Training Employees to Be Smarter Than AI-Powered Phishing Messages

Even with the rise of new communication channels such as messaging and social media apps, email continues to be the preferred means for people to communicate digitally. According to McKinsey, 28% of a worker's day is spent reading and responding to emails. On average, a single person can receive up to 120 emails daily. 

More than half of all emails received are either spam or junk mail. Many are from marketers pushing their products and services on prospects. For companies, these emails are more of a nuisance. Conventional filters can filter out most spam emails; the worst they can do is take up space in mailboxes and servers. 

However, among these spam messages that companies receive are dangerous phishing emails that are part of various cyberattacks and scams. Security training platform Hoxhunt considers phishing an "evergreen cyberthreat." It is one of most hackers’ preferred method as it exploits the fundamental weakness in every organization's cybersecurity—the human tendency to make mistakes and fall for tricks.

These emails typically contain messages that encourage clicking on links to web pages that are designed to steal information or to download malware that can cause damage once it infiltrates the company network. Once in a while, a cleverly disguised phishing message can get through spam filters. 

When an unwitting employee falls for the phishing message, the entire company can then suffer from a major and costly cyberattack.

AI-powered spam and phishing

What's actually worrisome is the fact that phishing messages are now becoming more complex and sophisticated, with hackers using artificial intelligence (AI) and machine learning (ML) to better disguise their messages and to trick victims. Hackers now use these technologies to mine information from company websites, social networks, and even job boards in order to build profiles and personas of actual people. These fake profiles can then be used for impersonation attacks. Messages are made to appear to be from an actual person within the organization. 

Since these messages contain accurate information, recipients are likely to consider these as legitimate. By hiding behind this disguise, hackers can easily convince recipients to provide sensitive information or perform actions that give hackers access to the company's network. 

Business email compromise (BEC), in which employees and executives get tricked into performing high-value transactions such as wire transfers for scammers, is made much more potent because of this clever email forgery. According to the FBI, BEC scams cost businesses a total of $12 billion worldwide in 2018.

Avoid getting phished

Companies have to make a deliberate effort to put measures in place that would help them minimize their risk of being a victim to such attacks. A major factor in cybersecurity is the capability of workers to identify and respond to such threats. Companies must invest in developing the right knowledge and behaviors in their employees.

Fortunately, phishing training services and platforms are now available. Hoxhunt can launch automated simulated phishing attacks on all members of an organization. These messages mimic phishing messages and can even simulate complex AI-powered spam messages. Workers are then encouraged to report dubious emails using the platform's plugin. 

If a worker happens to fall for these simulated messages, the platform provides information and tips explaining exactly what the worker did wrong. These timely interventions help develop the right behaviors when evaluating emails. Those who successfully report phishing emails are even awarded points as part of a gamified system. Companies can then choose to reward top-performing employees and provide additional training and intervention for those who lag behind.

Hoxhunt also provides real-time analytics for management and security teams to monitor how well an organization responds to threats. Users of the platform have seen as much as 60 percent better reporting in their organizations. This translates to an overall improvement in the organization's response capabilities to actual phishing threats. 

Aside from employee training, companies can also adopt other measures such as implementing stringent email filtering rules in the case of self-managed corporate email and using email providers that provide better spam filtering. Google, for instance, already uses AI to detect spam and phishing emails for its Gmail service which businesses can use as part of the G Suite. 

Avert possible disaster

Hackers will continue to exploit human vulnerabilities. With additional AI and ML tools at their disposal, they are likely to come up with more creative ways to fool unwitting users. Because of this, organizations must invest in strengthening the human element of their cybersecurity. Training people how to effectively identify and screen phishing messages is a definitive step toward minimizing exposure to these modern threats.