web isolation can ensure that when a user is using a browser, including when reading e-mail or social media, that any code from that session is only executed on the remote server session, not on the user’s endpoint. This includes any browsed e-mail links, attachments, or social media links—effectively blocking phishing attempts from infecting users’ endpoints. Non-porous web isolation solutions transform the browsing content and code on the remote session into a safe video stream of pixels with no code and, therefore, no malware, transmitted to the user’s endpoint.

App Trust-Listing is akin to traditional whitelisting, but is more robust and easier to manage. It ensures that only known good code that is in the list of trusted apps can execute. So, if malicious code arrives on an endpoint system (e.g., desktop, mobile device, server, etc.), it won’t execute since it is not in the list of trusted apps.

Attackers have sometimes successfully stolen legitimate private keys for code signing to use with malware, such as in the recent case with NVIDIA and many others. So, if only certificates are used for determining whether software is on the known good list to trust, attackers could create malware that is signed with a valid certificate that is on the list. To combat this risk, I recommend using an app trust-listing solution that has multiple methods in addition to certificate checks to determine whether the code can be trusted. Strong web isolation also protects against phishing attacks that deliver malware carrying a legitimate certificate. Also, endpoint protection and e-mail security may offer some protection in such cases.
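As an added example (not code from the article or from any product it mentions), here is how an app trust-listing policy can require more than a certificate before allowing execution, which is what the paragraph above recommends. The publisher names, hashes, paths and binary contents are constructed, and the endpoint agent is assumed to have already verified the signature cryptographically and to hand this policy the signer's name.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class TrustPolicy:
    """Trust signals an administrator maintains (all values here are constructed)."""
    trusted_signers: set = field(default_factory=set)   # accepted publisher names
    trusted_hashes: set = field(default_factory=set)    # SHA-256 of approved binaries
    admin_paths: tuple = ("/usr/bin/", "/opt/corp/")     # writable by administrators only


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(policy: TrustPolicy, path: str, signer, data: bytes):
    """Decide whether a binary may execute; returns (allowed, signals_met).

    Each signal is weak on its own: a stolen signing key makes `signer` lie,
    a hash list alone breaks on every legitimate update, and a path rule alone
    trusts anything ever installed by an admin account. Requiring at least two
    independent signals means malware signed with a stolen key but dropped into
    a user-writable directory is still refused. `signer` is the verified
    publisher name, or None if the file is unsigned or the signature is invalid.
    """
    signals = {
        "trusted signer": signer in policy.trusted_signers,
        "approved hash": sha256_hex(data) in policy.trusted_hashes,
        "admin-only path": any(path.startswith(p) for p in policy.admin_paths),
    }
    met = [name for name, ok in signals.items() if ok]
    return len(met) >= 2, met


# Constructed stand-ins for real executables and for the administrator's lists.
LEGIT_BIN = b"\x7fELF legit build 1.0"
MALWARE_BIN = b"\x7fELF dropped by a phishing attachment"
POLICY = TrustPolicy(trusted_signers={"CN=Example Corp"},
                     trusted_hashes={sha256_hex(LEGIT_BIN)})


def demo():
    # Approved build with a valid signature: two signals, allowed.
    a = evaluate(POLICY, "/opt/corp/agent", "CN=Example Corp", LEGIT_BIN)
    # Malware signed with a stolen Example Corp key, unknown hash, user directory: denied.
    b = evaluate(POLICY, "/home/user/Downloads/invoice", "CN=Example Corp", MALWARE_BIN)
    # Unsigned legacy tool that an admin installed and hash-approved: allowed.
    c = evaluate(POLICY, "/usr/bin/legacy-tool", None, LEGIT_BIN)
    return a[0], b[0], c[0]


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```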

Conclusion

Phishing works because the attacker only needs one person in your enterprise to fall victim to it. User training and testing can help with human fallibility, but cannot eliminate it. Today’s increasingly sophisticated attacks make it even more likely that people will fail to detect phishing messages. Endpoint protection, e-mail security and other technologies easily out-perform anti-phishing user training and testing. Additional technologies like web isolation and app trust-listing can eliminate nearly all the risk of infection from phishing attacks. While technology also has pros and cons, we have already reached the point where it is far superior to humans at stopping phishing attacks.

Aaron M.

Director, InfoSec & GRC | CRISC | Veteran

10 months

There are phishing training platforms out there that are better at identifying and training on individual user susceptibilities until they repeatedly identify the tactic. Run-of-the-mill is of course not effective because social engineering is psychological. Generic phishing sims are still in full force by some big companies in the market, but I recommend the industry start shifting towards those vendors that are taking the individual, susceptibility-based approach instead of the old check-the-box platform. Gamification, in some forms, is also a game changer. If users are looking for points, they are looking for phishing messages, which means your reporting rate should go up.

Winston Hayden

Executive Advisory and Management Consulting - Information Technology Governance & Security

3 years

I'm so pleased that Rob Clyde has said exactly what I have been saying for years: technology solutions are not perfect, but they are way more effective than placing reliance on awareness exercises.


Technical controls can really help to augment the human when seeking to gain critical advantage, whether that's keeping phishing attacks at bay, or flinging a fast jet round the sky - training only gets you so far... ;-)


Interesting outlook Rob - I guess that (cynically) the unstated advantage of phishing training is that it allows the security team to blame the victim, though I think public opinion is now beginning to see through that strategy. The other aspect worth considering is that when you have expensive specialist personnel, every minute spent on things that aren't their core function is an overhead. That doesn't mean that training isn't useful, but it does need to be cost-justified. As a result, when making business cases for investment in security tools, we should probably be factoring in any reduction in training overheads that can be delivered as well as the reduction in risk - and that doesn't need to be a complete elimination of some training, just potentially making it less time-intensive. Quite big impacts when spread across an entire user population!
