How Humans (and Machines) Can Help Fight Phishing

When it comes to battling cyber-attacks, many starting as phishing emails, we’re naturally inclined to look for a technological solution. After all, computers can run complex algorithms. They don’t get tired, and they provide 24/7 support, nearly always at peak performance levels.

Just in the last year, hackers used them to bring multinational companies to a grinding halt, derail the democratic electoral posterchild (take a bow, spear phishing) and bring entire governments offline for extended periods. How can humans compete with such computational power? If we are the weakest link in the cybersecurity infrastructure, shouldn’t we get rid of the human aspect altogether? 

Humans have advantages
Of course not. As even the most ardent robophile will tell you, there are still some things humans can do much better than machines. Key aspects of phishing protection are a good example.


Take, for instance, our ability to be suspicious. Computers will run the checks administrators set up—and go no further, accepting any oddities they haven’t specifically been instructed to look for. If the email account is real, what does it matter to the computer that the account is ‘John.Foundre@gmail.com’ instead of the usual ‘John.Founder@gmail.com’? 

Nor does it register with the computer that your business partner has addressed you as “Dear John” instead of his usual brief, “John.” A computer doesn’t get the subtleties of these changes, but a person who understands the relationship sees a red flag. 

In a recent report, 42% of UK respondents know what a ransomware is, and that 17% percent know how to spot a phishing attack. In a response, Kai Roer said: “If we truly believe that the only way to spot and stop these kinds of threats is to have the employees to do the job, I can confidently tell you that not only will we fail, science also can explain why we will fail.”

What companies really need are employees conditioned to signs of cyber-attacks—who can respond appropriately almost without thinking, even in stressful situations. Luckily, we have the recipe: practice, practice, practice.

Surveys show that behavioral conditioning can decrease employees’ likelihood of responding to a malicious email by 97 percent after just four simulations—learning exercises where companies phish their own people. Conditioning works. It goes beyond making users aware that a threat exists and teaches them how to be aware and respond.    

Humans also come with risk
Let’s note a caveat in this argument. We should not expect the next generation of cybersecurity professionals to go back to manual security processes. Anti-malware programs, firewalls and spam filters do a decent job of keeping most malware away. Moreover, humans are an attack vector, a popular access point into some very advanced digital systems.

Be it through a phishing email or a memory stick dropped in the car park, hackers have mastered the art of social engineering. They know how to bypass our normal caution and get us to act impulsively. Hackers do this by employing tricks of human psychology: they send emails early in the business day, when people haven’t fully woken up. They also craft seasonal campaigns during, for example, tax declaration submissions and holidays like Christmas.

They use urgency and impatience to elicit stress-based responses; they tap into our greed with irresistible promotions or time-sensitive tax-rebates. Add personal information freely available on the dark web (or from a disgruntled employee), and it’s not hard to use employees to gain network access. 

Man Machine = Defense in Depth 
Clearly, employees can be both the strongest and weakest links in your cybersecurity. They also need all the help they can get from advanced technology. After all, a hacker can employ automated processes to send thousands of phishing emails every hour. The trick is to operate at a manageable level of technical security and help humans catch potential threats technology might miss.

So, if you’re wondering what side of the human-machine fence you should fall on, the answer is to stay on the fence. From there you can see the reality: both sides are battlegrounds in the cybersecurity wars. And you need to be strong on both to keep your business safe.

What’s Hot on Infosecurity Magazine?