Teaming Up to Educate and Enable Better Defense Against Phishing

Companies need to both educate their employees and implement prevention technology.

Rees Johnson, Sr. VP and GM of the Content Security Business Unit, Intel Security

May 14, 2015

No matter who you are, or how you get your email, you’re bound to be a target. That’s the inconvenient truth about phishing. The sheer volume is astonishing -- McAfee Labs found over 150,000 new phishing URLs in the fourth quarter of 2014 alone. Couple that with Verizon’s finding that nearly one in five users will click on a link within a phishing email, and the reality sets in. This is an uphill battle, and end users are on the front lines.

But it’s not just volume that results in compromise. More often than not, the phishing emails that result in a successful breach use highly sophisticated malware and social engineering, and are targeted at the most vulnerable among us.

At Intel Security, we have our sights set on this problem. To support companies’ efforts to reduce their risk and susceptibility to phishing, we teamed up with CBSNews.com to bring the issue to light on a global scale, raise awareness, and further educate the public.

Back in December, we released the first stage of our educational program -- an online quiz that asks people to identify whether each of a set of 10 emails is legitimate or phishing. Quiz takers can then review what they got wrong, and what they should have looked out for. It’s a simple concept, but a powerful one. Looking at our inboxes every day, not all of us think “Is this a real email?” But we should! Vigilance against social engineering is every individual’s responsibility. We recently published a report on this titled “Hacking the Human Operating System,” which I recommend reading if you want to dig further into the psychological forces at play in these attacks.

Bottom line: If more of us were able to spot fraud, then no matter whose information it is -- whether personal or corporate -- there would be less of a chance for a criminal to commit theft.

You’re probably wondering how people performed on this quiz. Check out a follow-up article on CBSNews.com, and a few highlights below:

  • Only 3% of all respondents were able to identify every example correctly

  • 80% of all respondents misidentified at least one of the phishing emails

  • The 35- to 44-year-old age group performed best, answering an average of 68% of questions accurately

  • Of the 144 countries represented in the survey, the U.S. ranked 27th overall in its ability to detect phishing, with 68% accuracy

One of the key takeaways in the aforementioned report is that “during a social engineering attack, the victim is not consciously aware that his or her actions are harmful.” Of course, in most cases, users are not intentionally infecting themselves with malware or divulging sensitive information. Preventing the impact of phishing requires a two-pronged approach: Companies need to educate their employees, and they need to employ prevention technology. By scanning every email for known bad senders, malicious files, and malicious URLs, organizations can reduce the attack surface immediately. Innovative approaches to threat detection like click-time malware scanning for URLs in email and attachment file sandboxing are new and effective ways to stop attacks.

Take a look at your email environment. If you’re running traditional Exchange on-premises, or have it managed by a partner, make sure you have email protection scanning the inbound and outbound flow of mail. If you are like many others in IT right now, you’re probably evaluating or already moving to a hosted Exchange environment such as Microsoft Office 365. The same concept applies. You need strong threat detection for your email, including defenses like click-time malware scanning to keep up with the dynamic nature of malware infection used in sophisticated phishing attacks.

I’m sure this isn’t the first time you’ve heard about phishing, and it won’t be the last. Take the right steps now to protect your organization.

About the Author

Rees Johnson is Senior Vice President and General Manager of the Content Security Business Unit at Intel Security, which includes Web Security, Email Security, and Data Loss Prevention technology. Rees and his team are in charge of securing the most utilized vectors of malware penetration into corporate networks. For the last decade, Rees' responsibilities included increasing detection effectiveness as the Senior Vice President of PM for McAfee Labs, doubling the IPS revenue as the GM of the Network Security Business Unit, and running the worldwide product management team.

Rees joined McAfee in 2003 through the acquisition of Entercept (HIPS) where he ran product management and the Cisco OEM. Entercept led the market in preventing zero-day attacks and blended threats on the host. Rees began his career at Accenture building enterprise applications for several of the world's largest telecommunication companies. Rees has 20 years of enterprise software experience and holds an MBA from the Wharton School of Business with majors in finance, strategic management, and information systems.
