A phish by any other name should still not be clicked – Computerworld

That brings us back to the basic advice for users: never click on any unexpected link or open any unexpected attachment. No exceptions, unless the user can turn to a trusted means of communication to verify legitimacy, such as calling the number on the back of a payment card.

Allan Alford, an IT consultant, said it’s not easy to eliminate phishing-like messages. 

“We train our users not to click the bad thing or suspicious things. Or things that look like our people, but that are not actually our people,” he said. “And then an outsourced HR SaaS product sends a companywide email impersonating the head of HR. And then marketing sends out the same thing and sales sends the same thing. The bottom line is that ‘don’t click the thing’ is impractical advice.”

Alford said the only response is to “teach end-users to reach out to the sender out-of-band and verify. And we then need to train the business to not do the thing we’re training users to not do.”
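The scenario Alford describes, a message that looks like it comes from an internal person but is actually sent by an outside SaaS vendor, can be surfaced at the mail gateway before users have to decide anything. The script below is an added example and is not code from the Computerworld article or from any of the people quoted; the directory, the internal and approved-vendor domains, and the sample From: headers are all constructed for illustration. It flags mail whose display name matches an internal employee but whose sender address is outside the company's own domains, and gives approved vendors a separate verdict so the business side of the problem stays visible rather than being silently whitelisted.

```python
"""Flag inbound mail whose display name matches an internal person but whose
sender address is outside the company's own domains.

Added example (not from the Computerworld article): it illustrates the
"things that look like our people, but that are not actually our people"
case as a mail-gateway check. The directory, domains and sample headers
below are constructed for the example.
"""
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Assumed internal directory: display name -> expected address (constructed).
DIRECTORY: Dict[str, str] = {
    "Dana Reyes": "dana.reyes@example.com",   # head of HR (hypothetical)
    "Sam Okafor": "sam.okafor@example.com",   # CFO (hypothetical)
}
INTERNAL_DOMAINS = {"example.com"}

# Vendors the business has explicitly approved to send on its behalf (constructed).
# Mail from these still gets a non-ok verdict, with a softer reason, so the
# security team keeps seeing how often the business itself sends "click this".
APPROVED_SENDER_DOMAINS = {"hr-saas.example.net"}


def normalise(name: str) -> str:
    """Lower-case and collapse whitespace so 'Dana  Reyes' == 'dana reyes'."""
    return " ".join(name.split()).lower()


def classify(from_header: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a single From: header value.

    Verdicts: 'ok', 'approved-vendor', 'impersonation'.
    """
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    known = {normalise(n): a.lower() for n, a in DIRECTORY.items()}
    key = normalise(display)

    if key not in known:
        return "ok", "display name does not match an internal person"
    if addr.lower() == known[key]:
        return "ok", "address matches the directory entry"
    if domain in INTERNAL_DOMAINS:
        return "ok", "internal domain; name/address mismatch only"
    if domain in APPROVED_SENDER_DOMAINS:
        return ("approved-vendor",
                f"{display!r} sent via approved vendor {domain}; "
                "verify out-of-band before acting")
    return "impersonation", f"display name {display!r} but external sender {addr}"


def triage(messages: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run classify() over messages; return (id, verdict, reason) for non-ok ones."""
    results = []
    for m in messages:
        verdict, reason = classify(m["from"])
        if verdict != "ok":
            results.append((m["id"], verdict, reason))
    return results


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "Dana Reyes <dana.reyes@example.com>"},
    {"id": "m2", "from": "Dana Reyes <notifications@hr-saas.example.net>"},
    {"id": "m3", "from": "Sam Okafor <sam.okafor@mail-relay.example.org>"},
    {"id": "m4", "from": "Newsletter <news@vendor.example.org>"},
]

if __name__ == "__main__":
    for item in triage(SAMPLE_MESSAGES):
        print(*item, sep=" | ")
```

Running it on the constructed samples flags m2 as an approved vendor sending as the head of HR and m3 as an outright impersonation; m1 and m4 pass. The point of the separate `approved-vendor` verdict is the second half of Alford's advice: the security team gets a count of how often the business itself produces mail that is indistinguishable from phishing, which is the evidence needed to push those processes toward a trusted channel.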

Much of this stems from internal disconnects between business units within the same company, said Padraic O’Reilly, CEO of cyber risk management company CyberSaint. “There’s often a disconnect between the security and IT functions and operational departments,” O’Reilly said. “Those functions are sometimes more discrete than they should be.”

Bryce Austin, CEO of TCF Strategy, was a bit more direct: “Any company sending anyone an email, text or anything else that says please click their link needs to really rethink their business processes.”

The bigger problem, according to Pearson, involves the ROI attached to fixing email phishing issues. 

“When they calculate the risk landscape, is this a high enough of a priority?” Pearson said, suggesting that the answer is that no, it is not an especially high priority.

That needs to change.
