Why are phishing attacks so hard to avoid?

Curiosity killed the cat, and it's also one of the biggest threats to an organization's cybersecurity.

Phishing schemes, in which hackers send victims a seemingly unsuspecting link that actually contains malware, are on the rise. The FBI reported in April companies have paid more than $2.3 billion in the course of two years to scammers who launch phishing attacks. The most effective defense for phishing attacks are educated employees who don't click on infected links, but such scams are still occurring with frequency because such employees are hard to come by, according to Fedscoop.

At the 2016 Black Hat USA security conference in Las Vegas in early August, Zinaida Benenson, a computer researcher from Friedrich-Alexander University in Germany, described the ideal employee who knows how to avoid a phishing attack, according to the report.

"This employee is highly trained, knows that any person in their life could turn on them at any second and can operate impeccably while understanding the looming deception that could creep into their inbox at any time," according to the report. The problem, Ms. Benenson said, is that this employee doesn't exist.

Ms. Benenson detailed two studies she helped conduct seeking to understand why people clicked on phishing links. One of the studies sent a link to participants from a sender with little identifying information, meant to replicate a hacker. More than a third of respondents said they clicked on the link out of curiosity.

"People are people. They are curious. They don't think in the moment," Ms. Benenson said at the conference, according to Fedscoop.

To mitigate the risks of falling victim to phishing scams, Ms. Benenson said organizations should try to move employees away from their inherent decision-making process and into a mindset that prevents them from opening suspicious emails.

Why are phishing attacks so hard to avoid?

More articles on cybersecurity: