Categories
Phishing Scams Support

Why your advice to spot phishing isn’t working

As an occasional mouthpiece for a global cybersecurity company, I was regularly called on to give advice to businesses on how to spot and stop phishing attacks. 

My advice was always simple, clear, helpful… and unfortunately dated. 

You see, as cybersecurity vendors, even as recently as two or three years ago, we were particularly focused on providing desktop protection. Securing mobile phones and tablets was a relatively new problem for our enterprise customers, and phishing was very much seen as a desktop problem. 

So the advice for end users around spotting and stopping phishing attacks on your desktop PC or laptop invariably centered around “hover over a link before clicking on it to see where it leads, and if it looks phishy, don’t click it.” 

Like I said, simple, clear and helpful…

The problem is, most employees now have access to their work emails or cloud drive on their mobile phone. Employees demand this flexibility; security teams demand 2FA, where the mobile device is often the ‘second factor’; and the organisation demands productivity. Mobile device usage for work purposes is a boon for everyone. 

But as the number of attempted phishing attacks via email rise, a huge 91%, according to a report from FireEye, so does the likelihood of employees opening those emails on a mobile device.  In fact, in Gartner’s 2019 guide to mobile threat defence they found that business users increasingly fall victim to phishing on their mobile devices.

The human-actionable defences against phishing that we take for granted on a desktop aren’t available on a mobile. You can’t hover over the link to see where it goes. Often there’s more going on around you so your attention is elsewhere, and if you click the link the website’s address is tucked away to give the web page as much of the limited space as possible. 

It’s this combination that means phishing links are clicked more often on a mobile device, whether in our work or personal lives. In fact, as the technological boundaries between our own personal and professional lives blur we’re seeing phishing attacks carried out through novel platforms, such as Linkedin and WhatsApp, as well as the usual email and SMS. Who amongst your workforce would be expecting to see a phishing link while looking through their Linkedin messages?!

According to FAU researchers, 78% of people claim to be aware of the risks of unknown links in emails. And yet they click anyway.

As most of you reading this who work in a cybersecurity team will know, budgets need to be stretched to protect the whole vulnerable organisation, and you can’t realistically shore up defences against every potential attack. You need to pick your battles, usually based on which threats your organisation has encountered before, which are more prevalent in your sector, which are most likely to cause the most financial and reputational damage…

Phishing is one of the most serious cyberthreats organisations are currently tackling and $1.8 billion has been lost to business email compromise. For the safety of the organisation, to protect confidential data and guard against data loss, credential theft, ransomware, malware and social engineering, businesses are demanding better phishing protection for employees on all their devices. 

According to Google Safe Browsing, since 2016, phishing has replaced malware as the leading type of unsafe website. While there were once twice as many malware sites as phishing sites, there are now nearly 75 times as many phishing sites as there are malware sites.

Better phishing detection for mobile devices

It’s for these reasons and more that at Traced we’ve introduced a new technology to spot phishing links on mobile devices. This new technology uses natural language processing to analyse any links you click on to spot whether the language in that link looks similar to that of language used in known phishing links. So far this technology provides a 99.5% accuracy and is likely to improve as the training of the model is refined. 

So if your organisation needs protection from phishing, download the free app for iOS or Android. Within 5 minutes, you’ll see how easy it is to protect mobile devices from malware, compromised WiFi networks, and, yes, phishing. 

Imagine if everyone in your organisation had that level of security on their personal phones and tablets. Using Traced Control, our Mobile Threat Defence solution, you can see the risk status of every enrolled device, helping you to comply with regulations around data security in a very simple and cost-effective way.