Even the world’s greatest cybersecurity is no match for human error

People's tendency to fall for phishing scams is a chink in cybersecurity that technology has not yet been able to overcome.

 Cyber attack (photo credit: INGIMAGE)
Cyber attack
(photo credit: INGIMAGE)

The cybersecurity field is one of the most prominent in the Israeli hi-tech sector, having last year accounted for $4 billion in company exits in Tel Aviv alone. Likely due to the pipeline of IDF Intelligence units to the business world, there is a constant slew of fresh innovation in the cybersecurity space coming out of Israel.

While cybersecurity companies have consistently made leaps and bounds to develop new ways to protect users’ privacy, data and information, there has always been one major problem that has eluded their innovation and may continue to do so for the foreseeable future: People are pretty stupid.

The human factor has been and will remain the weakest link,” said Ziv Cohen, CEO of cybersecurity start-up Paygilant and a member of the Israel Fintech Center. In an interview, he explained why careless human action has always been a chink in the latest and greatest of cybersecurity armor.

“It’s just really easy to lure a person to transfer money to your account. It could be a very traditional and old type of attack, such as the Nigerian prince scam, or offering you something, and convincing you to transfer money; but it's [always] very, very effective.”

Ziv Cohen

“It’s just really easy to lure a person to transfer money to your account,” he said. “It could be a very traditional and old type of attack, such as the Nigerian prince scam, or offering you something and convincing you to transfer money. But it’s [always] very, very effective.”

These kinds of bait-and-switch attacks are referred to as phishing. Cohen described them as “a combination of technology and psychology,” and since the dawn of the Internet, they have been one of the most productive methods of remote theft. But there are still some approaches to mitigate the damage they can cause.

Projection of cyber code on hooded man (llustrative) (credit: REUTERS/KACPER PEMPEL/ILLUSTRATION TPX IMAGES OF THE DAY)
Projection of cyber code on hooded man (llustrative) (credit: REUTERS/KACPER PEMPEL/ILLUSTRATION TPX IMAGES OF THE DAY)

How can technology help this issue?

“From a technology point of view, what’s required is to look at the big picture and not just work in silos,” Cohen said. “When we look at how technology can help here, it’s a combination of multiple layers, working in conjunction, in real time, to really get this complete and accurate picture of the likelihood that a transaction or transfer of payment is fraudulent.”

It involves device identification: to look at the device, to ensure that this device is known, no fraud has ever been committed from it, that it belongs to the right person, and it looks legit,” he said. “Think about the phones that you currently hold in your hand. You use this phone for your regular daily activities, you make phone calls to your friends and family, you have your contacts, you connect it to Wi-Fi networks, you have your Bluetooth devices connected to it, so it looks like a phone that a legitimate person uses – as opposed to fraudsters, [who are] never going to make a phone call to their mom from the same phone they’re going to launch an attack from.”

Paygilant is one of several companies implementing a host of methods to prevent classic phishing scams. But ultimately, it all comes down to personal responsibility.

On that note, Benny Bitton, a sales engineer at cybersecurity company Inocom, listed two simple best practices to keep in mind while browsing: “Do not click any URL that isn’t familiar – those URLs [could] redirect the end user to a malicious site; and do not open any file from a person you don’t know – they could contain malicious files, ransomware” or something even worse.

Advertisement

According to Cohen, preventing phishing is “a combination of detecting fraudulent activities and alerting users… But at the end of the day, user operation is critical.”