Most malware still arrives via email - ISH Technology

No matter how many new vulnerabilities are disclosed on cyber security websites, one delivery method remains the most widely used and the most prevalent in security incident statistics. Nearly all malware, 94%, still reaches computers via email.

Phishing attacks, as they are known, ultimately aim to convince users to install malware. They are the number one type of social engineering attack, accounting for over 80% of reported incidents. At first glance, many people may believe that a lure email crafted by a scammer is something simple to sidestep.

After all, everyone remembers the email from the Nigerian prince who asked for help in getting assets out of his country, where all the recipient needed to do was provide access details to a bank account.

But the truth is, we still fall for that kind of scam. More often than we'd like to admit. At least 3.4 billion fraudulent emails are sent around the world every day and account for more than half of all reported security incidents.

Why do we still fall for scams like this?

One explanation is that attackers evolve their tactics all the time. And technology alone is not enough to stop them. Some of the most basic phishing attacks are able to bypass email protections and end up in your inbox as legitimate messages.

That doesn't mean other threats aren't important. It is estimated that there are more than 11,000 exploitable vulnerabilities in commonly used systems and software - and as of mid-2019, 34% had no patches available.

In any case, to improve your security posture, there is something important to understand before choosing the most suitable protection tool. Of course, up-to-date technology, a cybersecurity strategy and a good antivirus are all fundamental. But they need to come with a healthy dose of scepticism from those who use the internet every day.

It's just that technology adapts and changes quickly and constantly, but people don't.

A good anti-phishing strategy takes this into account: humans will remain curious, ambitious and confident in their ability to tell the real from the fake. It is these characteristics that make them click on emails from scammers. If we understand our weaknesses and what makes us set aside our judgement and click, we can be better equipped to protect ourselves.

What actions to take?

Conscientious users change their behaviour. Instead of trusting first and distrusting only in some cases, they adopt a preventive posture. In practice, this means the following: if you receive a message from a company with which you are negotiating, for example, suggesting that some payment is advanced and offering a link to access some information, do not click. Instead, contact the other party directly and make sure that the email really came from them.

And that goes for other cases as well. Before you click on a link to settle a fine or get a free e-book, stop for a minute and double check. Check that the email is coming from a legitimate address or organisation.
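To show what checking the sender can look like in practice, here is an added Python example (not part of the original article) that inspects a message claiming to come from a business partner. The sample email, the partner domain `acme.example` and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email): it claims to come from a
# business partner, but replies and the link go elsewhere and DMARC failed.
SAMPLE = """\
From: "Acme Billing" <billing@acme-payments.example>
Reply-To: accounts@mailbox.example
To: user@corp.example
Subject: Advance payment details
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bulk.example; dkim=none; dmarc=fail header.from=acme-payments.example
Content-Type: text/plain

Please review the payment schedule: https://acme-payments.example.login-check.example/invoice
"""

def domain_of(header_value):
    """Return the lowercase domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def same_org(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def check_sender(raw, expected_domain):
    """List reasons to distrust a message that claims to come from expected_domain."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    if not same_org(from_dom, expected_domain):
        findings.append(f"From domain {from_dom!r} is not {expected_domain!r}")
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and not same_org(reply_dom, from_dom):
        findings.append(f"Reply-To goes to {reply_dom!r}")
    # Simplification: only trust an Authentication-Results header that was
    # added by your own receiving mail server, never one sent by the sender.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if "dmarc=pass" not in auth:
        findings.append("no DMARC pass recorded by the receiving server")
    for host in re.findall(r"https?://([^/\s:]+)", msg.get_payload()):
        if not same_org(host.lower(), expected_domain):
            findings.append(f"link points to {host.lower()!r}")
    return findings
```

An empty result only means none of these four signals fired; contacting the other party directly remains the deciding check.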

We have also produced a video on the strategy behind phishing attacks.

By: Dirceu Lippi
