Phishing the Blind


BLUF

Bad actors commonly use phishing, in many forms, to gain access. Phishing aimed at people with vision-related disabilities who rely on assistive technology requires further conversation and consideration. The simplifications made for screen enlargement, and what a screen-reader user can and cannot discern, need to be included in cyber training and awareness programmes to mitigate the potential risk.

Background

Despite decades of developing security practices to protect organisations, phishing is still one of the most prevalent means for bad actors to gain entry. We run exercises, employ vendors, implement and monitor authentication protocols, install response tools, and sometimes get creative to relay the message ‘be wary of messages’. Statistically speaking, phishing is a big deal. The following were posted at the end of 2020.

  1. 97% of the users are unable to recognize a sophisticated phishing email.
  2. 95% of all attacks targeting enterprise networks are caused by successful spear phishing.
  3. 1 in every 8 employees shares information on a phishing site.
  4. More than 60,000 phishing websites were reported in March 2020.
  5. The creation of around 1.5 million new phishing sites is witnessed every month.
  6. Only 3% of the users report phishing emails to the management.
  7. A single spear phishing attack results in an average loss of $1.6 million.

Phishing is common in cyber attacks, but it may not present any additional risk for many people with low vision. Enlarging the font on screen still allows links to be seen, so discrepancies in sender information can be spotted and link targets previewed before clicking.

The challenge grows with adaptations that simplify on-screen clutter to aid the visually impaired, because the details that give a phish away (the full sender address, the real link target) are often exactly what gets hidden. Such adaptations are commonly offered in the accessibility settings of shopping sites (e.g. Amazon) or social media platforms. In working environments they should be discussed transparently, preferably during onboarding. Neither the organisation nor the new employee wants to incur additional risk, but recognising and addressing it will help mitigate it.

For the blind, the risks are greater: a read-aloud screen reader has no notion of security, and will read a deceptive sender name or link text without flagging anything. Building assistive software and integrating it into office products is already a considerable challenge, which makes it difficult to add further layers of complexity. However, the need to address security concerns and constraints remains. As an example, spear-phishing is sophisticated in proportion to the attacker’s understanding of the target; for someone using a screen reader, that might mean registering a domain that sounds the same as the legitimate one when read aloud (a homophone) rather than one that merely looks similar on screen. We need to address what is possible, as bad actors are not known for moral considerations in their decision-making.
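To make that distinction concrete, the following is an added example, not code from the original post: a small check that compares a sender domain against a trusted allow-list in two ways, a visual one (edit distance, the kind of check a sighted reader performs by eye) and an auditory one (a phonetic key, standing in for what a screen reader speaks). American Soundex is used as the phonetic key and Levenshtein distance as the visual proxy; both are assumptions made for illustration, as is the static allow-list. The domains are constructed: example.com and example.org are reserved names, and "eggsample.com" and "exarnple.com" are made up here, not domains observed in the wild.

```python
# Added example (not from the original post): flag a sender domain that
# sounds like, or looks like, a trusted domain.  Soundex is the phonetic
# key and Levenshtein distance the visual-similarity proxy; both are
# illustrative choices.  All domains below are constructed for the demo.

SOUNDEX_CODES = {
    **dict.fromkeys("bfpv", "1"),
    **dict.fromkeys("cgjkqsxz", "2"),
    **dict.fromkeys("dt", "3"),
    **dict.fromkeys("l", "4"),
    **dict.fromkeys("mn", "5"),
    **dict.fromkeys("r", "6"),
}

TRUSTED = ["example.com"]  # constructed allow-list of the organisation's own domains


def soundex(word: str) -> str:
    """American Soundex key: first letter plus three digits ('example' -> 'E251')."""
    letters = [ch for ch in word.lower() if ch.isalpha()]
    if not letters:
        return ""
    digits = []
    # The first letter is kept verbatim, but its code still suppresses an
    # immediately following letter with the same code ('Pfister' -> 'P236').
    prev = SOUNDEX_CODES.get(letters[0], "")
    for ch in letters[1:]:
        code = SOUNDEX_CODES.get(ch, "")
        if code and code != prev:
            digits.append(code)
        if ch not in "hw":  # vowels break a run of equal codes; h and w do not
            prev = code
    return (letters[0].upper() + "".join(digits))[:4].ljust(4, "0")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, a rough measure of visual closeness."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label: 'mail.example.com' -> 'example'.
    Simplification: no public-suffix list, so 'x.co.uk' would yield 'co'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(sender_domain: str, trusted_domains: list, max_edits: int = 2) -> list:
    """Return (trusted_domain, reason) pairs for every near-match.

    reason is 'exact', 'sounds-like' (same Soundex key, different domain) or
    'looks-like' (edit distance <= max_edits).  A lure can trigger both."""
    label = registrable_label(sender_domain)
    key = soundex(label)
    findings = []
    for trusted in trusted_domains:
        if sender_domain.lower() == trusted.lower():
            findings.append((trusted, "exact"))
            continue
        t_label = registrable_label(trusted)
        if soundex(t_label) == key:
            findings.append((trusted, "sounds-like"))
        if levenshtein(label, t_label) <= max_edits:
            findings.append((trusted, "looks-like"))
    return findings


if __name__ == "__main__":
    # "eggsample.com" is caught only by ear; "exarnple.com" (rn for m) only by eye.
    for d in ["example.com", "eggsample.com", "exarnple.com", "example.org", "unrelated.net"]:
        print(f"{d:15} key={soundex(registrable_label(d))} -> {classify(d, TRUSTED)}")
```

Run as a script, the two lure domains split cleanly: "eggsample.com" is three edits away from the trusted name, so an eyes-only check passes it, yet it carries the same phonetic key and is flagged as sounds-like; "exarnple.com" is within two edits but has a different key, so only the visual check fires. Soundex is a coarse, English-centric key that ignores digits and punctuation, and a production filter would use the public-suffix list and a comparison closer to what the user's text-to-speech engine actually says; the point here is only that the two kinds of confusable domain are different sets, and awareness material built around "look closely at the address" covers one of them.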

Inclusion is not simply accommodation. It needs to address the same issues from a variety of vantage points. Cyber security needs to be addressed for everyone and anyone in an organisation. We need these conversations to find solutions.

-scl

(This post is the second in a series on cyber considerations in assistive technologies. The first one in the series can be read here.)
