Preventive countermeasures to phishing emails may actually increase the likelihood of employees falling for such scams, a new academic study reveals.
Protective controls, such as email proxy, anti-malware, and anti-phishing technologies, can give employees a false sense of security, causing them to drop their vigilance because they incorrectly assume such measures intercept all phishing emails before they reach their inbox, a study co-organised by the University of Sussex Business School reveals.
Employees’ sense of shame and fear of work colleagues’ disapproval were more effective deterrents from accessing phishing scams, the academics determined.
To protect themselves from costly phishing scams, companies should put all staff through continuous security training and educational programmes, experts at the University of Sussex Business School and the University of Auckland recommend.
Phishing scams are responsible for almost one in three data breaches and the cost of ransomware to businesses is estimated at over $8 billion globally.
Dr. Mona Rashidirad, Lecturer in Strategy and Marketing at the University of Sussex Business School, said: “Security safeguards alone will not protect a company from phishing scams. Organizations and individuals substantially invest in security safeguards to protect the integrity, availability, and confidentiality of information assets.
However, our study supports the findings of recent studies that these safeguards are not adequate to provide the ultimate protection of sensitive and confidential information.
“Protective and detective tools use machine learning, anomaly detection, text mining, and profile matching to combat the threat of phishing emails but cybercriminals design these scams to bypass technological controls and exploit human cognitive biases.
Technical countermeasures such as anti-phishing and spamming tools, email malware detection, and data loss prevention still often require human intervention to analyze and distinguish between phishing and legitimate emails.
“To prevent phishing attacks, a well-designed continuous security training and educational program, incorporating phishing simulation exercises and embedded training for vulnerable employees, needs to be established and enforced in organizations.”
Following a survey of employees, the researchers developed a theoretical model, from a socio-technical perspective, of the factors that influence whether users click on phishing emails, exploring employees’ responses to, or avoidance of, the threat posed by the scam.
Applying the Theory of Planned Behaviour (TPB), the research team hypothesized that an employee’s intention toward clicking on phishing emails is influenced most strongly by how their response would be perceived by managers and colleagues, the employee’s self-assessment of how well they can cope with the threat, and their personal attitude toward compliance.
The researchers identified a range of individual, organizational and technological factors that could explain employees’ failure to comply with email security policy and their susceptibility to phishing attacks.
This vulnerability to phishing scams did not vary significantly when considering an employee’s age, gender, or education, the study reveals.
Employees’ clicking on phishing emails was often an irrational act triggered by habit and automatic behaviour tendencies developed through a history of using email on a daily basis, the study said.
The authors determined that informing staff about procedural countermeasures, including information security standards, policies, and guidelines, does increase security awareness among employees but is not sufficient by itself to bring about behavioural change in how employees deal with phishing emails.
Effective staff training should inform employees what security measures their employer already has in place but also what security risks remain that could be exploited by malicious attackers, the academics conclude.
Hamidreza Shahbaznezhad, Senior Data Scientist in Industry at the University of Auckland, said: “Although technical countermeasures such as anti-phishing and spamming tools, email malware detection and data loss prevention are deployed to mitigate the risk of phishing attacks, using these technologies to detect phishing attacks remains a challenging problem.
This is not least because they often require human intervention to analyse and distinguish between phishing and legitimate emails.”
Farzan Kolini, Ph.D. Candidate at the University of Auckland, said: “Preventive countermeasures such as anti-phishing tools and email proxy have a pivotal role in detecting phishing email, as phishing attacks have become more sophisticated to bypass preventive security countermeasures. Hence, it is incumbent on employees to apply additional due diligence to investigate any suspicious emails.”