From Why Your Brain Can Read Jumbled Letters:
It deosn’t mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe.
One of the common recommendations in security awareness training for identifying phishing emails is to check that email addresses and domain names are correct. So microsoft.com is that, and not some close derivative (like microsott.com or M1CROSOFT.COM) and it’s actually paypal.com not paypa1.com. Small changes in email addresses and domain names can signal big trouble ahead (e.g., BEC incidents that result in paying the wrong person), and it takes a snazzy piece of brainwork to consistently identify those subtle changes. Slow down, read the address carefully, and then proceed with caution. That’s the general advice.
While snazzy brainwork is helpful in detecting new cyberattacks, the way our brains work can undermine the very outcomes we’re trying to achieve. As with the headline for this post, many of you can quickly read what’s written, and while the first couple of words may take a millisecond longer than normal to get, the subsequent ones get progressively easier. Optical illusions provide a second category of examples where what looks reasonable on first glance becomes more complicated on the second.
Hence, with respect to security awareness training, the advice to check the email address and domain name is sound but flawed. We would want someone to see that memcosoff.com was not microsoft.com, but we should not be surprised when people miss the difference between slight variations. Yes, the differences between paypal and paypa1 may be clear and obvious in retrospect, but to write people off due to missing the differences when their brain actually creates the signals it expects to see is disingenuous.
We’re a great advocate for email security solutions that use anomaly detection (and similar techniques) to do the heavy lifting in identifying subtle changes in email addresses and domain names. Textual analysis for near-matches, unusual patterns in combining sender names with email addresses, and the like provide a level of machine-precision that brains can’t match (and that’s okay, since brains are good at other things). Asking your people to check these details is fine, but don’t do so without using the best of what’s now available to detect, highlight, and remediate cyberattacks predicated on subtle differences that brains will often miss.
Leave a Reply