Yuo cna porbalby raed tihs esaliy desptie teh msispeillgns
https://ostermanresearch.com/2024/10/16/scrambled-brain/
Wed, 16 Oct 2024 03:45:26 +0000

From Why Your Brain Can Read Jumbled Letters:

It deosn’t mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe.

One of the common recommendations in security awareness training for identifying phishing emails is to check that email addresses and domain names are correct: that microsoft.com really is microsoft.com and not a close derivative (like microsott.com or M1CROSOFT.COM), and that it is actually paypal.com, not paypa1.com. Small changes in email addresses and domain names can signal big trouble ahead (e.g., BEC incidents that result in paying the wrong person), and it takes a snazzy piece of brainwork to consistently spot those subtle changes. Slow down, read the address carefully, and then proceed with caution. That’s the general advice.

While snazzy brainwork is helpful in detecting new cyberattacks, the way our brains work can undermine the very outcomes we’re trying to achieve. As with the headline for this post, many of you can quickly read what’s written, and while the first couple of words may take a millisecond longer than normal to get, the subsequent ones get progressively easier. Optical illusions provide a second category of examples, where what looks reasonable at first glance becomes more complicated on the second.

Hence, with respect to security awareness training, the advice to check the email address and domain name is sound in principle but flawed in practice. We would want someone to see that memcosoff.com was not microsoft.com, but we should not be surprised when people miss the difference between slight variations. Yes, the differences between paypal and paypa1 may be clear and obvious in retrospect, but to write people off for missing them, when their brain is filling in the pattern it expects to see, is disingenuous.

We are strong advocates for email security solutions that use anomaly detection (and similar techniques) to do the heavy lifting of identifying subtle changes in email addresses and domain names. Textual analysis for near-matches, checks for unusual combinations of sender display name and email address, and the like provide a level of machine precision that brains can’t match (and that’s okay, since brains are good at other things). Asking your people to check these details is fine, but don’t do so without also using the best of what’s now available to detect, highlight, and remediate attacks that rely on subtle differences brains will often miss.
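The kind of near-match and name-versus-address analysis described above, as an added example (not code from this post or from any vendor's product): it folds confusable characters into equivalence classes, decodes punycode labels, measures edit distance against a protected-domain list, and checks whether the display name claims a brand the sending address does not belong to. The protected-domain list, the confusable table, the distance threshold and the sample From: headers are assumptions constructed for the example.

```python
"""Lookalike-domain and display-name checks for inbound mail.

Added example, not code from the Osterman Research post or any vendor product:
a small version of the "textual analysis for near-matches" and "sender name vs.
address" checks the post says tooling should do for people. PROTECTED_DOMAINS,
CONFUSABLES and the From: headers in main() are constructed for this example.
"""
from email.utils import parseaddr
import unicodedata

# Brands whose domains we do not want impersonated (constructed list).
PROTECTED_DOMAINS = ("microsoft.com", "paypal.com")

# Equivalence classes of characters a reader's brain silently "autocorrects".
# Both the candidate and the protected domain are folded, so i/l/1 and o/0
# compare equal without guessing which one the attacker intended.
CONFUSABLES = {
    "0": "o", "1": "l", "i": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    # Cyrillic letters that render like Latin ones in IDN homograph attacks
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def decode_idna(domain: str) -> str:
    """Decode punycode labels (xn--...) so Unicode homoglyphs become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or malformed punycode: compare as-is


def fold_confusables(text: str) -> str:
    """Map visually similar spellings onto one canonical form."""
    s = unicodedata.normalize("NFKD", decode_idna(text).lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop accents
    for multi, single in MULTI_CONFUSABLES:
        s = s.replace(multi, single)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) with a two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return (verdict, protected_domain_or_None) for a sender domain."""
    d = domain.lower().rstrip(".")
    for p in protected:
        if d == p:
            return "exact", p
        if d.endswith("." + p):
            return "subdomain", p  # mail.paypal.com is the brand's own host
    folded = fold_confusables(d)
    folded_protected = {p: fold_confusables(p) for p in protected}
    for p, fp in folded_protected.items():
        if folded == fp:
            return "homoglyph", p  # paypa1.com, M1CROSOFT.COM, rnicrosoft.com
    for p, fp in folded_protected.items():
        if fp.split(".")[0] in folded:
            return "embedded", p  # paypal.com-secure.net, paypal-billing.net
    best = min(((levenshtein(folded, fp), p) for p, fp in folded_protected.items()),
               default=None)
    if best and best[0] <= max_distance:
        return "lookalike", best[1]  # microsott.com: one substitution away
    return "unrelated", None


def check_from_header(header, protected=PROTECTED_DOMAINS):
    """Flag a From: header whose domain or display name impersonates a brand."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2]
    verdict, target = classify_domain(domain, protected)
    findings = []
    if verdict in ("exact", "subdomain"):
        return findings  # genuinely from the brand; the display name is theirs to use
    if target:
        findings.append(f"{verdict} of {target}: {domain}")
    folded_name = fold_confusables(name)
    for p in protected:
        brand = p.split(".")[0]
        if fold_confusables(brand) in folded_name:
            findings.append(f"display name claims {brand} but address is {domain}")
    return findings


if __name__ == "__main__":
    for hdr in (  # constructed sample headers
        "PayPal Support <billing@paypa1.com>",
        "Microsoft Account Team <no-reply@accountprotection.microsoft.com>",
        "Microsoft Support <help@contoso-helpdesk.net>",
        "Accounts <ap@memcosoff.com>",
    ):
        print(hdr, "->", check_from_header(hdr) or ["clean"])
```

Run as-is, the memcosoff.com header comes back clean, which is the post's point in reverse: the machine handles paypa1 and rnicrosoft reliably, while a gross misspelling a human does notice is not a near-match at all and is left to the reader. The distance threshold and the confusable table are the knobs that need tuning against your own mail flow to keep false positives down.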

Fortifying the Organization Against Image-Based and QR Code Phishing Attacks
https://ostermanresearch.com/2024/03/12/fortifying-the-organization-against-image-based-and-qr-code-phishing-attacks/
Tue, 12 Mar 2024 04:05:47 +0000

Last week, IRONSCALES published the research on image-based and QR code phishing attacks that it commissioned from Osterman Research. With the topic top of mind across the email security market, we valued the opportunity to carry out primary market research into what organizations in the United States are actually seeing and experiencing from this new type of phishing threat. You can get a copy, without having to register for it, from the IRONSCALES web site.

There’s a lot of good data and vital recommendations in the white paper, based on what we found in the survey. Get your copy from IRONSCALES, scan the key findings on page 2, and then dive into whatever is most relevant to you. In this article, I want to focus on the eureka moment we had as we looked at the data.

Consider this finding from one of the questions in the survey: more than 70% of respondents self-assess their current email security stack as highly effective at detecting image-based and QR code phishing attacks. This is from IT managers, IT team leads, IT security managers, email security managers, email security administrators, etc. These are the men and women on the front lines, deeply involved in securing their organization against traditional, new, and emerging phishing threats such as image-based and QR code phishing attacks. While that means just under 30% are less than confident in the efficacy of their detection capability, 70% out of the gate is a pretty high benchmark.

But then juxtapose that finding with another one: only 5.5% of respondents said their current email security defenses were able to detect and block all image-based and QR code phishing attacks from reaching user inboxes. That means 94.5% had one or more of these new types of phishing attacks flow through their email defenses to an employee’s inbox, and, as a result, 75.8% of organizations experienced a compromise of account credentials or exfiltration of sensitive information due to image-based or QR code phishing attacks over the previous 12 months. Set against the data point above, that is a low benchmark of battle-tested reality. It could be the tale of the one that got through, but that doesn’t hold up if 75.8% of organizations experienced a compromise: many, many of these attacks must have made their way to inboxes, and someone at each organization got phished.

On that note, better cybersecurity awareness training and phishing simulations based on real-world examples of image-based and QR code phishing attacks was a highly ranked strategic intent across the organizations we surveyed. If attacks will get through, make sure employees know what to look out for. But equally, and in parallel, augmenting current email security defenses is just as essential. People plus technology work in combination; it’s not either/or.

We will be joining IRONSCALES for a webinar on April 11 to dive into the findings. There will be Q&A … so please register and attend to have your questions answered.
