Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
Mindfulness and Phishing Resistance
How many emails do you receive in a day? 50? 150? 1,500?
Do you sometimes find yourself processing all those messages automatically, rapidly deleting as many as possible and trying to respond ASAP to items that are appear easy to get out of your box?
Maybe think about slowing down.
If you're reading this blog, you know that phishing is the main avenue for ransomware and account takeover attacks. You're familiar with most of the rules that can keep you safe from phishing: don't click through on emails from unknown senders, look at return addresses, watch out for a sense of urgency, et cetera.
You're adept at following those rules. Maybe you have aced your organization's phishing simulations. Not only the easy ones, like "Congrats. You are the employee of the month. Click here," but also the tricky messages with a direct relationship to your job content.
So now it's time to talk about the role of overconfidence—yours and mine—in our ability to identify phishing emails. That overconfidence could lead to a lack of attention.
I got to thinking about overconfidence after reading some reports of research projects that use phishing simulations to try to understand whether personality traits or demographics are associated with phishing susceptibility. I repeatedly saw words and phrases like "impulsive," "deficient self-regulation," "attention control," and "not paying attention."
Which led me to this experiment finding that training in mindfulness techniques reduced the likelihood that university students would fall for a mock phish. Students already trained to know the anti-phishing rules were divided in two groups. Half received additional training on the rules. Half received mindfulness training.
The mindfulness training took a step back from the specific phishing rules. "Mindfulness training cautioned individuals against quickly responding to e-mail requests and encouraged them to stop, consider what e-mails ask them to do, and then take appropriate action." It was about following a process, not following a rule. The authors point out that environmental awareness and an understanding of potential consequences in that environment are key aspects of mindfulness.
Is there a role for mindfulness in your organization's anti-phishing program? In May, my colleague Scarlett Heinbuch wrote about the impetus to hurry when encountering a payment problem at checkout. For phishers, a similar impetus to hurry creates opportunity. Before you click, pause—take a breath—exhale—take another breath. Only then should you decide whether or not it's safe to click.