Back
Cyber Security Training & Software for Companies | MetaCompliance

Products

Discover our suite of personalised Security Awareness Training solutions, designed to empower and educate your team against modern cyber threats. From policy management to phishing simulations, our platform equips your workforce with the knowledge and skills needed to safeguard your organisation.

Cyber Security eLearning

Cyber Security eLearning to Explore our Award-Winning eLearning Library, Tailored for Every Department

Security Awareness Automation

Schedule Your Annual Awareness Campaign In A Few Clicks

Phishing Simulation

Stop Phishing Attacks In Their Tracks With Award-Winning Phishing Software

Policy Management

Centralise Your Policies In One Place And Effortlessly Manage Policy Lifecycles

Privacy Management

Control, Monitor, and Manage Compliance with Ease

Incident Management

Take Control Of Internal Incidents And Remediate What Matters

Back
Industry

Industries

Explore the versatility of our solutions across diverse industries. From the dynamic tech sector to healthcare, delve into how our solutions are making waves across multiple sectors. 


Financial Services

Creating A First Line Of Defence For Financial Service Organisations

Governments

A Go-To Security Awareness Solution For Governments

Enterprises

A Security Awareness Training Solution For Large Enterprises

Remote Workers

Embed A Culture Of Security Awareness - Even At Home

Education Sector

Engaging Security Awareness Training For The Education Sector

Healthcare Workers

See Our Tailored Security Awareness For Healthcare Workers

Tech Industry

Transforming Security Awareness Training In The Tech Industry

NIS2 Compliance

Support Your Nis2 Compliance Requirements With Cyber Security Awareness Initiatives

Back
Resources

Resources

From posters and policies to ultimate guides and case studies, our free awareness assets can be used to help improve cyber security awareness within your organisation.

Cyber Security Awareness For Dummies

An Indispensable Resource For Creating A Culture Of Cyber Awareness

Dummies Guide To Cyber Security Elearning

The Ultimate Guide To Implementing Effective Cyber Security Elearning

Ultimate Guide To Phishing

Educate Employees About How To Detect And Prevent Phishing Attacks

Free Awareness Posters

Download These Complimentary Posters To Enhance Employee Vigilance

Anti Phishing Policy

Create A Security-Conscious Culture And Promote Awareness Of Cyber Security Threats

Case Studies

Hear How We’re Helping Our Customers Drive Positive Behaviour In Their Organisations

A-Z Cyber Security Terminology

A Glossary Of Must-Know Cyber Security Terms

Cyber Security Behavioural Maturity Model

Audit Your Awareness Training And Benchmark Your Organisation Against Best Practice

Free Stuff

Download Our Free Awareness Assets To Improve Cyber Security Awareness In Your Organisation

Back
MetaCompliance | Cyber Security Training & Software for Employees

About

With 18+ years of experience in the Cyber Security and Compliance market, MetaCompliance provides an innovative solution for staff information security awareness and incident management automation. The MetaCompliance platform was created to meet customer needs for a single, comprehensive solution to manage the people risks surrounding Cyber Security, Data Protection and Compliance.

Why Choose Us

Learn Why Metacompliance Is The Trusted Partner For Security Awareness Training

Leadership Team

Meet the MetaCompliance Leadership Team

Careers

Join Us and Make Cybersecurity Personal

Employee Engagement Specialists

We Make It Easier To Engage Employees And Create a Culture of Cyber Awareness

MetaBlog

Stay informed about cyber awareness training topics and mitigate risk in your organisation.

Phishing Attacks: Why Don’t We Think Before We Click?

Phishing attacks think before you click

about the author

Share this post

Phishing attacks are as much about manipulating human behaviour as they are about technology. This statement encapsulates why it is so difficult to prevent phishing campaigns that result in ransomware, stolen credentials, and other cyber-attacks.

Back in the 1970s, there was a drink driving campaign with the tagline “Think, before you drink, before you drive”. It was an effective campaign, helping to reduce drink-related driving accidents in the UK. Making people ‘think’ before acting is not as easy as it sounds. In fact, it is not thinking and having a knee-jerk reaction to an email that phishing campaigns rely on. Phishing is a serious business with a recent report finding that 95% of IT leaders believe that data is at risk from the email channel. 

So, how can the average business hope to be as successful as the 70s drink driving campaign when it comes to countering the tricks up a cybercriminal’s sleeve?

Phishing Attacks and Human Behaviour

This difficulty in prevention is reflected in the successful nature of phishing attacks: In pre-pandemic 2019, the phishing stats were appalling, with insurance company Beazley finding a 105% increase in ransomware attacks in Q1 2019. But 2020 saw phishing attacks go off the scale. The FBI published a report showing that Phishing was by far the most prevalent of crimes reported to its complaints section, IC3. One of the driving forces behind phishing success during the last 12 months has been the Covid-19 pandemic, which provided opportunities galore for phishers to exploit human behaviour: this is evidenced in a staggering 30,000 % increase in Covid-19-based threats during 2020; most of these attacks used malicious websites and phishing emails.

Phishing (and its variants, Vishing/Smishing/Pharming) is a prevalent attack vector because the technique works. It works because it uses natural human behaviour to carry out an action that benefits the cybercriminal behind an attack. Being able to manipulate a legitimate person to do an illegitimate action is the hallmark of the scam, even before the advent of modern technologies. But technology can groom even savvy users, as technology usage patterns become “hard-coded” as we become familiar with a system. 

Email, for example, is an everyday technology that we use continuously. In 2020, 306.4 million emails were sent and received daily. Opening an email and clicking a link is almost second nature, a knee-jerk behaviour to a regular task. It is this repetitiveness, and a lack of thought needed to action, that the phisher focuses in on.

5 Typical Phishing Characteristics

Phishing attacks want to catch out people before they think too much. To do this, the campaigns need to ensure that certain criteria are met and that circumstances are optimised:

  1. Trusted source: One way to remove the thought process is to make the email recipient feel safe. Phishing campaigns will typically masquerade as well-known brands. In a review of which brands are used by phishers, Microsoft repeatedly comes out on top as one of the phishers’ favourite brands to spoof. Other spoofed brands include Netflix and PayPal.
  2. The lure of the click: Whilst 79% of people say they can recognise a phishing email, almost half will still click on a link in a suspicious email. Reasons for this behaviour are likely to be because of the implicit training we have all been through to use internet-ready content. To click is almost a Pavlovian response when an email contains a link. User experience (UX) designers have used this type of conditioning to help people use technology more easily; cybercriminals use the same psychological manipulation to get us to click on a phishing link to start the next stage of the phish.
  3. Leading by task: Keeping the email focused on a simple task helps in the removal of the thought process. Repetitive and recognised tasks such as password resets are a phisher favourite. This allows that all important ‘click’ to be made without thinking too deeply about the possible consequences. If the task is work-related, then it’s more likely the click will be made, and the phishing event initiated.
  4. The urgency: Often, phishing emails will contain some sort of driver to push the auto-click behaviour. These drivers are often the threat of a discipline or a raised concern over an action, such as paying a bill. Some phishing campaigns are highly targeted (Spear phishing). These campaigns often impersonate a CEO; the fake CEO then sends an email to the accounts department placing an urgent request to wire money to a bank account. The account is, of course, owned by a scammer.  
  5. Overworked: A study into hospitals targeted by phishing campaigns concluded that overworked staff were more likely to click on a phishing link. If you don’t have time to think, you will default to auto-response.

A note on spear phishing attacks. This type of phishing requires a deeper level of reconnaissance to deliver more convincing phishing emails to the target. This level of detail makes spear phishing emails even more difficult for employees to spot. Consequently, spear-phishing email attacks increased by 667% during the Covid-19 pandemic.

How to Make an Employee Click a Phishing Link

Cybercriminals are masterful at creating the conditions for a successful phishing campaign. Using all the tricks to make a user click, such as spoofed trusted brands, to make the user easy bait. An example of this was an Office 365 phishing ruse in 2020. It had all the elements that manipulate users into clicking before thinking:

  • Spoof emails were made to look like Microsoft Office 365 were sent out to employees. 
  • The email had the title “COVID-19 Training for Employees: A Certificate for Health Workplaces.” employees were encouraged to action the email for work reasons.
  • Email recipients were asked to click on a link in the email that took them to a spoof Office 365 login page: the page looked identical to a real Office 365 page.
  • A user was prompted to enter their Office 365 credentials to log in and receive the certificate. If they did so, those credentials were stolen, then used to log in to the real Office 365 portal.

How to Stop an Employee Clicking a Phishing Link

Preventing hard-coded behaviour requires specialist awareness training. Technologists have designed systems to be easy to use and to make clicking an easy action, this auto-click response must be broken to prevent phishing success. By providing a well-thought-out, controlled, phishing test, an organization can help change the behaviour that cybercriminals are dependent on. Simulated phishing tests create a safe environment to train users on the subtle ways that phishers manipulate their behaviour so that they can watch out for those tricks. As part of a wider security awareness program, phishing simulation is effective in preventing phishing success that results in stolen credentials, data exposure, and ransomware infection. 

The Ultimate Guide to Phishing

Other Articles on Cyber Security Awareness Training You Might Find Interesting