One of the most common ways for cybercriminals to gain access to sensitive data on enterprise networks is through phishing. It has recently been revealed that the UK is the target of more phishing than any other country, and the technique featured prominently in the Red October espionage campaign and in the attacks on the New York Times.
Phishing is a method where cybercriminals send spoofed emails to trick recipients into doing something they shouldn’t. Such emails can also give hackers a foothold on corporate networks from which to acquire sensitive information such as usernames, passwords or R&D data.
However, the success of a phishing attack is largely determined by the target’s level of security awareness.
PhishMe provides phishing awareness training – and we have tracked the responses of more than 3.8 million users to measure their level of awareness. We found that around 60 percent of people will fall for a phish if they have never been trained to recognise the signs of a phishing email.
However, trained employees will find it much easier to spot a phishing email. They will know to look at the underlying URL, not just the displayed text, to see where a link actually leads. They will also look at email headers to try to understand whether the sender address has been spoofed.
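The two checks described above (does the visible link text match where the href really points, and do the Return-Path and Reply-To headers agree with the displayed From: domain) can be automated for triage. This is an added example, not PhishMe's tooling; the message it inspects is constructed for illustration and the domains in it are placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not a real message): link text shows the corporate portal,
# the href points elsewhere, and envelope/reply headers do not match From:.
RAW_MESSAGE = b"""From: "IT Support" <helpdesk@example-corp.com>
Return-Path: <bounce@mail-relay.example.net>
Reply-To: <recover@example-reset.net>
Subject: Urgent: password expires today
Content-Type: text/html; charset=utf-8

<p>Reset now: <a href="http://example-reset.net/login">https://portal.example-corp.com/reset</a></p>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain(value):
    """Host of a URL, or the domain after '@' in an address such as <user@host>."""
    if "@" in value:
        return value.rsplit("@", 1)[1].strip("<> ").lower()
    return (urlparse(value).hostname or "").lower()

def analyse(raw):
    """Return the findings a trained reader would raise on this message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, from_dom = [], _domain(msg["From"].addresses[0].addr_spec)
    # Return-Path/Reply-To on another domain is a spoofing clue, not proof: bulk mailers do it too.
    for hdr in ("Return-Path", "Reply-To"):
        if msg[hdr] and _domain(str(msg[hdr])) != from_dom:
            findings.append(f"{hdr} domain differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    parser = _LinkCollector()
    parser.feed(body.get_content() if body is not None else "")
    for href, text in parser.links:
        # The displayed text is itself a URL, but the href leads to a different host.
        if text.startswith(("http://", "https://")) and _domain(text) != _domain(href):
            findings.append(f"link text shows {_domain(text)} but href goes to {_domain(href)}")
    return findings
```

Running `analyse(RAW_MESSAGE)` yields three findings for the sample; a message whose headers and link destinations are consistent yields none, so the output is a prompt for a closer look rather than a verdict.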
In the UK, PhishMe recently commissioned a survey of 1000 office workers to help understand the scale of phishing in this country. The results revealed that:
Not only do these findings reveal that UK office workers are being swamped daily by phishing emails, they also show that technical controls are failing to stop these messages as they pass through security appliances. Emails are ending up in users’ inboxes, and for many companies it is purely down to luck if that employee responds.
One of the most sophisticated types of phishing attacks is called spear phishing. This is when a hacker will target a specific group or organisation and will tailor their attacks to make them look relevant to the recipient. Hackers will carry out these types of attacks in order to gain access to sensitive corporate data, and because the emails they send will look genuine they can often be very successful.
However, despite these worrying statistics there are a number of steps which can help to identify potential phishing emails. When receiving emails, users should look at the following:
Are you expecting a message from the person? Does the email look suspicious? Does the link look genuine?
The content of the email can be a giveaway. One of the most basic reasons that phishing attacks work is that they prey on a user’s emotional response – fear, curiosity or reward – and emails that evoke strong emotions such as these should be treated as warning signs.
Is the email specific? Does it make sense? Although criminals have a lot of information about individuals, they will still keep messages generic to pique your interest and make you take action.
And of course, while grammar has improved in recent years, mistakes are often an indicator that all is not as it seems.
Phishing is one of the most common attack methods for cybercriminals; however, an effective training programme and user awareness will minimise the risk of employees falling victim.
Once employees know what to look for they will be able to quickly identify any potential phishing emails and report them before any damage is done.
Scott Gréaux is VP of product management and services at PhishMe.
Training is not very effective. First, as the author states, people don't devote a lot of attention to email processing. This has been scientifically demonstrated by Prof. A. Vishwanath in "Why do People Get Phished?"
Second, APT emails are carefully crafted to appeal to your job function, not greed or fear or such. The recent aerospace industry emails about a conference schedule. The routine looking HR email that damaged RSA. The missile attack emails to the Israeli police.
The bad guys know that people are on the look-out for suspicious emails -- that is why the bad guys engaged in APT attacks don't send suspicious emails. Just like they don't use last year's viruses. http://www.nytimes.com/2013/01/01/technology/antivirus-makers-work-on-software-to-catch-malware-more-effectively.html?_r=0
Training is much like AV software -- it makes you feel good.
Great post. I just wanted to let your readers know that PhishMe has now rebranded as Cofense - https://cofense.com/