I'm gonna stop you, little phishie...

Created:  20 Oct 2016
Updated:  20 Oct 2016
Author:  Emma W
Phishing

Some organisations put a lot of effort into training their staff to detect and evade phishing attacks. Some even punish them if they slip up.

It's easy to see why the user has been identified as a central factor in phishing prevention - a successful phish, after all, depends on an attacker persuading a user to click on something they shouldn't. So if the bad guys can persuade users to click, it must be equally possible for us good guys to persuade users NOT to click. Right?

Wrong. It's not a level playing field, and users can't solve the phishing problem all by themselves. Trying to make your users invulnerable to phishing does nothing but waste your organisation's time and money.

Some phishing emails are very competently executed to the extent that they are impossible to tell apart from genuine emails just by inspection. No amount of training, or punishment for getting it wrong, will change this. Furthermore, phishing attackers deliberately appeal to us emotionally. They say "Quick! Someone's trying to steal your money! Come with me if you want to live." Often we naturally respond to such appeals instinctively, without really thinking. Training tries only to develop our intellectual ability to spot phishes - it can't stop us reacting to things designed to push our emotional buttons.

Furthermore, asking users to spot phishes means asking us to deliberately go against our normal working habits. Anti-phishing training teaches us to be suspicious of opening emails, clicking on links and opening attachments. But if we don't do these things, we can't do our jobs. Most of us struggle to meet these two contradictory goals at the same time. The risk of being sanctioned for falling for a phishing attack might make us afraid to open legitimate emails - which has business costs. These costs are usually hard to see and measure - but they are there. We end up having to choose between the possibility of getting phished and the certainty of harming our productivity. Many of us receive dozens of emails a day and must make this decision every time, in a split second, amid dozens of other pressures and distractions. At some point, we will inevitably make a bad call.

Rather than burdening users with impossible demands that leave them stuck between a rock and a hard place, we recommend tackling phishing by implementing good technical defences and combining these with reasonable levels of user awareness, education and training. Setting up and maintaining your systems in accordance with our guidance will mean many phishing attacks are stopped before they do any harm, and the NCSC continues to develop and implement new anti-phishing measures that stop phishing emails from reaching users' inboxes in the first place.

It is worth telling users about common types of phishing attacks, particularly those that tend to be targeted at high-value users within organisations (a technique known as whaling).

And you should also encourage users (in a positive, blame-free manner) to report any emails or websites they are unsure about, even if they have already clicked.

However, trying to eradicate every single bad click is an unrealistic and harmful goal. As we've said elsewhere, users have a limited amount of time and effort to spend on security. Let's make sure they put that effort in the places where it gets the best results.

4 comments

Paul French - 14 Feb 2017
Is there an email address we can use to send what is clearly phishing spam to so it can be tracked and removed?
Emma W - 14 Feb 2017
Hi Paul. If you visit our Incident Management page (https://www.ncsc.gov.uk/incident-management) you'll find more information on what your next step should be.
Mark O'Sullivan - 15 Feb 2017
I'm impressed by the work behind this website, which reflects a degree of perceptiveness and common sense rarely seen in this field.
Mike Unwalla - 16 Nov 2017
Emma, you wrote, "Some phishing emails are very competently executed to the extent that they are impossible to tell apart from genuine emails just by inspection."

Many organizations use e-mail marketing services such as MailChimp and Constant Contact to send e-mails. Typically, those e-mails contain links such as http://mailchi.mp/writethedocs/... and https://visitor.constantcontact.com/do?p=un&m=001D...

Many users read their e-mail as HTML; thus, they cannot see the underlying link. Users (such as me) who read e-mail as plain text can see the link. But I cannot know that the link is legitimate, because I do not know all the many hundreds of URLs for legitimate e-mail marketing services. I cannot be sure that clicking the link will not install malware.

There is a conflict between e-mail security and the practices of the e-mail marketing services. Could NCSC work with the e-mail marketing services to find a solution to the conflict?