Social engineering causes people to drop their cognitive defenses.

Because of this basic human flaw, the overriding opinion is that defending against phishing and spearphishing campaigns by teaching employees not to click on what appears to be an official company email is as hard as getting the idea through their heads that using a USB drive found in the street is a bad idea, or even that betting on the New York Jets to win the Super Bowl is a mistake. Every time, just don't do it.

This is why even people with a great deal of “street smarts” can fall victim to these scams. 

“Everyone has a trigger,” Lamberg notes. “This is not a technology problem, but a people problem.” Most of us are trusting by nature, he says, adding that training can somewhat offset our innate desire to help others.

To reinforce this message, influence future behavior and, of course, thwart future attacks, OpenLink uses training methods that include phishing its own employees to accomplish two goals, Lamberg says. One is building a healthy dose of skepticism into each worker when it comes to dealing with cyber issues; the other is simply to get the staffer to pause for a few seconds before acting on an email.

As a result, the company has reduced the number of successful attacks by five percent, he says. 

“Training needs to be interactive,” says Wallace. “Immerse the workers in a [training] scenario where they receive a phishing attack.” But she was less certain that mock phishing attacks conducted by the company would generate the results desired.

However, she agreed a person might learn after being victimized by their own company, although there might be a side effect: “They also may become less trusting of their corporate environment.”

If the training fails, additional steps may need to be taken to get through to workers who, for whatever reason, just cannot seem to get the hang of scrutinizing emails and thus constantly open the door to cybercriminals by downloading malware or sending off valuable information. This can include taking this negative behavior into account when conducting performance evaluations, says Wallace.

“People have to learn to take this seriously,” Lamberg says. However, he notes that OpenLink has not incorporated any type of punishment for poor cyber hygiene, hoping to keep the atmosphere surrounding the problem positive.

Part of keeping an upbeat outlook is not feeling any shame in being victimized, says Andy Feit, head of threat prevention marketing at Check Point Software Technologies, a San Carlos, Calif.-based security vendor. “Hackers are doing a lot of work to get the emails correct.”

Simply because it is so hard to change human behavior, some IT security firms are looking for a technological approach, even though developing such a tool has often been derided as impossible. “I'm a contrarian,” says Vidur Apparao, CTO at Agari, a San Mateo, Calif.-based email security vendor. “I absolutely think we can stop them. It's an indictment of our industry that the best methods are not technology based.”

Shalabh Mohan, vice president of product and marketing at Area 1, a Redwood City, Calif.-based firm that offers products to eliminate targeted, socially engineered cyber attacks, does not go so far as to say a technology-based solution will work, but he is fairly confident socially engineered phishing attacks can be stopped.

“I agree that humans are extremely gullible and that is why these attacks get through,” Mohan says. “It's easy to keep changing the social hook, so instead we want to go out and stop the attack

In each case the company is not looking at the email's payload, or at how the email is worded, but at factors outside the message content itself.

In Agari's case, the defense relies on deciding whether or not an email sent to a specific person is normal. If the previous 90 emails that were sent between two people at the same company always used the same server, how come this last one came from another place?

“We look at security in a different way,” Apparao says. “We want to build a platform that models email traffic. This way we can tell the good from the bad based on history.”
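The history-based check Apparao describes can be sketched in a few lines. The following is an added illustration, not Agari's code or model: it keeps, per sender-to-recipient pair, a count of which sending server each past message came through, and flags a new message whose server the pair has never used before. The message history, addresses and server names are constructed sample data; a pair with too little history returns "no_baseline" so that other controls can decide.

```python
"""History-based sending-server check for a sender/recipient pair.

Added example; the message history below is constructed, not real traffic.
"""
from collections import Counter, defaultdict

# Constructed history: 90 messages between two colleagues, all relayed through the
# same server (the scenario in the article), plus a little unrelated traffic.
SAMPLE_HISTORY = [("alice@example.com", "bob@example.com", "mail1.example.com")] * 90
SAMPLE_HISTORY += [("carol@example.com", "bob@example.com", "mail2.example.com")] * 5


def build_baseline(history):
    """For each (sender, recipient) pair, count how often each sending server was seen."""
    baseline = defaultdict(Counter)
    for sender, recipient, server in history:
        baseline[(sender, recipient)][server] += 1
    return baseline


def score_message(baseline, sender, recipient, server, min_history=10):
    """Classify one new message against the pair's history.

    Returns (verdict, detail) where verdict is one of:
      "no_baseline" - too little history for this pair to judge
      "consistent"  - this server has been seen before for this pair
      "anomalous"   - the pair has a stable history and this server is new to it
    """
    seen = baseline.get((sender, recipient), Counter())
    total = sum(seen.values())
    if total < min_history:
        return "no_baseline", {"history": total}
    if seen[server] > 0:
        share = seen[server] / total
        return "consistent", {"history": total, "server_share": round(share, 3)}
    expected = seen.most_common(1)[0][0]
    return "anomalous", {"history": total, "expected": expected, "observed": server}


if __name__ == "__main__":
    base = build_baseline(SAMPLE_HISTORY)
    # The 91st message arrives from an address this pair has never used (constructed,
    # TEST-NET range); with 90 consistent prior messages it is flagged as anomalous.
    print(score_message(base, "alice@example.com", "bob@example.com", "203.0.113.45"))
```

A real deployment would key on authenticated identity (for example, DKIM-verified domains) rather than a bare address string, since the From header alone is attacker-controlled.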