
Most Organizations Still Unable to Identify Phishing Emails, Survey Finds

Despite a number of reports over the last year indicating phishing scams continue to be a primary method of accessing personal information and breaching an organization, individuals continue to take the bait.

Intel Security recently released the results of their phishing quiz, which tests people for their ability to correctly distinguish a phishing email from a legitimate message from a stranger. The results indicate that only 3 percent of the 19,000 respondents worldwide were able to correctly identify all phishing emails.

Moreover, 80 percent of all respondents misidentified at least one of the phishing emails, which is all it takes to fall victim to an attack.

The respondents participating in the phishing quiz came from 144 different countries, spanning the United States, Canada, Europe, the Middle East, Asia and Latin America. Of the 144 countries represented in the survey, the US ranked 27th overall in ability to detect phishing, showing 68 percent accuracy in detecting phishing attacks.

“Phishing emails often look like they are from credible sites but are designed to trick you into sharing your personal information,” said Gary Davis, chief consumer security evangelist at Intel Security. “Review your emails carefully and check for typical phishing clues including poor visuals and incorrect grammar, which may indicate that the email was sent by a scammer.”

Traditionally, phishing involves sending an email that appears to come from a reputable institution and asking the user to provide personal information (such as names, credit card information, addresses, passwords and social security numbers) for the purpose of information theft. The email attachments often include malware that is downloaded onto the user’s computer and allows the hackers to easily steal personal information without the user’s knowledge.

The quiz presented 10 emails compiled by Intel Security and asked respondents to identify which of the emails were phishing attempts and which were legitimate. The survey found that the email most often misidentified was actually a legitimate email. The legitimate email asked the recipient to take action and “claim their free ads,” which people associated with phishing or spam.

Although phishing has been the standard method of accessing sensitive information and evading corporate defenses for over a decade, individuals continue to show a lack of awareness of the signs of scam emails.

Homeland Security Today reported in September that phishing continues to be a heavily used and effective mechanism for exploiting the weakest link in enterprise security: human behavior. A McAfee Labs Threats Report found that of the 16,000 business users tested, an alarming 80 percent failed to detect at least one of seven phishing emails.

While technology can assist in detecting malware, ultimately the burden is on the email recipient to detect fraud, making it essential that organizations implement better training in how to identify phishing attacks.

“Prevention is the way forward if we are to truly combat the array of threats we’re seeing appear on a daily basis,” said McAfee EMEA CTO Raj Samani in a statement.

To better protect an organization from becoming a victim of a phishing scam, Davis offered a number of recommendations. Individuals should take the time to inspect emails, looking for obvious red flags, such as misspelled words, incorrect URL domains, unprofessional and suspicious visuals, and unrecognized senders.

In addition, individuals and organizations should keep their security software and browsers up to date, hover over links to identify obvious fakes, and visit the company’s website rather than clicking on the link provided in the email.

Davis also emphasized that organizations should not click on any links in any email sent from unknown or suspicious senders, send suspicious-looking emails to friends or colleagues, download content that their browser or security software warns may be malicious, or give away personal information such as credit card numbers, home addresses, or social security numbers.

“The take away is this: we all need to work harder to learn how to spot phishing attacks, especially true when phishing sites are growing at a rapid pace,” Davis said in a blog post.

Furthermore, Homeland Security Today previously reported that the researchers behind Verizon’s 2015 Data Breach Investigations Report stressed the point that technological defenses will always be imperfect and that people are the key to effective mitigation of the phishing threat, since the human factor is one of the top security vulnerabilities facing organizations.

“Lessons not learned from the silly pranks of yesteryear and the all-but-mandatory requirement to have email services open for all users has made phishing a favorite tactic of state-sponsored threat actors and criminal organizations, all with the intent to gain an initial foothold into a network,” the report said.

Homeland Security Today, http://www.hstoday.us