Why Most Phishing Prevention Advice Falls Short
Quick Answer
Most phishing prevention advice tells people to be more careful: train users, watch the bank, double-check sender addresses, set BEC contingency plans, build manual controls. The advice is not wrong, but it is incomplete because it puts the entire defense on humans. If awareness alone could stop phishing, BEC would not still dominate the FBI IC3 report. The missing layer is cloud-based email security with real-time link click protection: messages are rerouted through a filtering service that scans content and follows links to their final destination before delivery, so phishing mail never lands in the inbox. Awareness training plus a filtering layer with click-time URL inspection covers both the human and the technical attack surface, which is what serious phishing prevention requires.
Phishing attacks are everywhere, and so is advice on how to prevent them. None of that advice is wrong; it is just woefully incomplete.
A recent article on the Security Week website, Business Email Compromise Still Reigns, discusses the FBI’s annual Internet Crime Complaint Center (IC3) report and why business email compromise (BEC), a type of phishing attack, is so prevalent.
The article then goes on to offer advice on ways to mitigate BEC attacks. It includes the following:
- Update security awareness training
- Develop BEC contingency plans
- Build in manual controls
- Monitor for exposed credentials
- Conduct ongoing assessments
- Set limits for third parties
Notice anything missing?
Another article on the PC Buyer’s Guide website, Most Common Phishing Scams and What You Can Do to Avoid Them, also offers some suggestions. These include “make sure to double check emails from your bank” and be cautious when “posting personal information and updates on social media.”
Figured out what’s missing yet?
All this advice offered by these well-meaning resources depends on one thing: people. People need to be more aware, people need to be more cautious, people need to be better trained, people need better procedures.
There’s just one problem with this line of thinking. If awareness alone could prevent phishing attacks, they would have ceased long ago. They haven’t. Instead, they continue to grow. Perhaps it’s time to find some new advice.
So, what is missing from the list? How about cloud-based email security with real-time link click protection.
The most reliable way to prevent BEC and every other form of phishing is to keep the threatening email out of the inbox in the first place. A cloud-based email security service sits in front of your mail server: inbound mail is rerouted to the provider (typically by pointing the domain’s MX records at it), where each message is scanned for malicious content, attachments and links, and any link is followed to its final destination, before the message is forwarded to you. Detected phishing emails are blocked or quarantined. Real-time link click protection typically adds a second check: links in delivered mail are rewritten to pass through the service, so a destination that was clean at delivery time but later turned malicious is still caught at the moment the user clicks. One caveat a practitioner should keep in mind: many BEC messages carry no link or attachment at all, only a plain-text request to change payment details, so the filtering layer complements the awareness and process controls listed above rather than replacing them.
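The following is an added example, not code from the original article or from DuoCircle, of the two mechanisms just described: rewriting every link in a message so the click is routed through the filtering service, and, at click time, verifying the link was not tampered with, following the redirect chain to its final destination, and blocking it if the destination is on a blocklist. The proxy hostname, signing key, blocklist and the redirect chain are all constructed for the demonstration; a real service would fetch the URLs over the network instead of using the `fake_fetch` table.

```python
"""Click-time link protection: rewrite links at delivery, resolve and judge them at click."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Hypothetical values: a real service loads these from configuration.
SIGNING_KEY = b"constructed-demo-key"
CLICK_PROXY = "https://click.filter.invalid/go"
BLOCKED_HOSTS = {"login-verify.invalid"}          # constructed blocklist

HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)

# Constructed redirect chain: shortener -> tracker -> credential-harvesting page.
REDIRECTS = {
    "https://short.example/abc": (302, "https://track.example/r?x=1"),
    "https://track.example/r?x=1": (301, "https://login-verify.invalid/office365"),
}


def fake_fetch(url):
    """Stand-in for an HTTP HEAD/GET: returns (status, Location header or None)."""
    return REDIRECTS.get(url, (200, None))


def sign(url):
    """HMAC over the original URL so a user (or attacker) cannot swap the target."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(html):
    """Replace every http(s) href with a signed proxy URL that goes through the filter."""
    def repl(match):
        original = match.group(1)
        return 'href="%s?u=%s&t=%s"' % (CLICK_PROXY, quote(original, safe=""), sign(original))
    return HREF_RE.sub(repl, html)


def resolve_final(url, fetch, max_hops=5):
    """Follow redirects to the final destination, bounded so a redirect loop cannot hang us."""
    chain = []
    for _ in range(max_hops):
        chain.append(url)
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, chain
        url = location
    return url, chain   # hop limit reached: judge the last URL seen


def classify_click(proxy_url, fetch):
    """Decide 'reject' (forged link), 'block' (bad destination) or 'allow' at click time."""
    params = parse_qs(urlparse(proxy_url).query)
    original = params.get("u", [""])[0]
    token = params.get("t", [""])[0]
    if not original or not hmac.compare_digest(token, sign(original)):
        return "reject"
    final, _ = resolve_final(original, fetch)
    host = urlparse(final).hostname or ""
    if host in BLOCKED_HOSTS or any(host.endswith("." + b) for b in BLOCKED_HOSTS):
        return "block"
    return "allow"


def demo():
    """Rewrite a constructed message body, then classify each rewritten link."""
    html = ('<a href="https://short.example/abc">Review invoice</a> '
            '<a href="https://example.org/faq">FAQ</a>')
    proxied = HREF_RE.findall(rewrite_links(html))
    return [classify_click(link, fake_fetch) for link in proxied]


if __name__ == "__main__":
    print(demo())   # ['block', 'allow']
```

The signature on the rewritten link is what makes click-time checking safe to expose publicly: without it, the proxy becomes an open redirector that attackers could use to lend your domain’s reputation to their own URLs.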
Why do these advice articles not include this information? This technology is readily available, fast to deploy and inexpensive.
Want some better phishing prevention advice? Head on over to cloud-based email security with real-time link click protection risk-free for 30 days.
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.