Users are NOT to blame for successful phishing attacks

Users should not be the first to receive the blame for a successful phishing attack, says a security awareness expert.

Ira Winkler, president of Secure Mentem, stated that humans represent only 20% of potential kill points for phishing attacks. A phishing attack can only succeed if eight layers of technological controls are missing or have failed.

User and technical failures

“Phishing attacks represent a combination of user and technological failures,” said Winkler.

Before the user ever has to deal with the attack, it could have been blocked at the pre-mail stage and the mail server stage. In that case the user would never even be aware that an attempt had been made.

“Users only fail if technologies have failed first or if the right controls have not been implemented by internet service providers or in mail servers,” said Winkler.

Training and awareness

User awareness programmes are designed to ensure that users can recognise potential phishing attacks and know where to report them. However, even if a user clicks on a malicious link in a phishing email, all is not lost, because technologies exist to warn users of potentially harmful links and attachments.

To take the point further, Winkler also states that above the email technologies there is a network level of preventive protection: “the network should be able to block data from being sent out of the network and stop any illicit login attempts”.

In conclusion, the user cannot be given the full weight of the blame, as there are so many other layers of protection to prevent successful attacks.
