Phishing is still the most common way for cyber attackers to gain entry into networks – whether for financial gain or espionage, ZDNet reports.
Phishing is a fraudulent attempt to obtain sensitive information by disguising oneself as a legitimate institution or person in an email, phone call, or text message. It usually starts with a message designed to make the target click a link or outright reveal sensitive information about themselves or the company they work for.
However, experts believe that blaming the victims rarely solves anything, as phishing emails can now be so highly tailored that they are almost impossible to recognize.
“We need to remember that not every employee has been hired as a security professional – security isn’t in every employee’s job description,” Tim Sadler, chief executive officer of email security provider Tessian, told ZDNet.
Sadler explained how easy it is to find out what a company’s email addresses look like, which lets an attacker impersonate someone in authority and use that persona to target employees the attacker has already identified on social media sites.
“When people send spear-phishing emails, they’re taking on the persona or identity of a trusted person. That personalization makes it highly effective in terms of getting the target to comply with the request, pay the invoice, do what they need to do,” he said.
Amanda Widdowson, cybersecurity champion for the Chartered Institute of Ergonomics & Human Factors and human factors capability lead for Thales Cyber & Consulting, advised organizations to understand their employees’ jobs and what those jobs require, so that their security policies allow employees to do their work not only reasonably but also safely and securely.
She added that the only way phishing can be solved for good is by creating email and cybersecurity policies focused on the needs of the users and by building software that automatically detects suspicious emails – emphasizing that improving the technology is more productive, and therefore more important, than simply blaming the victims.
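To make the recommendation concrete, here is an added example (not code from the ZDNet article, Tessian or Thales) of the kind of automated check Widdowson is calling for. It applies the impersonation pattern Sadler describes: a trusted colleague’s display name on an address that is not theirs, a sender domain that merely looks like the company’s, or a Reply-To that quietly redirects the conversation. The company domain `example.com`, the small directory of known senders, and the sample messages are all constructed assumptions for the demonstration.

```python
"""Flag inbound emails that appear to impersonate a trusted internal sender.

Added example for illustration; not code from the article or the vendors it quotes.
Assumes a hypothetical company domain and sender directory (below); the sample
messages are constructed, not real traffic.
"""
from email.utils import parseaddr

# Hypothetical organisation data (assumptions for this example).
COMPANY_DOMAIN = "example.com"
KNOWN_SENDERS = {
    "alice doe": "alice.doe@example.com",  # e.g. the chief executive
    "bob roe": "bob.roe@example.com",      # e.g. the finance lead
}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_findings(headers: dict) -> list:
    """Return the reasons a message looks like sender impersonation (empty = clean).

    headers: mapping of header name -> value, as a mail filter would see them.
    """
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = _domain(addr)
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)

    # 1. A known colleague's display name attached to an address that is not theirs.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' does not match known address {expected}")

    # 2. Sender domain is a near-miss of the company domain (typo-squat / lookalike).
    if from_domain and from_domain != COMPANY_DOMAIN \
            and _edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_domain}")

    # 3. Replies would go somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    return findings


# Constructed sample messages (not real traffic).
SAMPLES = [
    {"From": "Alice Doe <alice.doe@example.com>"},
    {"From": "Alice Doe <alice.doe@gmail-mail.invalid>"},
    {"From": "IT Helpdesk <helpdesk@examp1e.com>"},
    {"From": "Bob Roe <bob.roe@example.com>", "Reply-To": "bob.roe@attacker.invalid"},
]


def scan(samples=SAMPLES) -> dict:
    """Map each sample's From header to its findings; an empty list means nothing flagged."""
    return {s["From"]: impersonation_findings(s) for s in samples}


if __name__ == "__main__":
    for sender, reasons in scan().items():
        print(sender, "->", reasons or "ok")
```

Only the first sample passes cleanly; the other three are each flagged for a different reason. In practice a filter like this sits alongside SPF, DKIM and DMARC rather than replacing them, and its value is that it reasons about what the recipient sees (the display name) rather than only about what the sending infrastructure asserts.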
“Ultimately, people are just trying to do their jobs and cybersecurity incidents are caused unintentionally – people aren’t malicious in most cases,” Widdowson told ZDNet.