Almost every day, my spouse and I have a conversation about spam. Not the canned meat, but the number of unwelcome emails and text messages we receive. He gets several nefarious text messages a day, while I maybe get one a week. Phishing emails come in waves — right now, I’m getting daily warnings that my AV software license is about to expire. Blocking or filtering has limited success and, as often as not, flags wanted rather than unwanted messages.

Our ritual of comparing phishing attempts acts as informal security crowdsourcing. While most of these messages are clearly a poor attempt at social engineering, something realistic seeps in every so often.

So we talk about it. We review basic security practices. Just one wrong click could have a devastating impact on his work network.

We all know that phishing and malicious messages have been effective attack vectors since the earliest days of the internet, and yet users continue to fall victim. Spammers and threat actors know that recipients of these messages will continue to fall for their schemes.

What helps threat actors and hurts the rest of us is the inability to do anything to stop phishing attacks. It’s not just a matter of filtering something to go into the junk folder.

What will make a difference is the ability to take the information about malicious messaging and report it back to communication providers, network administrators and security teams so everyone can work together to eliminate threats.

Crowdsourcing security is common

Using crowdsourcing as a way to prevent phishing attacks builds on other popular crowdsourced security methods. Large tech companies have used bug bounties for years, with monetary rewards offered to users who find vulnerabilities in their systems.

Crowdsourcing rests on a simple theory: the more people who look for something, the greater the chance that someone finds it. Some organizations treat crowdsourcing as ongoing penetration testing, and if the rewards are high enough, users will keep watching for potential bugs in the system.

But as we’ve seen repeatedly, what works for security works for the bad guys as well. Threat actors also use crowdsourcing for cyber crime.

“Cyber crime is just crowdsourced security but without any of the ethical elements. The reward structure mimics the way that cyber crime operates more closely than traditional security testing methods,” explained a blog post from Detectify.

Crowdsourcing phishing shows promise

A study conducted by ETH Zurich found that the exercises used to train users to recognize phishing attempts have the opposite effect — rather than becoming resilient, users become more susceptible to falling for nefarious messaging. What does work, the research found, is crowdsourcing through collective phishing detection.

“Such crowdsourcing allows fast detection of new phishing campaigns, the operational load for the organization is acceptable and the employees remain active over long periods of time,” the report stated.

When a “Report Phishing” button was added to an email platform, the study found that users would report suspicious emails within five to 30 minutes of receipt. Users were fairly accurate in detecting a potentially dangerous email: they were right 68% of the time for a phishing attack and 79% when spam was included.

Even better, there appears to be no reporting fatigue for users and little burden to organizations adopting a crowdsourcing system. The quick response from the users means that security teams can address the threat quickly.
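As an added example (not code from the article or from the ETH Zurich study), here is a minimal aggregator for the events a "Report Phishing" button produces: it clusters reports by sender domain and link host and escalates a cluster only once several distinct users have corroborated it inside a short window, so a single mistaken report does not page the security team. The report events, domains and thresholds below are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed "Report Phishing" button events: (reporter, sender domain, link host, time).
# Three users flag the same "AV licence expiring" lure within 20 minutes (one of them twice),
# one user flags a newsletter, and two users flag another lure a full day apart.
REPORTS = [
    ("alice", "billing-update.example", "av-renewal.example", "2023-05-01T09:03:00"),
    ("bob",   "billing-update.example", "av-renewal.example", "2023-05-01T09:08:00"),
    ("dave",  "newsletter.example",     "news.example",       "2023-05-01T09:10:00"),
    ("alice", "billing-update.example", "av-renewal.example", "2023-05-01T09:15:00"),
    ("carol", "billing-update.example", "av-renewal.example", "2023-05-01T09:21:00"),
    ("erin",  "partner.example",        "docs.example",       "2023-05-02T14:00:00"),
    ("frank", "partner.example",        "docs.example",       "2023-05-03T14:00:00"),
]

def detect_campaigns(reports, min_reporters=3, window_minutes=30):
    """Cluster reports by (sender domain, link host); escalate a cluster once
    min_reporters distinct users flag it within a sliding window. Corroboration
    absorbs the roughly one-in-three individual reports that turn out to be wrong
    (the 68% figure above) without an analyst having to triage every report."""
    window = window_minutes * 60
    by_key = defaultdict(list)
    for who, sender, host, ts in reports:
        by_key[(sender, host)].append((datetime.fromisoformat(ts), who))

    result = {}
    for key, events in by_key.items():
        events.sort()  # chronological; the earliest report is the first sighting
        first = events[0][0]
        escalated = None
        for i, (t, _) in enumerate(events):
            # Distinct reporters whose report landed inside the window ending at t.
            recent = {who for u, who in events[: i + 1] if (t - u).total_seconds() <= window}
            if len(recent) >= min_reporters:
                escalated = t
                break
        result[key] = {
            "first_report": first,
            "escalated_at": escalated,
            "delay_minutes": (escalated - first).total_seconds() / 60 if escalated else None,
            "reporters": {who for _, who in events},
        }
    return result

if __name__ == "__main__":
    for key, info in detect_campaigns(REPORTS).items():
        hit = info["escalated_at"] is not None
        status = f"escalate after {info['delay_minutes']:.0f} min" if hit else "hold for triage"
        print(f"{key[0]} -> {key[1]}: {len(info['reporters'])} reporter(s), {status}")
```

With the defaults, only the cluster flagged by three different users escalates (18 minutes after the first report); the lone newsletter report and the two reports a day apart are held for ordinary triage.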

The bigger picture of crowdsourcing security

Crowdsourcing goes beyond internal security. The ultimate goal is to leverage information from individual users to detect and prevent phishing attacks on millions of users within a network.

For example, with the release of iOS 16, users have the ability to report spam sent through iMessage directly to Apple. This won’t prevent the sender from sending messages, but the user’s device will block further messages once reported. It’s an option that has been available on Android devices for a while.

MSSPs and security vendors are using tools and applications that share phishing information across their network of clients. When one user or company reports a suspected phishing message through the tool, this information can benefit investigations of similar attacks against other organizations and stop potential threats.

The federal government also encourages crowdsourcing phishing information. On the Federal Trade Commission’s phishing information page, users can take a quiz to test their knowledge of phishing attacks and are urged to forward phishing emails to the Anti-Phishing Working Group (APWG) at [email protected]. APWG analyzes this data to build phishing activity trend reports. Organizations can see the type of impacts phishing attacks have — what industries are seeing the most attacks, how the attacks are happening and the type of malware (mostly ransomware) affecting networks — and then use the information to offer the best security plan for their needs.

Crowdsourcing security helps keep your organization safe

Sharing data surrounding phishing attacks and other types of malicious messaging allows organizations to develop more effective cybersecurity defense systems and increases overall security awareness. As the ETH Zurich study showed, traditional methods of phishing awareness training have been found wanting. Actively engaging employees to not only know how to spot phishing attacks but also to properly report them will increase their own sense of ownership in the organization’s security posture. Once more invested, they are more likely to use better security practices more consistently. In the long run, this helps organizations reduce costs related to cyber risks.

When done right, crowdsourcing security is an effective cybersecurity tool, especially for phishing and malicious messaging attacks.
