Speaking at Black Hat 2017 in Las Vegas today Karla Burnett, security engineer at Stripe, explored ‘phishing as a science’, shining a light on the psychology of phishing and why attacks continue to be successful.
Burnett explained that the standard methods used for phishing attacks, in which we see an email from [for example] a “Nigerian prince who wants to offer you a large sum of money if you just hand over your bank details”, actually make attackers and defenders really lazy.
“Attackers get told you can’t use phishing in your read teams because it’s too easy and defenders get told that provided you’ve trained your users they won’t do this [fall for phishing emails] and it’ll be fine—but that’s dangerous and unrealistic. Just because you say phishing is inevitable that doesn’t actually make the problem go away.”
So why do people fall for phishing campaigns in the first place? Burnett pointed to a psychological school of thought which suggests that there are two modes of thinking: system 1 (fast) and system 2 (slow).
System 1 is very fast and very instinctive (like swerving suddenly to avoid a car on the motorway), she explained. “It’s below what we consider to be the level of conscious thought, and is pretty emotional and pretty gullible.”
System 2 is a much slower and methodical way of thinking (such as writing up a list of pros and cons for a business idea). “It’s rational and it’s sceptical,” Burnett added.
However, the problem is that we often don’t have enough time in our days to use system 2 everywhere, and when you stop and think about how many emails we receive on a daily basis, it’s easy to see how attackers take advantage of this.
“The problem we have with phishing training at the moment is that it’s focused on getting people to look at URLs or hover over links, which require system 2 methods of thinking, not system 1. Phishing training is only useful once somebody is already suspicious of an email, not beforehand. You can’t train somebody’s system 1 to think an email is suspicious when it looks exactly like every other email they’ve received.”
It also doesn’t matter how technical you are, she argued, as everyone is vulnerable to this.
This has in turn created a sense of hopelessness about phishing among the information security community, Burnett continued, with a belief that people will be phished no matter what.
Despite this, she concluded that we need to find technical solutions to the problem instead of just relying on training that proves ineffective, and look at how the three authentication factors of ‘Have’, ‘Know’ and ‘Are’ can be tied to the domain that’s requesting the information, instead of giving them out as shared secrets.