
Is it time to re-evaluate phishing education? 

When an estimated 90% of successful cyberattacks start with a phishing campaign, it’s critical that people are aware of, and alert to, the tactics used. To do this, organisations are placing increased emphasis on educating employees about phishing techniques, creating a first line of defence against these potentially harmful attacks.  

The traditional approach to phishing awareness and education focuses on identifying common “red flags,” such as poor spelling and grammar, and urgent requests for personal information. However, these methods are becoming less effective against increasingly sophisticated cyber threats.

How are phishing threats adapting? 


Recently, cybercriminals have turned to Artificial Intelligence (AI), and particularly Large Language Models (LLMs), to create more advanced attacks that can bypass conventional security measures. One area where these are having a significant impact is the creation of phishing emails.
 

These harmful messages are now intelligently crafted using AI algorithms, enabling cybercriminals to imitate the language, tone, and style of legitimate correspondence with remarkable accuracy. This level of imitation is so convincing that the old rule of “checking for spelling errors” is becoming far less reliable for spotting phishing attempts.

AI-Enhanced spear phishing 


Not only has AI made mass phishing attacks more accurate, it has also made spear phishing a lot more accessible.
Unlike mass phishing, spear phishing is targeted towards specific individuals or groups.  

Previously, executing a successful spear phishing attack required a significant amount of time, research, thought, and skill. However, AI has changed the game by enabling the rapid gathering of valuable information from the internet. It can even learn, and mimic, someone’s writing style with remarkable accuracy, as well as create realistic deepfake images and voices that can be used to deceive people.  

Imagine receiving an email that not only replicates your company’s internal language but also mentions your current projects and future appointments. Furthermore, deepfake videos can convincingly impersonate high-ranking executives, creating a cyberattack that’s almost indistinguishable from the real thing. 

Don’t think it could happen? It already is: 
https://gizmodo.com/deepfake-ai-scammer-money-wiring-china-1850461160 
‘Deepfake’ Martin Lewis Scam | Good Morning Britain 

New threats, new advice 


When it comes to avoiding phishing attacks, some advice still holds true. It’s still important to check the URLs, email addresses, and links in emails to make sure they’re from legitimate sources. Additionally, you always need to be cautious when opening attachments, even from sources you trust. These things may never change.
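The link and sender checks described above can also be automated for a first-pass triage of reported emails. The following is an added example, not code from the original article: it parses a constructed sample message and flags a sender domain that is not on an assumed trusted list, and any link whose visible text names one host while its href points at another. All names and domains in the sample are placeholders.

```python
# Added example (not from the article): flags two of the red flags the text
# names, a sender domain that is not the organisation's own and a link whose
# visible text names one host while its href points at another.
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_SENDER_DOMAINS = {"example.com"}  # assumption: the organisation's domain

RAW_EMAIL = b"""From: Finance Team <finance@example.com.login-check.test>
Content-Type: text/html

<p>Please <a href="https://example.com.login-check.test/confirm">
visit https://example.com/confirm</a> to confirm your details.</p>
"""  # constructed sample message; every name and domain is a placeholder


class LinkCollector(HTMLParser):
    """Collect (href, words of visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).split()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def find_red_flags(raw):
    """Return human-readable findings for one raw email message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    sender_domain = msg["from"].addresses[0].domain.lower()
    if sender_domain not in TRUSTED_SENDER_DOMAINS:
        findings.append(f"sender domain not trusted: {sender_domain}")
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, words in collector.links:
        shown = [host_of(w) for w in words if "://" in w]  # URL written in link text
        if shown and shown[0] != host_of(href):
            findings.append(f"link text shows {shown[0]} but points to {host_of(href)}")
    return findings
```

Running `find_red_flags(RAW_EMAIL)` on the sample reports both the untrusted sender domain and the mismatched link; a message whose links and sender match the trusted domain returns no findings.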
 

However, the evolving landscape mandates some new approaches be added: 

Manual Multi-Factor Authentication (MFA) 


In our pursuit of stronger cybersecurity practices, Multi-Factor Authentication (MFA) stands out as a vital and effective layer of protection against phishing attacks. While automated verification systems have their merits, relying solely on them is akin to leaving one’s front door unlocked and trusting in a security camera to deter burglars. The reality is that determined cybercriminals can often circumvent automated safeguards, making additional layers of security imperative.
 

MFA goes beyond the typical username and password combination, introducing an extra layer of verification. This multi-pronged approach significantly bolsters your defences, even when a malicious actor manages to acquire login credentials. 

However, the importance of MFA isn’t limited to authentication alone. It also ties into a critical aspect of combating phishing: verification. When you encounter an email that raises suspicions, the first instinct should not be to trust the automated “verified sender” label. Instead, take the initiative to cross-verify through known, trusted channels. 

For instance, if you receive an email requesting sensitive information, reach out to the supposed sender independently. Use a verified phone number obtained from a trusted source, like the organisation’s official website or a previous email. Avoid using any contact information provided within the suspicious message itself, as it could be manipulated by the attacker. 

In some cases, if the stakes are high, consider going the extra mile by arranging a face-to-face meeting. While not always feasible, this approach can provide an added layer of assurance, especially when dealing with critical matters. 

Rethinking cybersecurity & phishing education 


In the dynamic landscape of cybersecurity, where threats are continually evolving and cybercriminals are becoming increasingly sophisticated, the traditional one-size-fits-all approach to cybersecurity education has grown outdated. It’s now evident that relying on generic training that treats all users and organisations as if they face identical threats is not only ineffective but potentially detrimental to our overall security posture.
 

Gone are the days when hackers could be dismissed as mere amateurs who struggled with basic spelling and grammar. The modern threat landscape is populated by highly skilled individuals and organised groups who leverage advanced technologies and tactics to carry out their attacks. These adversaries are far from the stereotypical “script kiddies” or Nigerian Princes of the past. As such, clinging to outdated assumptions about the capabilities of cybercriminals is not just naïve but also dangerous. 

To truly enhance our cyber defences, it’s imperative that we re-evaluate our approach to cybersecurity education. This involves tailoring security policies and training programs to reflect the sophistication and adaptability of contemporary threats. Here are a few key aspects to consider: 

  • Customised Training Programs: Organisations should move away from generic cybersecurity training modules and instead develop customised programs that address their specific needs and vulnerabilities. Training should be designed to align with the unique risks faced by different departments and roles within the organisation. 
  • Realistic Simulations: Instead of relying solely on theoretical knowledge, cybersecurity training should incorporate realistic simulations of phishing and other cyberattacks. These simulations can help employees develop practical skills and experience in recognising and responding to threats. 
  • Continuous Learning: Cyber threats evolve rapidly, and so should our cybersecurity education efforts. Implementing a culture of continuous learning, where employees are encouraged to stay updated on emerging threats and best practices, is essential. 
  • Threat Intelligence Integration: Incorporating threat intelligence into training can provide valuable insights into the specific threats targeting an organisation. This data can help employees understand the evolving nature of cyber threats and adapt their behaviours accordingly. 

By embracing a more nuanced approach to cybersecurity education, we can better prepare individuals and organisations to confront the ever-evolving challenges posed by cyber threats. It’s not just about staying ahead of the curve; it’s about recognising that the curve itself is constantly shifting. Customised and proactive education is not just wise; it’s an essential step towards building a robust defence against the multifaceted threats of today’s digital world. 

A call for continuous adaptation 


It is abundantly clear that relying on outdated practices like scrutinising phishing emails for spelling errors is no longer a viable defence strategy. Similarly, the once-prevalent notion that regularly changing passwords provides robust security has been debunked by the relentless advance of technology and the increasing sophistication of cyber adversaries.
 

Today’s cybercriminals are armed with cutting-edge tools and techniques that can effectively sidestep conventional security measures. Their ability to craft convincing and highly targeted phishing emails, virtually indistinguishable from legitimate communication, demonstrates the pressing need for a shift in our cybersecurity approach. 

Our strategies and educational approaches must evolve in tandem with these ever-adapting threats. Cybersecurity is not a static endeavour but a dynamic field that necessitates continuous vigilance and adaptation. The effectiveness of our defences hinges on our ability to shift with the threats, embracing innovative technologies and methodologies that empower us to counteract emerging threats effectively. 

Looking for more than just a test provider?

Get in touch with our team and find out how our tailored services can provide you with the cybersecurity confidence you need.