PhishMe, a provider of anti-phishing training services, stressed the importance of education to prevent phishing and refuted Web security firm Trusteer’s recent claim that education is not enough to prevent social engineering attacks.
In a Tuesday press release, PhishMe of New York City and Chantilly, Va., said it opposes a message from a Trusteer study that “continues to perpetuate the misconception that technology alone is the answer.”
Since phishing attacks “focus on the human element to ensure success,” organizations should not rely on technology alone as a prevention mechanism, the company said.
New York City-based Trusteer staged a phishing attack last month by sending e-mails listing LinkedIn as the sender to 100 subjects, 68 of whom “failed” their test by clicking on a link included in the e-mails. Trusteer said its experiment demonstrated that fraudsters can easily fool e-mail users and that education is not a sufficient way to halt phishing attacks.
In their rebuttal, PhishMe executives said 68% is not a high failure rate for users who don’t know how to spot phishing and that the same 100 subjects should have been re-tested after completing an anti-phishing education session.
“While we can agree with (Trusteer’s) claims of social engineering making it ‘easy to drive corporate users to fake websites that could potentially download malware onto their computer,’ it is the way they draw their conclusion, their methodology, and their claim that only a technological solution is the answer that we take issue with,” PhishMe CEO Rohyt Belani said in the press release.
“Companies need to be proactive in educating their customers to ensure they know what to look for to effectively reduce the risk of falling victim to phishing attacks,” he said.