
A Fish Story: The Better Way to Defend Against Phishing

Business email compromise (BEC) and vendor email compromise (VEC) threaten every organization. The weakest link is usually a person, not a technology: these attacks succeed by persuading an employee to act, not by defeating a control. Companies need to develop a security-conscious culture and train staff to spot and avoid email scams.

Past advice encouraged testing, that is, sending simulated phishing emails internally to catch employees who fall for them. The idea was to measure vulnerability and to create "teachable moments" that drive the training home. But studies have shown that such testing has not worked as hoped.

What’s a company to do? Tell a fish story.

Rick Wash, associate professor in the Information School at the University of Wisconsin-Madison, writes in the Wall Street Journal that the money companies have spent on training employees isn’t working. He recommends a different approach: storytelling.

Looking to arm employees better against phishing, including BEC and VEC, Wash conducted research. He found that “hearing about somebody else getting snagged by phishing, or narrowly avoiding it, makes people more likely to take security seriously and avoid the mistakes.”

From the study abstract: “We found that most people have learned lessons from stories about security incidents informally from family and friends. These stories impact how people think about security and their subsequent behavior when making security-relevant decisions.”

Furthermore, he says people retell such stories to others. So, a single good story has the potential to influence many people. “Understanding how non-experts learn from stories, and what kinds of stories they learn from, can help us figure out new methods for helping these people make better security decisions.”

Wash’s research report is available here.

Fish Stories: An Addition, Not a Replacement

You and your staff need to know about the threats of BEC and VEC. Instruction and training are essential. Employees must understand phishing, BEC and VEC—what they are, how they work, caution signs and detection methods.

Wash’s research suggests that actual stories of people getting burned are a very effective addition to training. They are more effective than internal phishing tests!

The power of storytelling in human learning is well established. Stories make a greater impact than bare facts because we identify with the teller or with the people in the story. The story draws us in. It engages our imagination, and consequently we "experience" the circumstances and events in a way that we do not with a theoretical warning.

Vanessa Boris, a psychologist writing for Harvard Business Publishing, notes that stories are easy to remember. She cites Peg Neuhauser, another psychologist whose research found that people remember what they learn from a story longer and more accurately than from a presentation of facts and figures. Likewise, psychologist Jerome Bruner’s research found that facts are “20 times more memorable when part of a story.”

So yes, tell everyone the critical warning signs that should always put them on alert, such as:

  • Urgency: A request for a transfer of funds urges payment immediately.
  • Domains: The email originates from an unknown domain, or from a lookalike domain that differs from the real one by a character or two.
  • Sender unavailable: Despite the urgency, you cannot reach the requestor by phone or in person.
  • Language and grammar mistakes: Syntax is slightly off. This may be subtle and missed by hasty reading, but beware: some attacks have flawless spelling and grammar.
  • Multiple emails: Several recipients receive the same request.
  • Incorrect context: The request arrives outside the normal workflow for a funds transfer, for example from the wrong person, through the wrong channel, or with no matching invoice. Caution: in vendor email compromise, the fraudulent email arrives in the expected context because it comes from a real vendor mailbox.
  • Secrecy: The sender asks that the transfer request be kept confidential.
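As an added example that is not part of the original article: a small Python checker that applies several of the warning signs above (lookalike or unknown domain, Reply-To mismatch, multiple recipients, urgency, secrecy, funds-transfer language, an unreachable sender) to three constructed messages. The vendor domain list, the keyword patterns and the sample emails are assumptions made for illustration, not data from the page.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Domains of vendors the organization actually pays. In practice this comes
# from the vendor master file; these two are constructed for the example.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "example-bank.com"}

# Keyword heuristics for the human-readable warning signs (assumed wording).
PATTERNS = {
    "urgency": re.compile(r"\b(immediately|urgent(?:ly)?|right away|asap|today|within the hour)\b", re.I),
    "secrecy": re.compile(r"\b(confidential|between us|do not (?:discuss|share|mention|tell)|discreet(?:ly)?)\b", re.I),
    "funds-transfer": re.compile(r"\b(wire|transfer|payment|bank details|account number|routing)\b", re.I),
    "sender-unavailable": re.compile(r"\b(cannot take calls|in a meeting|unreachable|out of office)\b", re.I),
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Lower-cased domain from a From:/Reply-To: header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_domain(domain: str, known: set) -> str:
    """'known' (exact or legitimate subdomain), 'lookalike' (near miss, or a
    known domain used as a leading label such as acme-supplies.com.evil.example),
    or 'unknown'."""
    if domain in known or any(domain.endswith("." + k) for k in known):
        return "known"
    for k in known:
        if edit_distance(domain, k) <= 2 or domain.startswith(k + "."):
            return "lookalike"
    return "unknown"


def assess(raw_message: str) -> list:
    """Return (code, detail) pairs for each warning sign found in an RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    from_dom = domain_of(msg.get("From"))
    kind = classify_domain(from_dom, KNOWN_VENDOR_DOMAINS)
    if kind != "known":
        findings.append((kind + "-domain", from_dom))

    # A Reply-To that points somewhere other than the From domain diverts the
    # conversation to the attacker even when the From address looks right.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", from_dom + " -> " + reply_dom))

    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(recipients) > 1:
        findings.append(("multiple-recipients", str(len(recipients))))

    text = (msg.get("Subject") or "") + "\n" + msg.get_payload()
    for code, pattern in PATTERNS.items():
        hit = pattern.search(text)
        if hit:
            findings.append((code, hit.group(0)))
    return findings


# Constructed sample messages for this example; none are real.
ROUTINE_INVOICE = """\
From: Accounts <ap@acme-supplies.com>
To: payables@victim.example
Subject: Invoice 1042 for March

Please find attached invoice 1042, due on our usual 30-day terms.
"""

LOOKALIKE_VENDOR = """\
From: Accounts <ap@acme-supplies.co>
To: payables@victim.example
Subject: Updated bank details - action today

Our bank details have changed. Please process the open invoices by wire
immediately and keep this confidential until our audit closes.
"""

EXEC_IMPERSONATION = """\
From: CEO <ceo@exarnple-bank.com>
Reply-To: ceo.private@mail.example.net
To: payables@victim.example, controller@victim.example
Subject: Quick favor

I am in a meeting and cannot take calls. Please transfer 48,000 to the
account below right away. Do not discuss this with anyone yet.
"""

if __name__ == "__main__":
    for name, sample in (("routine", ROUTINE_INVOICE), ("lookalike", LOOKALIKE_VENDOR), ("exec", EXEC_IMPERSONATION)):
        print(name, assess(sample))
```

The routine invoice produces no findings; the lookalike vendor message trips the domain, urgency, secrecy and funds-transfer checks; the executive impersonation trips everything including the Reply-To and recipient checks. Note what the checker cannot see: the "incorrect context" sign, and the VEC case where a real vendor mailbox sends a well-written request in the expected thread. That is why the list is a prompt for people rather than a filter, and why a change of bank details should be confirmed by calling the vendor on a number already on file, not one in the email.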

But also find someone in your organization who was fooled, or nearly fooled, by an email scam and have them tell the story. It is likely to have a far greater impact. If they describe how they fell for the urgency, failed to look closely at the sender's domain, or clicked a link too quickly, the others are more likely to grasp the lesson and keep it.

Forewarned is forearmed. And it turns out a story is better at forewarning than mere facts.

Contact us to learn how VendorInfo can help you avoid risks in exchanging vital vendor information.
