Why foiling phishing attacks means much more than just punishing users for falling for them.
Advice from the NCSC:

Some organisations put a lot of effort into training their staff to detect and evade phishing attacks. Some even punish them if they slip up.

It’s easy to see why the user has been identified as a central factor in phishing prevention – successful phishes after all depend on an attacker persuading a user to click on something they shouldn’t. So if bad guys can persuade users to click, it must be equally possible for us good guys to persuade users NOT to click. Right?

Wrong. It’s not a level playing field, and users can’t solve the phishing problem all by themselves. Trying to make your users invulnerable to phishing does nothing but waste your organisation’s time and money.

Some phishing emails are very competently executed to the extent that they are impossible to tell apart from genuine emails just by inspection. No amount of training, or punishment for getting it wrong, will change this. Furthermore, phishing attackers deliberately appeal to us emotionally. They say “Quick! Someone’s trying to steal your money! Come with me if you want to live.” Often we naturally respond to such appeals instinctively, without really thinking. Training tries only to develop our intellectual ability to spot phishes – it can’t stop us reacting to things designed to push our emotional buttons.

Furthermore, asking users to spot phishes means asking us to deliberately go against our normal working habits. Anti-phishing training teaches us to be suspicious of opening emails, clicking on links and opening attachments. But if we don’t do this, we can’t do our jobs. Most of us struggle to meet these two contradictory goals at the same time. The risk of attracting a sanction for falling for a phishing attack might mean we fear to open legitimate emails – which will have business costs. These costs are usually hard to see and measure – but they are there. We end up having to choose between the possibility of getting phished, or the certainty of harming our productivity. Many of us receive dozens of emails a day and must make these decisions every time, in a split-second, amid dozens of other pressures and distractions. At some point, we will inevitably make a bad call.

Rather than burdening users with impossible demands that leave them stuck between a rock and a hard place, we recommend tackling phishing by implementing good technical defences and combining these with reasonable levels of user awareness, education and training. Setting up and maintaining your systems in accordance with our guidance will mean many phishing attacks are stopped before they do any harm, and the NCSC continues to develop and implement new anti-phishing measures that stop phishing emails getting to users’ inboxes in the first place.

It is worth telling users about common types of phishing attacks, particularly those that tend to be targeted at high-value users within organisations (a technique known as whaling).

And you should also encourage users (in a positive, blame-free manner) to report any emails or websites they are unsure about, even if they have already clicked.

However, trying to eradicate every single bad click is an unrealistic and harmful goal. As we’ve said elsewhere, users have a limited amount of time and effort to spend on security. Let’s make sure they put that effort in the places where it gets the best results.

Emma W
People-Centred Security Lead, Sociotechnical Security Group, NCSC
