(Original version posted 2014/10/19)


We know that phishing, a form of social engineering or con game played on email game boards, is still growing as a problem. The Verizon Breach Report investigations continually reveal phishing as a main method and point of network entry in breaches. One should remember that, even though the success rate is very high, the bad guys will remain creative when it comes to finding new attack vectors.

Something important to note compared to just a year or two ago, is that ransomware has exploded. I believe I read or heard just recently, that about 93% of phishing emails and spam now embed ransomware type malware attacks. To learn more about the greatest cybercrime epidemic the industry has ever faced, see our Ransomware Ascending series.

For quite a few years, the prescription for phishing prevention has usually been security awareness training. Security awareness training been required by most standards and frameworks, and been around for some time. Due to the success of phishing and ransomware, this outcome begs the question of whether such training has been, or can ever be, effective enough.

Problem Scope

Articles like Phishers go after unprecedented breadth of targets  illustrated that phishing threats are now pervasive. Greg Aaron, President of Illumintel says,

“ If a site takes in personal data like passwords or credit card information, then phishers may want to exploit it….We’re seeing an unprecedented breadth of targets — cloud storage sites, utility companies, business service providers, and real estate brokerages.”

Everyone is now a target, even SMBs, due to ransomware.

Another post,  Employees Clueless About Social Engineering supports this notion somewhat, informing us that phishing emails are more complicated, spelling corrected and proof-read, and attacks multi-staged. However, the rest of this article is really about a poll pointing out that,

“...employees who are blissfully ignorant of the lengths criminals will take to gain their confidence in order to breach an organization’s security and steal proprietary data.

Plus, many users consider security issues such as malware and phishing, IT department issues. They may be just trying to get their job duties completed most of the time.

The Weakest Link Excuse


Source: MIT

The commonly held view by many IT and security folks, “users are the weakest link” and “blame the user”. Granted, some users are in a state of blissful ignorance when it comes to security risk. If this is the basis for the call for more training, what exactly will that training going up against and what should one’s expectations be, realistically? Can security awareness training deliver the complete solution? 

The Human Factor

At a  security event I attended a few years ago in Ottawa, panelist Peter Hammerschmidt said,

“ Cyber security is not just a technological issue. It’s a people issue. Even the best cyber policies in the world can be foiled by one wrong click. ”

Rahul Kashyap tells us here, that the flaw in so-called “People-Centric-Security” is that people aren’t perfect. (Hey, who knew?)

No matter how smart we all are, we will at some point make one mistake. Even if I’m the smartest person on the planet, I do end up making mistakes. And all it takes is one mistake, one click in one phishing email attachment, and with that one mistake my entire organization can get compromised, right? So the barrier for entry for attackers is actually pretty low because they’re relying on the fact even though they’re all the smartest of the smart individuals, all they need is one person to make a mistake.”


Was that a wask-al-ly wansomware?

Lance Cottrell wrote an interesting post 5 Myths: Why We Are All Data Security Risks, and one of his myths is…

“MYTH: I am smart enough to spot phishing attacks.”

He says,

I am absolutely sure that I could be tricked by a well-crafted spear phishing attack, and I am equally sure I could do the same to you.”

In his post No Solution to the Human Condition Tal Klein agrees, saying

This is good advice as we design defenses that take account of human gullibility, which affects even the world’s most senior military officials. Because no matter how clever we may be, there is no solution for the human condition.”

Indeed, I’ve read of security and IT folks being fooled by phishing attacks. The article Cyber threats: trends in phishing and spear phishing points out that

“ Sophisticated ‘spear phishing’ attacks can be hard to spot by the experts … What chance does this provide the average company or employee, let alone those who use computers infrequently?”

So if you are an IT or security person, it’s probably a mistake to listen to your lizard brain if it’s telling you “it will never happen to me“. You too, are a user.

CdMPg9EW8AA9_6ZWhich leads to a great post by Anup Ghosh, CEO of Invincea who points out another important myth in Three Most Common Myths in Enterprise Security. He gets it right in that users are simply doing what they are normally do.

He says,

“MYTH: We can train our users to not do “stupid” things.”

“ The popularity of security training is predicated on the myth that we can teach users to make the Internet a safer place, if only they won’t be, well, humans. And since this is Cyber Security Awareness Month, this makes me the bearer of bad news for all the CSAM people who think focusing on security this month will make our networks, oh so much more secure.”

“And better yet, victim blaming and shaming is all the rage. So rather than having to put in a security program that works, we can deflect by blaming the victim — users — for doing what comes natural — clicking on links and opening attachments — and in many cases is expected in their roles. “

In his post he featured a chart from Verizon illustrating that the odds of getting a user to click on a link as part of a phishing campaign approaches 100% asymptotically, as the number of emails (targeted users) reaches 17. I recall a Risky Business podcast a report where it was less than that, – only 10 phishing emails were required.

He continues with;

A security strategy based on training users to not click on links or opening attachments will fail.”

Users will click on links or an attachment. It is only a question of when.”

You must find a security solution that accounts for the fact that users will click on links and open attachments, because they will.”


Since the original version of this post, the phishing problem has worsened. It is a very successful vector, and it appears that the attackers have become more malicious and outcomes of attacks more serious. Whether your enterprise is providing security awareness training or one that is unfortunately, not doing so, it’s good to remember that it’s pretty darn hard to change human behaviour.


Authors note: I didn’t bother to find new articles for this post because the linked articles, even though a few years old, remain relevant.

Next post – PHISHING: Doomed to be a Phool? ——– >