Federal Reserve Bank of Atlanta

11/29/2021 | Press release | Distributed by Public on 11/29/2021 06:14

Mindfulness and Phishing Resistance

November 29, 2021

How many emails do you receive in a day? 50? 150? 1,500?

Do you sometimes find yourself processing all those messages automatically, rapidly deleting as many as possible and trying to respond ASAP to items that appear easy to get out of your inbox?

Maybe think about slowing down.

If you're reading this blog, you know that phishing is the main avenue for ransomware and account takeover attacks. You're familiar with most of the rules that can keep you safe from phishing: don't click through on emails from unknown senders, look at return addresses, watch out for a sense of urgency, et cetera.

You're adept at following those rules. Maybe you have aced your organization's phishing simulations. Not only the easy ones, like "Congrats. You are the employee of the month. Click here," but also the tricky messages with a direct relationship to your job content.

So now it's time to talk about the role of overconfidence, yours and mine, in our ability to identify phishing emails. That overconfidence could lead to a lack of attention.

I got to thinking about overconfidence after reading some reports of research projects that use phishing simulations to try to understand whether personality traits or demographics are associated with phishing susceptibility. I repeatedly saw words and phrases like "impulsive," "deficient self-regulation," "attention control," and "not paying attention."

Which led me to this experiment finding that training in mindfulness techniques reduced the likelihood that university students would fall for a mock phish. Students already trained to know the anti-phishing rules were divided into two groups. Half received additional training on the rules. Half received mindfulness training.

The mindfulness training took a step back from the specific phishing rules. "Mindfulness training cautioned individuals against quickly responding to e-mail requests and encouraged them to stop, consider what e-mails ask them to do, and then take appropriate action." It was about following a process, not following a rule. The authors point out that environmental awareness and an understanding of potential consequences in that environment are key aspects of mindfulness.

Is there a role for mindfulness in your organization's anti-phishing program? In May, my colleague Scarlett Heinbuch wrote about the impetus to hurry when encountering a payment problem at checkout. For phishers, a similar impetus to hurry creates opportunity. Before you click, pause: take a breath, exhale, take another breath. Only then should you decide whether or not it's safe to click.

By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed