Attackers Bet On People, Not Tech. Here’s How To Beat Them.

The pattern is painfully familiar every year in cyber: email or remote access leads to breaches and fraud losses.

Report after report shows it. But this time, a new report comes from the people who have to pay out after a cyber event: the insurance tech firm At-Bay. In 2025, e-mail and remote access were behind 90% of claims.

Yet the cybersecurity industry keeps acting surprised, clinging to the fantasy that technology can somehow outrun human behaviour. Attackers know better. That’s why they’ve already won the first move before defenders even react.

If we want to win against attackers, we have to invest in people as much as they do. That means ignoring the lure of another shiny technology fix for a fundamental human challenge.

By The Numbers

The numbers tell us why it’s more important than ever to ignore the siren call of yet another AI-powered technology cyber silver bullet.

“The average claim frequency of customers with email security solutions saw a relative increase of 53% year-over-year,” noted the recent report from At-Bay.

Many of these security technology approaches are excellent, but their value-add is in reducing the number of attacks that get through, not eliminating them all.

Here’s the thing: if you turned up all the settings on the best e-mail filters, they’d stop more attacks at the cost of a much higher ratio of false positives. This results in more blocked legitimate e-mails that are important to the organization.

There’s always a trade-off. E-mail filters are important, but they are only ever 95-99% effective. We’ve seen the rate go as low as 90% in some months; a lot of potential threats get through and always will. That’s why we need technology and people working together as an integrated multi-layer defense.
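To make the trade-off concrete, here is an added illustration (not code from the At-Bay report or from this article's author) of what "turning up the settings" means for a score-based filter. The mailbox, the scores and the analyst labels are constructed; the assumed filter simply blocks anything scoring at or above a threshold. Lowering the threshold catches more malicious mail but blocks more legitimate mail, and even the most permissive setting shown still leaks some threats to people.

```python
"""Threshold trade-off for a score-based e-mail filter (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    score: float      # assumed filter verdict, 0.0 (clean) .. 1.0 (malicious)
    malicious: bool   # ground truth from later analyst review (constructed)


# Constructed mailbox: 8 malicious and 12 legitimate messages with their scores.
# Note the overlap: some legitimate mail scores higher than some malicious mail.
SAMPLE = [
    Message(0.97, True), Message(0.91, True), Message(0.84, True), Message(0.72, True),
    Message(0.66, True), Message(0.58, True), Message(0.49, True), Message(0.31, True),
    Message(0.88, False), Message(0.71, False), Message(0.62, False), Message(0.55, False),
    Message(0.41, False), Message(0.33, False), Message(0.20, False), Message(0.12, False),
    Message(0.08, False), Message(0.05, False), Message(0.03, False), Message(0.01, False),
]


def evaluate(messages, threshold):
    """Block everything scoring >= threshold.

    Returns (catch_rate, false_positive_rate, leaked):
      catch_rate          share of malicious mail blocked
      false_positive_rate share of legitimate mail wrongly blocked
      leaked              number of malicious messages that reach an inbox
    """
    malicious = [m for m in messages if m.malicious]
    legit = [m for m in messages if not m.malicious]
    caught = sum(1 for m in malicious if m.score >= threshold)
    blocked_legit = sum(1 for m in legit if m.score >= threshold)
    return caught / len(malicious), blocked_legit / len(legit), len(malicious) - caught


def sweep(messages, thresholds):
    """Evaluate each candidate threshold so the trade-off can be read side by side."""
    return {t: evaluate(messages, t) for t in thresholds}


def tightest_threshold_within_budget(messages, max_false_positive_rate, candidates):
    """Most aggressive (lowest) threshold whose legitimate-mail blocking stays within budget.

    This is the operational decision the text describes: pick the strictest
    setting the organisation can tolerate, then accept that the rest leaks.
    """
    acceptable = [t for t in candidates
                  if evaluate(messages, t)[1] <= max_false_positive_rate]
    return min(acceptable) if acceptable else None


if __name__ == "__main__":
    for t, (catch, fpr, leaked) in sweep(SAMPLE, (0.9, 0.7, 0.5, 0.3)).items():
        print(f"threshold {t:.1f}: catch {catch:5.0%}  false positives {fpr:5.0%}  leaked {leaked}")
    print("strictest setting with <=20% legit mail blocked:",
          tightest_threshold_within_budget(SAMPLE, 0.20, (0.9, 0.7, 0.5, 0.3)))
```

Run as-is it prints one line per threshold; at the most permissive setting in the sweep every malicious message is blocked, but half of the legitimate mail goes with it, which is the ratio no organisation will accept. The remaining gap at any tolerable setting is what people have to cover.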

Shifting Threats Bypass Old Approaches

The At-Bay report also highlights that cyber-attacks using e-mail aren’t just about delivering malicious links or attachments anymore. Those still happen, a lot. But many attacks now look to start a fraudulent financial transaction; they are known as a Business E-mail Compromise (BEC) attack.

“Email fraud is now one of the biggest drivers of losses, yet most security tools are still focused on phishing links and malware,” said Adam Tyra, CISO for Customers at At-Bay. “Our claims analysis shows nearly all email security solutions performed worse in 2024 and are failing to catch AI-driven fraud emails that look legitimate. Providers must pivot to fraud-specific detection, or companies will keep losing money.”

BEC fraud cost more than $6 billion last year in the US: more than six times the total global haul for ransomware.

Stopping BEC is much harder than filtering for classic phishing.
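The reason BEC is harder to filter is that a fraud e-mail often carries no link and no attachment, so URL and malware scanning have nothing to inspect. The following added example (constructed here, not taken from At-Bay or the article's author) shows the kind of fraud-specific signals a defender can look for instead: display-name impersonation of a known executive, a lookalike sender domain, a reply-to that diverts the conversation, and payment plus urgency language. The organisation domain, the executive directory and the three sample messages are all assumed values.

```python
"""Fraud-specific signals for Business E-mail Compromise (constructed example)."""
import re
from dataclasses import dataclass

ORG_DOMAIN = "example.com"                                # assumed organisation domain
EXECUTIVES = {"Dana Patel": "dana.patel@example.com"}     # assumed internal directory

URGENCY = re.compile(r"\b(urgent|asap|immediately|today|confidential|quick favou?r)\b", re.I)
PAYMENT = re.compile(r"\b(wire|bank (?:details|account)|invoice|payment|gift cards?|routing number)\b", re.I)


@dataclass(frozen=True)
class Email:
    display_name: str
    from_addr: str
    reply_to: str          # empty string when the header is absent
    subject: str
    body: str
    links: int = 0
    attachments: int = 0


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as a swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_signals(msg):
    """Return the fraud indicators present in a message (empty list = none found).

    None of these checks needs a URL or an attachment, which is exactly why
    link- and malware-focused tooling has no view of this class of attack.
    """
    signals = []
    known_addr = EXECUTIVES.get(msg.display_name)
    if known_addr and msg.from_addr.lower() != known_addr:
        signals.append("display-name impersonation of a known executive")
    sender_domain = domain(msg.from_addr)
    if sender_domain != ORG_DOMAIN and edit_distance(sender_domain, ORG_DOMAIN) <= 2:
        signals.append("lookalike sender domain")
    if msg.reply_to and domain(msg.reply_to) != sender_domain:
        signals.append("reply-to routes replies to a different domain")
    if PAYMENT.search(msg.body):
        signals.append("payment or banking request")
    if URGENCY.search(msg.subject + " " + msg.body):
        signals.append("urgency or secrecy pressure")
    return signals


# Constructed samples: a BEC attempt, a genuine executive mail, and a classic link phish.
BEC_ATTEMPT = Email("Dana Patel", "dana.patel@examp1e.com", "dana.patel@examp1e.com",
                    "Quick favour",
                    "Are you at your desk? I need a wire sent today to a new vendor, "
                    "will send bank details. Keep this confidential.")
GENUINE = Email("Dana Patel", "dana.patel@example.com", "",
                "Q3 budget review", "Attaching the slides for Thursday.", attachments=1)
LINK_PHISH = Email("IT Helpdesk", "noreply@mail-service.net", "",
                   "Password expiry", "Click the link to keep your account", links=1)


if __name__ == "__main__":
    for label, msg in (("BEC attempt", BEC_ATTEMPT), ("genuine", GENUINE), ("link phish", LINK_PHISH)):
        print(f"{label:12s} links={msg.links} attachments={msg.attachments} signals={bec_signals(msg)}")
```

The BEC sample trips four signals while carrying no link or attachment; the link phish trips none of them, because it is a different kind of attack that a URL filter is built for. The two detections are separate layers, and neither replaces a recipient who pauses before acting on a payment request.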

AI Is Making The Problem Worse

With generative AI, attackers can send better phishes of all types to their targets. And the growth of phishing-as-a-service platforms using AI means even the most basic cybercriminals have an extremely effective attack tool.

These systems can literally launch a few million attacks within minutes and change their methodology before the initial attack’s techniques can be shared.

Layered Defense: People & Technology For The Win

That’s why it’s more important than ever to not just train people on what to look for, but to make sure they’re motivated to look for it.

Educating people using the right training approach, delivery method, and frequency works. For example, teaching emotional intelligence and critical thinking can reduce the chance someone will engage with a malicious e-mail by 50%.  

Even the most sophisticated software defenses today cannot replicate a human’s gut feeling that something isn’t right. The key is teaching people to listen to this feeling and to set themselves up for success: avoiding rushing through e-mails and alerting the right people when something seems off.

Keeping people motivated also means making sure they’re positively recognized when they do the right thing (spotting and reporting phishing and other security concerns). It also means being careful to avoid punishing people for mistakes, as that can lead them to be hesitant and fearful to report concerns. Want to learn more? Our report on rewards-and-consequences models dives more into the do’s and don’ts of motivating people to spot and avoid threats.

If a team believes that e-mail filters always work, they are 80-140% more likely to click on a phishing link than a team that believes security tools are important, but not infallible.

It’s crucial to have a balanced view on what technology can and can’t do to protect your people.
