Start Now

Published

- 9 min read

Science demonstrates the ineffectiveness of common anti-phishing methods

img of Science demonstrates the ineffectiveness of common anti-phishing methods

This should give us pause for thought. But rest assured: nothing will change. Because it’s not about cryptography or another sexy topic in the field (EDR, blockchain security, post-quantum crypto, you name it). The cybersecurity market has already chosen a completely different direction.

Table of Contents

  1. What is it about?
  2. The phishing problem - and its treatment - is far from trivial
  3. At the root of the problem
  4. So, what are phishing tests really worth?
  5. Let’s come to the results of this study and its lessons
  6. Conclusion

What is it about?

They say it in more muted words, those of scientists who must take precautions and calculate their margins of error. While they belong to a predominantly technological laboratory, they follow in the footsteps of work by the European Cybersecurity Agency (ENISA) or other researchers who have explored behavioral, neuroscience and psycho-social approaches to cyber. But who reads these studies? Who implements their teachings?

Without these scientific studies in cyber, how can we distinguish between the always effective grandmother’s recipe and the “best practices” in cybersecurity?

Although little known in France, ETHZ has an Information Security Institute recognized for the quality of its work and teaching. ETHZ also hosts the Center for Security Studies, which also deals with cyber but from its military and diplomatic angle. There too are very interesting works, particularly on the subject of digital sovereignty.

The authors of the study are two PhD students supervised by Srdjan Capkun, the director of the Zurich Information Security and Privacy Center (ZISC), to which the Information Security Institute belongs.

The phishing problem - and its treatment - is far from trivial.

The impact of phishing remains major. According to the 2022 study by CESIN (Club of Information Security Experts), published in January 2022, the most widespread attack vector remains phishing (73%) ahead of software vulnerability exploitation (53%). These figures, collected by an Opinion Way study among CESIN members, are consistent with those of the American Verizon, which in its latest Data Breach Investigation Report (DBIR, 2021) announces that 91% of observed attacks involve phishing.

Yet, we can’t say that the problem is new.

At the root of the problem

What is an email? Not much after all, a few kilo or mega bytes of exchanges. Invented in 1971 by Ray Tomlinson, email remains a universal means to reach almost any Internet user. Today, email is defined by a set of 15 to 18 specifications (RFC). Despite its initial simplicity (a terminal and a few commands - not far from our historical Minitel), email is a complex subject. 50 years after its birth, solving email security problems is still complex. Just to fight against the usurpation of its domain names, because correctly configuring DKIM, SPF and DMARC is not easy. Going as far as having proof of the sender’s identity is possible with S/MIME signatures, the first version of which was invented in 1992. But nobody - or almost nobody - uses it.

In 1995, the first phishing is listed. It targets users of the first public Internet access provider, AOL. A tool is distributed to allow stealing passwords and credit card numbers. An automated message is sent to randomly chosen users’ mailboxes.

Hello, this is AOL customer service. We are conducting a security check and need to verify your account. Please enter your username and password to continue.

It contains one of the foundations of many phishing messages: the use of the argument from authority. It joins the “money, sex, ideology, ego” levers specific to recruiting a source in intelligence. This argument from authority that is present in the rhetoric of Aristotle, Schopenhauer or more recently Clément Viktorovitch. As much as in the CEO fraud scams, particularly cinematic like those conducted by Gilbert Chilki, finally convicted in France in 2021: 11 years in prison and 2 million euros fine. He notably took on the identity of Minister Le Drian, under a mask and in front of a set, to extort funds from personalities. They thought they were funding a clandestine operation of French intelligence.

alt_text

At the same time, before his arrest in 1995, Kevin Mitnick was living the high life and thumbing his nose at the FBI. Two and a half years of pursuit for the one who remains the first hacker to be on the FBI’s list of 10 most wanted persons. For his social engineering feats, his manipulation skills worthy of a Frank Abagnale, the American who inspired Spielberg’s film “Catch me if you can”. After several years in prison, Mitnick turned this experience into a cybersecurity consulting business. He became the “Hacker in residence” icon of KnowBe4, the world leader in the phishing simulation market and the training that accompanies it.

Three colorful lives, certainly offset in time but with comparable springs. Let’s not forget despite the panache: malicious and criminal. Among many others.

In 2018, a statistic was circulating: 3.7 billion users send 269 billion messages per day. In 2021, the daily volume of sends is estimated at 320 billion. You see the impact of fraudulent emails, even imagining that they are in small proportion?

Almost 30 years after Mitnick, the phishing problem is far from solved. Today, companies no longer face isolated attackers, but very structured ecosystems, which share offensive information and R&D much better than companies do among themselves for their defense. Criminal ecosystems, like ransomware gangs, and state, private and public espionage ecosystems within countries that include China, Russia, North Korea and Iran.

The right image to represent phishing is not that of the good fisherman with a hook at the end of a line. It’s rather that of electric trawl fishing, so decried, which will sweep very wide and give no chance to the fish.

Presidential election candidates can still fall victim to it. Like Hillary Clinton and her Democratic National Committee (DNC) in her time, during the campaign won by Trump. With rising tensions around Ukraine, a climate that increasingly resembles the Cold War, and first operations to destabilize critical infrastructure in Europe, this is not to be taken lightly.

So, what are phishing tests really worth?

Let’s get back to our… sheep. Conducting phishing tests has even become essential to hope to subscribe to a cyber insurance policy. Insurers now have significant experience (and statistics) on cyber claims. But, in terms of cyber, insurers don’t bother with science for what remains, for the moment, a specialty risk. The immediate causes of each major claim lengthen the list of prerequisites to be insured, or from one year to the next, hope for a maintenance of the premium rate. Making a false declaration at subscription, or not applying the declared measures, during the life of the contract, is to expose oneself to its nullity. Essential to allow the insurer to fight against insurance fraud. And practical in case of too large a claim: no need to settle it.

This is how, concerning the phishing risk, it is required to conduct phishing simulations. With a major problem: the simulation is carried out in the real environment. Real emails are sent to mailboxes by cyber experts who seek to “raise awareness” or “trap users”. It depends on the point of view.

It’s not by shooting at someone, even with blanks, that we’re going to teach them to avoid bullets.

Yet this is what is done in terms of phishing. Instead of focusing efforts on setting up an effective filtering device and a means of reporting suspicious emails.

Because many companies don’t know what to do with these email reports, so they don’t encourage them. We don’t know how to exploit the results of an indicator? It’s simple, we remove it. Too bad, when this indicator can directly contribute to solving 70% of the problems for which, in SBF 120 companies and the like, we spend millions, tens or even hundreds of millions of euros each year.

Suffice to say that we have here new proof of the key phenomenon and also poorly known in cybersecurity: the concept of “throwing money out the windows” or “throwing money at a problem” (in my opinion more explicit).

Let’s come to the results of this study and its lessons

A study that should prompt complete overhauls (source: cyberbrief.fr)

After 15 months of experience on anti-phishing campaigns, more than 14,000 participants, the doctoral students from ETH Zurich University in Switzerland have come to an unequivocal conclusion: phishing awareness in companies can make employees even more vulnerable. Faced with this major problem, the conclusion of the experiment advocates sharing phishing detection among all employees.

Phishing techniques are becoming increasingly subtle and complex. To protect themselves, companies can send a test to their employees to train them. However, common practices are ineffective or even counterproductive.

This is the main result of a study conducted at ETH Zurich University in Switzerland, involving 14,000 participants over 15 months. This study, submitted on December 14, 2021, details an experiment conducted in collaboration with an anonymous company and its cybersecurity director. This company did not inform the participants of their participation. “What we saw interesting, if you follow training to find trapped emails, it becomes much more likely that you will actually fall for future phishing attempts” explains Daniele Lain, a doctoral student participating in the study. Indeed, 32.1% of the study participants clicked on at least one dangerous link or attachment.

If you follow training to find trapped emails, it becomes much more likely that you will actually fall for future phishing attempts.

These results contradict previous research and call into question industry practices. Phishing training, when integrated into a phishing simulation, is therefore counterproductive. Yet, many market players offer mini-trainings integrated into phishing tests. It has become a standard expectation from decision-makers, cybersecurity directors and CIOs. Moreover, repeated exposure to phishing tests does not significantly reduce the vulnerability of certain groups within the company.

Only the use of a shared detection service, at the company scale, can reduce the threat. To reach this conclusion, the researchers sent trapped emails with a reporting button, in case of suspicious emails. Result: 90% of employees reported six suspicious emails or less. These doctoral students are the first to demonstrate experimentally that only phishing detection by all company employees is truly effective.

To deal with phishing emails that would not be detected by email filtering tools, only one practice is really effective:

  1. Give all employees the ability to report potentially dangerous emails
  2. When consulting the email, display an alert message to all other employees
  3. Have a technical team and tools that will confirm or not the dangerousness of these emails, without this confirmation being essential before step 2.

Like any safety or security subject, the key issue is time management.

Not the number of people who are in “success” or “failure” in phishing tests.

Detection times for a fire outbreak and its automatic extinction by triggering sprinklers and firefighter intervention, on site or nearby. With in addition, the role of first responders, who can be simple employees trained in the handling of a fire extinguisher or to be file guide or file closer to facilitate evacuations.

Or detection times of a threat, physical or digital, and its suppression or return to normal. With more and more, supported by platforms such as Captain Cyber (our startup), the intervention of non-experts in cybersecurity operations, in support of the SOC.

According to Verizon, a large-scale phishing campaign takes an average of 16 minutes to make its first victim. However, the first report of such an email to an IT service takes (still on average) twice as long, or 33 minutes.

The problem with phishing is not just the email channel, it’s the ability to exercise informed judgment to make a quick and safe decision following an online solicitation.

That’s because over the years, communication channels have multiplied, with alongside email, text messages and other iMessages (Smishing by SMS), messaging integrated into social networks (Facebook Messenger, Instagram, DM on Twitter, LinkedIn message…), professional instant messaging (Slack, Microsoft Teams, Google Chat…), personal (WhatsApp, Viber), customer contact messaging (Intercom, Zendesk, Crisp), more or less secure messaging (Olvid, Signal, Telegram). Not to mention the “traditional” vishing (by voice / phone). Already observing, in attacks, deep fakes of photos of non-existent people, and soon deep fakes of audio and video conversations.

Far from simplifying, the phishing problem, in all its forms, is increasing. For now, inexorably.

Suffice to say that if we want to approach phishing as a technical problem specific to each channel, it’s a lost cause. We should rather exercise the “critical thinking” of employees. As innovators do as much as hackers: “think out of the box”.

Conclusion: in fact, the real situation is much worse than the results of the ETHZ study show

Because this technical obsession with email phishing is exactly what is done in companies:

“phishing is primarily email. Let’s send phishing emails, and then we’ll see what we do. To those who are in “failure”, we send new tests, and train them. To the most failing, we will initiate HR procedures. Because after all, these people are a******s”.

Speech of a CISO who has lost faith? I’m barely exaggerating.

Naming the evil, and naming it well, is not catastrophism, it’s on the contrary giving oneself the means to take action.

In this case:

  1. Not only is the distribution of cybersecurity budgets not aligned with risks (according to available figures, about 20% of budgets should be earmarked for the human factor, while this human factor rather represents 1 to 2% of observed budgets in companies). Who wants to better use these 20% which today are used on accessories?
  2. Also the budget currently dedicated to the human factor (these 1 to 2% which should be 20%) is not well composed: an obsession with phishing will not effectively address the phishing problem (it’s the tree, seen too closely, that hides the forest). And the ETHZ study learns that the way we conduct these phishing tests, accompanied by training, needs to be completely revised.

Thus, it will always be counterproductive to use a SaaS service, even if it is European or French, and with a very ergonomic interface. If it only intends this interface and this beautiful experience to 1% or 1 per thousand of the main concerned: CISOs and CIOs, instead of employees, it is completely useless. Even worse, it gives the illusion of security.

CIOs, CISOs and their teams are certainly the customers, but it’s the users who should be the focus of all efforts. Because they are on the front line.

Not for pleasure, to achieve customer objectives. You’ve understood it, especially if this “pretty” service aims to send phishing test campaigns and “train” employees following these tests.

But hopefully, some of you will choose to act.

Two examples show us that it is possible to turn the table. ETI as well as large groups. All sectors combined. Beyond the phishing issue, cyber strategies can be thoroughly reviewed. While drawing considerable benefits, including in brand image. So can we really afford the luxury of not changing anything regarding phishing?

Completely changing strategy (if not doctrine or ideology) is the situation of Equifax (USA, finance). And of Groupe Leader (France, HR services), described this week by our colleagues from Les Echos. Time and space are lacking to discuss these cases here, it could be the subject of another newsletter.

These two groups have suffered cyberattacks that have largely destabilized them (respectively end of 2017 and early 2021). Fortunately, these groups survived (losing some feathers). However, they each decided to transform, from the ground up, their approach and practices of cybersecurity. Throughout the company.

But why wait for such a big bang, in a destructive impulse?

Cyber is like climate change: when you feel its negative effects, it’s already too late.

I don’t know about you (at the same time, if you’re reading these lines, it may not be entirely by chance), but I don’t want to be part of those people who blindly follow the crowd. Especially with such high stakes, both individual and for our human societies as a whole. Because that would mean accepting the same fate as a herd of 600 sheep jumping off a cliff. And this happens regularly.

On the contrary, I believe I’m one of those who make things change. That’s why I oriented myself towards what wasn’t yet called cyber, and which wasn’t “sexy”, 20 years ago. And you, what do you want?

This post by Sylvan Ravinet originally appeared on the CaptainCyber blog.

Related keywords

Cybersecurity
Phishing
Scientific research
Information security