Perhaps you heard the news that Google has introduced a new Chrome feature that is designed to protect users from phishing attacks. According to SC Magazine UK, the extension is called Password Alert and is meant to warn users if they are typing their password on an unsecure website:
When detecting a fake login page or an unverified site, Password Alert will give users the option to immediately change their passwords in efforts to mitigate potentially compromised accounts.
However, PC World warns that there are some problems with the recently released Google Password Alert, stating that security pros (and you know this also means malware developers) are finding ways to bypass Google’s anti-phishing protection.
I mention all of this not just because having anti-phishing protection on our browsers is important news (it certainly is!), and not just because we’re already seeing the flaws in such protection, but rather to highlight that after all these years, phishing is still a huge security problem.
I went to a session at RSA entitled “Phishing Dark Waters.” It was all about the dangers of phishing scams and how to defend your network against them. What I learned is that despite being better informed about how phishing scams work, people are still falling for them. There are three basic and very simple reasons why:
- Phishing scams play to our base emotions.
- Phishing scams ignite our natural curiosity (admit it; even though you know you shouldn’t, you want to open up some emails because their subject headings are too delicious to ignore).
- We are busy and aren’t paying attention. Spear phishing scams in particular are so good at deception that even the most security-centric person can make a mistake because he or she is in a hurry. Hopefully something at the last second will kick in – i.e., realizing that your PayPal account uses a different email or the package you were expecting was sent by FedEx, not UPS – before reflexively clicking on the link.
The scammers know this and they will continue to use phishing scams to prey on users, especially considering that about a quarter of phishing emails are opened and a tenth of us will even open an attachment or click on the link.
So what can be done to lessen the problem of phishing scams? Applications like Password Alert, when the bugs are fixed, will certainly help. But it really comes down to education. Teaching users to recognize a phishing scam should be done on a regular basis – regular being monthly or quarterly. Once a year security training sessions simply don’t work anymore. It helps, too, to make users more invested in the damage. If they know that their information is at risk, as well as company data, they may have second thoughts on opening a potential scam email. C-level executives and decision makers also need to be on board with improved educational efforts—they should be reminded that just because the word “chief” or “VP” is in their title, they aren’t immune to being caught in a phishing scam. But perhaps most importantly, remember that no one is perfect and mistakes are going to happen. A defense plan needs to be in place for those accidents. Overall, it is more important that users understand the damage that can be caused by a single phishing email and have improved knowledge on how to recognize a scam versus a real email.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.