
Why Phishing Attacks Will Always be Successful

Brad Slavin, General Manager
Updated May 23, 2025

Quick Answer

Phishing attacks succeed because they exploit human psychology, not broken technology. Kevin Mitnick's classic exploits were phone calls to help desks, not zero-days. Social engineering rides on six principles Robert Cialdini identified in The Psychology of Persuasion: reciprocity, commitment and consistency, social proof, authority, liking, and scarcity. Awareness training reduces but cannot eliminate susceptibility to those levers, because anyone can have a bad moment. Technology cannot fully eliminate it either, but cloud-based email security with real-time link click protection cuts the success rate sharply by stopping the lure before it reaches the inbox and re-checking links at click time. The defense that actually works is awareness training plus a filtering layer that catches what humans miss.

Phishing Attacks

Phishing attacks will always be successful because they’re not attacks on technology, they’re attacks on human nature.

As Danny Bradbury points out in SC Magazine, “Successful data breaches need not require expensive technology, massive deceptions, or even expertly faked credentials. Sometimes all it takes is a phone call to the help desk and a request for assistance logging in. You do not even have to be a legitimate user if you are convincing enough.”

That’s how the greatest hacker in history, Kevin Mitnick, accomplished most of his exploits. Not by brute forcing his way into computer systems, but by calling up companies and asking for help. People want to help those in need, and unfortunately, that leads to successful phishing attacks.

“Social engineering is one of the least expensive, most powerful tools in a hacker’s toolbox,” Mr. Bradbury points out. Social engineering relies on six principles, first identified by Robert Cialdini in his book, The Psychology of Persuasion:

  1. Reciprocity
  2. Commitment/consistency
  3. Social proof
  4. Authority
  5. Liking
  6. Scarcity

You can be sure that if a hacker targets you using social engineering, they’ll be using one of these six principles. And phishing is the most prevalent use of social engineering.

Can phishing attacks leveraging social engineering be stopped? Not completely. It would be naïve to think that any amount of security awareness training can prevent every possible form of social engineering. After all, we’re human. But that doesn’t mean employees shouldn’t get awareness training.

Can technology alone protect us from social engineering? Not completely, but like awareness training, it’s better than not having it. In fact, the combination of awareness training and phishing prevention technology is a powerful defense.

When you’re ready to incorporate awareness training into your phishing defense, there are plenty of options out there including the free, open-source phishing framework GoPhish.


When you’re ready to deploy our cloud-based email security with real-time phishing protection, you’ll find it stops ransomware, blocks malicious websites and comes with real-time link click protection. There are no contracts to sign, it comes with a 30-day money back guarantee, and you can be up and protected in 10 minutes.
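The click-time link protection mentioned above works in two steps: every URL in a message is rewritten to a redirector link at delivery, and the real destination is checked again only when the recipient clicks. The sketch below is an added example, not DuoCircle's code; the redirector host, signing key and blocklist are all constructed placeholders. It shows why the second check matters: a destination that was clean at delivery can be flagged by the time someone clicks.

```python
import hmac
import hashlib
import re
from urllib.parse import quote, parse_qs, urlparse

# Hypothetical redirector endpoint and signing key (constructed for this example;
# a real deployment loads the key from a secrets store).
REDIRECTOR = "https://links.example-protect.invalid/click"
SECRET = b"demo-signing-key"

# Constructed blocklist standing in for live threat intelligence, which can
# change between the moment a message is delivered and the moment it is clicked.
BLOCKED_HOSTS: set[str] = set()

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(url: str) -> str:
    # HMAC over the original URL so the redirector cannot be abused as an open redirect.
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(body: str) -> str:
    """Delivery time: replace every URL in the body with a signed redirector link."""
    def repl(m: re.Match) -> str:
        url = m.group(0)
        return f"{REDIRECTOR}?u={quote(url, safe='')}&sig={_sign(url)}"
    return URL_RE.sub(repl, body)


def parse_click(link: str) -> tuple[str, str]:
    """Split a rewritten link back into its (decoded) destination and signature."""
    q = parse_qs(urlparse(link).query)
    return q["u"][0], q["sig"][0]


def resolve_click(url: str, sig: str, blocked: set[str] = BLOCKED_HOSTS) -> tuple[str, str]:
    """Click time: verify the signature, then re-check the destination host."""
    if not hmac.compare_digest(_sign(url), sig):
        return ("reject", "bad signature")  # tampered link, never redirect
    host = (urlparse(url).hostname or "").lower()
    if host in blocked:
        return ("block", url)  # flagged after delivery: show a warning page instead
    return ("allow", url)
```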

Phishing attacks will always be successful. But you can take steps to drop their success rate down to next to nothing.

Brad Slavin, General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.
