Phishing attacks will always be successful because they’re not attacks on technology, they’re attacks on human nature.
As Danny Bradbury points out in SC Magazine, “Successful data breaches need not require expensive technology, massive deceptions, or even expertly faked credentials. Sometimes all it takes is a phone call to the help desk and a request for assistance logging in. You do not even have to be a legitimate user if you are convincing enough.”
That’s how the greatest hacker in history, Kevin Mitnick, accomplished most of his exploits: not by brute-forcing his way into computer systems, but by calling up companies and asking for help. People want to help those in need, and unfortunately, that leads to successful phishing attacks.
“Social engineering is one of the least expensive, most powerful tools in a hacker’s toolbox,” Mr. Bradbury points out. Social engineering relies on six principles, first identified by Robert Cialdini in his book, The Psychology of Persuasion:
- Social proof
You can be sure, if a hacker targets you using social engineering they’ll be using one of these six principles. And phishing is the most prevalent use of social engineering.
Can phishing attacks leveraging social engineering be stopped? Not completely. It would be naïve to think that any amount of security awareness training can prevent every possible form of social engineering. After all, we’re human. But that doesn’t mean employees shouldn’t get awareness training.
Can technology alone protect us from social engineering? Not completely, but like awareness training, it’s better than not having it. In fact, the combination of awareness training and phishing prevention technology is a powerful defense force.
When you’re ready to incorporate awareness training into your phishing defense, there are plenty of options out there including the free, open-source phishing framework GoPhish.
When you’re ready to deploy our cloud-based email security with real-time phishing protection, it stops ransomware, blocks malicious websites and comes with real-time link click protection. There are no contracts to sign. It comes with a 30-day money-back guarantee, and you can be up and protected in 10 minutes.
Phishing attacks will always be successful. But you can take steps to drop their success rate down to next to nothing.