Phishing is more sophisticated than ever. Cybercriminals have moved on from bombarding mass email lists with poorly spelt, obvious scams. Those have been replaced by carefully planned spear-phishing attacks, impersonation attempts, and business email compromise (BEC).
Consider a new joiner to Company X – they’re excited to start and have recently updated their public LinkedIn profile. On their first day, they receive an email from companyX@security.com, asking them to change their password for a certain application. It’s signed off by Company X’s head of security, and it looks the same as all the other emails they’ve received on their first day. Except it’s a spear-phishing email hunting for login details – and you know what happens next. Note where the tell is: not in the wording, which is polished, but in the sender address, whose domain is not Company X’s at all. A new starter has no baseline of genuine internal mail to compare it against, which is exactly why the attacker timed it for day one.
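The sender-domain tell in that scenario is something a mail gateway can check mechanically, before the email ever reaches the new joiner. The following is an added example, not code from the original article or from any vendor it describes: it parses two constructed messages modelled on the scenario, flags a display name that claims an internal identity while the address sits on an outside domain, a Reply-To that points somewhere else again, and a credential-reset lure in the text, and combines those signals into a verdict. The organisation data (`INTERNAL_DOMAINS`, `PROTECTED_NAMES`, `LURE_PHRASES`) and the sample emails are assumptions for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample messages for the scenario above; these are not real emails.
SPEAR_PHISH = b"""From: "Head of Security, Company X" <companyX@security.com>
Reply-To: helpdesk@security-mail.example
To: new.joiner@companyx.example
Subject: Action required: change your HR portal password
Content-Type: text/plain; charset=utf-8

Welcome to Company X! Please reset your password today: http://companyx-hr.example/reset
"""

LEGIT_WELCOME = b"""From: "IT Onboarding" <it-onboarding@companyx.example>
To: new.joiner@companyx.example
Subject: Your first week at Company X
Content-Type: text/plain; charset=utf-8

Welcome! Your laptop will be ready at the IT desk at 10:00.
"""

# Hypothetical organisation data a mail gateway would hold (assumed for the example).
INTERNAL_DOMAINS = {"companyx.example"}
PROTECTED_NAMES = {"company x", "head of security"}
LURE_PHRASES = ("password", "reset", "action required", "verify your account")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_internal(domain: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True if the domain is one of ours or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def classify_message(raw: bytes) -> dict:
    """Return the sender address, the impersonation signals found and a verdict."""
    msg = email.message_from_bytes(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()

    signals = []
    if not is_internal(from_domain):
        signals.append("external_sender")
        # The display name claims an internal identity, but the address is not ours.
        if any(n in name.lower() for n in PROTECTED_NAMES):
            signals.append("display_name_impersonation")
    if reply_domain and reply_domain != from_domain:
        signals.append("reply_to_mismatch")
    if any(p in text for p in LURE_PHRASES):
        signals.append("credential_lure")

    # An outsider posing as an insider and asking for credentials is the BEC pattern.
    if "display_name_impersonation" in signals and "credential_lure" in signals:
        verdict = "block"
    elif len(signals) >= 2:
        verdict = "warn"
    else:
        verdict = "allow"
    return {"from": addr, "domain": from_domain, "signals": signals, "verdict": verdict}


if __name__ == "__main__":
    for raw in (SPEAR_PHISH, LEGIT_WELCOME):
        print(classify_message(raw))
```

The point of keeping the signals separate from the verdict is that each one alone is weak: external senders are normal, password resets are normal, and a Reply-To elsewhere is sometimes legitimate. It is the combination of an internal-sounding name on an external address with a credential request that marks the message in the scenario, and that is the combination the employee is being asked to spot unaided.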
These attacks press on psychological triggers that could catch any of us out on a bad day. Even educated, experienced professionals can (and regularly do) fall for modern phishing attempts. There’s no getting away from the fact that if a phishing email gets in front of an employee, there’s always the chance they could fall for it.
People as a (fragile) last line of defense
Unfortunately, some phishing attacks will always slip through the net – even with phishing prevention technology in place. At this point, everything rests on the actions of the employee. Cybercriminals will be praying they take the bait and bring the attack to fruition. IT leaders will cross their fingers and hope the employee spots the scam and forwards it on to the security team.
This game is fixed in favor of the cybercriminals – they only need one mistake from one person to infiltrate a business. IT leaders, on the other hand, pour resources into cybersecurity training in the hope that no employee ever falls for an attack. This is of course easier said than done, when any of us can be susceptible to fatigue, stress, or over-eagerness to please in a new role.
Cybercriminals know this and they aim to exploit it, designing attacks that prey on that split-second moment before someone really stops and considers whether an email request is legitimate. The question IT leaders need to ask themselves is: should we really place this burden on employees to be the last line of defense? Or can we use technology to give them some much-needed help?
Human layer security: a necessary reinforcement…