Heighten End-User’s Responsibility with Fighting Phishing

Antimalware companies have made many innovations for many decades in order to keep individuals and enterprises secure from cyber risks. However, human end-users are still considered the weakest part of the chain in the IT security space. As computing technology becomes more complex, end-users are expecting better designed interface, enhanced with more automation technologies to hide this complexity. Everyone expects things will be in good order and condition, every time all the time.

However, we do not live in an ideal world of computing not everyone can be trusted, and as humans, we tend to decide based-on emotion and not all of us will go through the logical step or resolving a problem like a trained system administrator would. This human vulnerability is being taken advantage of by cybercriminals in the form of phishing. Messages designed to look legitimate and sound genuinely coming from the authoritative source. But with careful reexamination, it was just a front in order to deceive people into releasing their login credential to an outsider. Phishing through email is very common, they usually arrive as nothing but spam messages, junk emails with no specific targets, but hope to dupe as many gullible users as possible.

Who is winning?

Of course, the email providers are not leaving their users on their own devices without a way to fight phishing carried by spam messages. Gmail, for example, gives users the ability to mark a specific email as “Junk”, and by doing that the email is automatically moved to the Junk Folder where it is basically quarantined from the rest of the mailbox. Taking this approach both empowers the users to fight back, but it somewhat manual in nature as Google let the users decide what to block or what not block.

For a huge company that embraced computing innovations for around two decades, how can Google afford to let the user decide for themselves what to mark as spam? Google does this not to make people upset, but rather it is designed as a “crowdsourced” system. If a particular emailed message has been flagged as “Junk” by a critical mass number of people, Gmail remembers it for the future and makes an automated rule to block it going forward.

This benefit not only the users that made the individual decision to mark the message as “Spam”, but also those who don’t. The moment a critical mass have reported the spam message, it will be blocked by Gmail permanently. This is not unique with Gmail, as Microsoft Outlook.com and Yahoomail.com also started their own version of the “crowdsourced” anti spam and anti phishing algorithm. Humans are good at detecting suspicious stuff if we take it seriously and accept the responsibility fully. Future email users will have lesser things to worry about, and more people will not fall for phishing attacks.

In the near future, Artificial Intelligence can be used in order to rescan the crowdsourced spam/phishing database in order to predict a newer version of Phishing through spam email. But there is no guarantee that nobody will actually fall for phishing attacks, as people are normally curious. If every million spam and phishing emails being sent regularly, someone somewhere will be misled.

The industry itself did not stop finding ways to enable a safer environment, even before the age of 24/7 communication networks. FTC’s National Do Not Call Registry has been set up, as to stop the precursor to the email scam and phishing, scammer phone calls are done by fly-by-night telemarketers. No legitimate marketer can ignore the DNC list, as it is unlawful to continue telemarketing with leads that are sincerely requesting not to be contacted again. The DNC system, unfortunately, is flawed beyond effectiveness, as it is like asking scammers to identify themselves before contact with their target is established. A known database of fly-by-night telemarketers is not effective, as they always have the option to rename themselves, change their phone numbers and identity, then repeat the scamming process all over again.

Software as secondary protection

Aside from humans being the front liners against online scammers and phishing attacks, the software can be employed to protect the email systems. The algorithms that automatically protect the end-users are employed by the software developer themselves because the bottom line is they are responsible to keep the users safe with the use of their software. It is part of the service contract for them to harden the computer or the mobile device, as they claimed. Unfortunately, this added layer to the users day-to-day tools comes with the price of a bloated computer or device. Security software runs in the background all the time, and resources it uses are not available for the end-user applications.

The future

As there is money to be made through phishing and online scamming, cybercriminals continue to devise new ways to convince end-users. It is a never-ending cat and mouse chase, given that scammers have a new platform like taking over one’s bank account or through employing ransomware to extort money from users.

The only way to keep the bad guys at bay is for software developers to program defensively. There should always have an assumption that someone will take advantage of a feature that is originally designed to make the user feel comfortable with the program. Developers have to think like a criminal, in order to prevent their software from being exploited by criminals. There is no harm to go back to the drawing board, and admit that contemporary solutions are only for contemporary problems. Future solutions must be created from the ground-up to anticipate future problems.