6 reasons why your anti-phishing strategy isn’t working

Phishing attempts are typically like fishing in a barrel — given enough time, a bad actor is 100% likely to reel in a victim. Once they recognize organizations as habitually vulnerable, they will continue to target them and the barrel-fishing cycle goes on and on.

“Bad actors are highly motivated and funded with the sole attempt to be successful at attracting only one victim,” says Johanna Baum, CEO and founder of Strategic Security Solutions Consulting. “[However], as an organization, you are tasked with protecting all potential victims.”

Overlooking or misjudging IT security hygiene greatly increases the susceptibility to an attack. But even if you are following a pristine protocol, have offered training to employees, repeatedly remind staff to verify suspicious communications, and keep up on the latest nefarious campaigns to fool the unwary, your organization is, and always will be, vulnerable.

Here are six reasons why your anti-phishing strategy isn’t working.

Phishing attacks are becoming more believable and sophisticated

Cybercriminals are continuously developing new tactics to trick people into giving up sensitive information, and as a result, phishing attacks are becoming more sophisticated, says Krissy Safi, a managing director and global practice leader for attack and penetration testing at Protiviti.

“Many anti-phishing solutions use static rules to detect phishing attacks, which can be easily bypassed by attackers using more advanced techniques,” Safi says. “Also with the introduction of ChatGPT, there will be a proliferation of phishing emails that have perfect grammar and no broken English, thus making it even more difficult to identify a phishing email sent by a cybercriminal.”

With ChatGPT and open-source versions available to the perpetrators, a company’s stolen communications become a panacea for scammers — AI can learn in real time what works and what doesn’t, increasing the chances that one attack will find a willing target.

Even without employing chatbots, attackers are getting more proficient — take the 2022 breach of cloud communications company Twilio, for example. In that case, attackers were able to match employee names and phone numbers using publicly available databases. The social engineering attack “succeeded in fooling some employees into providing their credentials,” Twilio said in an incident report. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”

Putting all your eggs in the technology basket

Many organizations are trying to solve the phishing problem solely with technology. These companies are buying all the latest tools to detect suspicious emails and giving employees a way to report then block those suspicious emails, says Eric Liebowitz, chief information security officer, Americas at Thales Group, a Paris-based company that develops devices, equipment, and technology for the aerospace, space, transportation, defense, and security industries.

While doing that is great, in the end the bad actors are always going to be more sophisticated, he says.

“One of the big things that I don’t think enough organizations are focusing on is training their employees,” Liebowitz says. “They could have all the greatest tools in place, but if they’re not training their employees, that’s when the bad thing is going to happen.”

While some organizations have deployed the right tools and have workflows and processes in place to combat phishing campaigns, they haven’t adequately and proactively configured those tools, says Justin Haney, executive, North America security lead at Avanade.

“For example, tools may flag and detect a malicious e-mail, but it’s not automatically blocked,” he says. “With SIEM [security information and event management] and SOAR [security orchestration, automation, and response] technologies, organizations should deploy specific playbooks in response to identified potential phishing campaigns as opposed to more manual work by analysts.”

Not taking a holistic, defense-in-depth strategy

Some organizations with failed anti-phishing strategies do not take a holistic and defense-in-depth strategy, Haney says.

“They may focus on particular technologies — email anti-phishing, multi-factor authentication, data encryption, endpoint/mobile security — and not look at others that mitigate risks along with the cyber kill chain, for example, detecting compromised identities,” he says.

The problem with not implementing a holistic, defense-in-depth strategy and relying solely on an anti-phishing program is that it only takes one successful attack to bring down the entire system, says Lexmark CISO Bryan Willett. Trusting an email-based defense approach or relying heavily on the training of users is inherently flawed, as people are prone to making mistakes and it only takes one for an attacker to succeed.

The best way to defend against phishing attacks is through a layered defense approach, says Willett. This includes having a good endpoint detection and response (EDR) system on every workstation, a strong vulnerability management program, enabling multi-factor authentication for every user and admin account as well as implementing segmentation across the LAN/WAN to limit the spread of an infected system.

“By taking these precautions and implementing multiple layers of defense, an organization can best protect against a phishing attack,” Willett adds. “We must assume that the attacker will succeed at some point. Therefore, we need to defend with that assumption in mind by using a comprehensive and layered defense approach.”

Failing to train employees to recognize phishing attempts

While training employees to not click on links or open attachments in emails from unknown senders is critical, employers must also educate workers on how to recognize fraudulent emails, says Jim Russell, chief information officer at Manhattanville College in Harrison, New York.

“One of the things we talk about in our training is authentic voice, which is one of the most important elements in recognizing a fraudulent email,” says Russell, who also functions as the institution’s CISO. “However, the folks that communicate kind of personally and quickly in an email are one of our security gaps. But luckily, as an academic community, most of our folks are writing in complete sentences. And they may have a standard salutation. For example, ‘Hi Lauren, how are you?’ is a typical kind of introduction. So, if those things are missing, there’s a lack of authenticity.” Manhattanville College employees have also been trained to forward any suspicious emails to members of Russell’s team, which will determine their authenticity.

Dell Technologies CISO Kevin Cross agrees that a successful anti-phishing strategy needs to start by raising employee awareness about how to identify a phishing email and understand how to report it. This approach is a shift from the common “don’t click” strategy used by many companies. Achieving a zero-click rate is an impractical and unrealistic goal, Cross says. Instead, teaching employees how to report suspicious emails allows security teams to quickly assess the potential threat and mitigate the effects of others targeted with a similar attack. And organizations can embed tools in their email platforms to make it easier for workers to report suspicious emails, Cross says.

However, this type of training doesn’t go far enough, says Jacob Ansari, national PCI practice leader in the cybersecurity practice of Mazars, a global audit, tax, and advisory firm. “Most anti-phishing strategies are limited in their effectiveness because they target the tip of the proverbial iceberg: user behavior,” he says. Training users to spot phishing attacks is effective only so long as phishing schemes are distinguishable from legitimate business activities, he says. But any anti-phishing efforts are quickly undone when employees are expected to engage in the kinds of activities that bear similarities to phishing schemes.

“For example, a company that requires users to click on a link sent from a third-party sender to complete a background check or enroll in benefits by entering personal information in a web form hosted elsewhere as a regular business practice diminishes the value of anti-phishing training,” he says.

In addition to training users, Ansari says that organizations need to engage with business leaders to re-engineer business processes so they no longer appear similar to phishing schemes by minimizing the use of click-through links in emails and requiring third-party interactions with employees to follow company standards for secure communications.

“[Companies] also need to ensure that all parts of the business, such as human resources, marketing, and finance, engage with third parties and company-wide communications in a responsible manner that avoids the conditions that allow phishing schemes to thrive,” he says.

Lack of enforcement/lack of incentives

Even if a company has a strong training program and policy in place, it may not be effective if there are no consequences for employees who violate the policy, Safi says. For example, if an employee falls for a phishing email and fails to report it, there should be consequences to encourage better behavior in the future.

At Manhattanville College, employees who fall for phishing emails must complete a certain number of online training sessions over 10 days, Russell says. If they just click on a link, they only get one training session; however, if they actually give their credentials, they have to complete three.

“I also review the list of people who fell for a phishing attempt and identify the folks who have enhanced privileges, such as a vice president,” Russell adds. “And they get about five minutes in the penalty box with me. I tell them there’s no Geneva Convention to protect them. I also track repeat offenders and those who failed to do the training and they also get five minutes in the penalty box with me and we have one of those awkward conversations.”

Too much reliance on simulated phishing tests

Another Achilles’ heel of current anti-phishing strategies is that some companies aim to train users to be 100% infallible, says Sushila Nair, head of cybersecurity services at Capgemini. “There’s a widely held premise that end users are to blame when falling for phishing attacks,” she says. “However, organizations must ask themselves, ‘Are we truly looking and measuring ourselves against a value that says we must aim for 100% of our users not falling for a simulated phishing test?’”

If the test is sophisticated, then more will fail. And if the test is fairly easy, then everyone will pass with flying colors, she adds. The lure of presenting improved user-infallibility metrics at board meetings can be tempting for some CISOs; however, leaders must accept that a small percentage of users will click on links no matter how much their companies train them — and in stressful times, that number will increase.

Even worse, many organizations run simulated phishing tests that normalize clicking on links, Nair says. “You click on a link, and it may take you to a portal that says ‘Well, darn it you are fooled,’” Nair says. But forcing users to do training as part of the simulation has the reverse effect — they are more likely to click on links. Being thrown into training because they clicked on a link during a busy, stressful day teaches most users to hate training sessions and to get through them — without paying attention — as quickly as possible, adds Nair.

“Not only does it have that effect but it impacts the way the user might react to phishing emails,” she says. “They won’t click on an odd email because they think it’s a test, but they also won’t report it either.”

The bottom line is that anti-phishing programs often fail because people are fallible. People make mistakes despite training and their best efforts, says Elizabeth Shirley, an attorney and co-chair of the cybersecurity and data privacy team at Burr & Forman LLP. “People also are emotional and often have a gut reaction to phishing emails that create a sense of urgency or necessity,” she says. “These circumstances will not change. And phishing emails will continue, at least for the foreseeable future.”