Here's Why Phishing is Getting Worse

Category: Security

Webroot, a computer security company, conducted a phishing survey last August, and asked 4000 office professionals about their email habits. The results may be surprising, but they shed light on why phishing attacks are increasing, both in the home and in the workplace, and how to protect yourself from this threat. Read on for the scoop on phishing...

Phishing Attacks: Sneaky and Effective

When questioned about their email habits, most people think they're pretty good at sniffing out phishing -- those potentially spammy, scammy, or malicious links. If it came from a Nigerian prince, had lots of typos and bad grammar, or asked for personal information, red flags pop up right away. But phishing attacks are getting increasingly clever, and harder to distinguish from legitimate messages.

In the workplace, it's becoming more common for an employee to receive an urgent message that appears to be from their boss or a customer, demanding some sort of immediate action. And on the homefront, more users are reporting phishing attacks that look like they're from a friend or family member. And these attacks are working.

Even though 9 of 10 professionals in the sample believed they could differentiate between a phish and a legitimate email, about 60% of the survey respondents admitted they have clicked links in emails from unknown senders -- the most commonly used method to steal credentials or infect a computer with malware.

Why Phishing Attacks Work (and are getting worse)

Malicious links are often disguised as legitimate, which is why it's so important to verify the destination before clicking. Simply hovering the mouse pointer over the link without clicking will reveal the actual address. If you're not 100% sure it's okay to click, put down the mouse and back away from the computer. But the Webroot study showed that 57% of office workers did not routinely verify links before clicking, which may account for the frequency of data breaches.

Dr. Cleotilde Gonzalez, a Carnegie Mellon University research professor who consulted on the survey, says the primary factors that make people click are “urgency, familiarity, and context.” Dr Gonzalez explains why people are often tricked into thinking a rogue email is legit: "If you already expect to receive emails from your boss at your office (context and familiarity), and you are accustomed to messages that request quick action (urgency), then you are likely to assume the message is real. It might never occur to you to suspect that it could be phishing."

You'd think that if someone knew for sure they had been compromised as a result of a phishing attack, they would take steps to lock down their accounts. But one third of those who admitted to having information stolen, didn’t change their passwords. That's shocking, but there may be a good explanation. An earlier Webroot survey showed 34% of users reported having more than 15 online accounts, and some with more than 30. With a dozen or more logins to remember, it's difficult to maintain strong, unique, passwords for all of them. That's why many people reuse passwords across multiple online accounts. Password manager software can be a big help here. If you know you only have to change ONE password, the job of cleaning up after a phishing attack is much less daunting.

Another takeaway from the survey was that users don’t realize all the different forms that phishing attacks can take. Less than half of workers identified phone calls, app notifications, or postal mail as possible phishing vectors.

What Really Gets People To Click?

Scammers take advantage of the fact that employees are eager to please their bosses. In the survey, users were asked " Which of the following messages would you be most likely to open first?" Here are their answers:

An email from my boss 60%
A nice message from a family member or friend 55%
A request from my bank to confirm a transaction 31%
A discount offer from a store 28%
A link to a video from a friend or family member 27%
A prompt for me to verify/authenticate my account 25%
A notification about a fine 19%
Instructions to confirm my billing address 18%
A subpoena or legal request 16%
A link to a funny meme 13%
A message claiming to contain adult content 9%

Tips For Staying Safe From Phishing Attacks

The report concludes with some tips to prevent phishing attacks, and increase the chances of successful recovery if it does happen. Not surprisingly, the advice corresponds with many of the computer security tips I've published here on the AskBobRankin site.

The full report Hook, Line & Sinker: Why Phishing Attacks Work is available if you want to dig deeper. Bottom line, cybercriminals bank on your overconfidence and complacence. Be vigilant and wary of ALL links and attachments in emails messages, to decrease (or completely eliminate) your risk of being phished.

Your thoughts on this topic are welcome. Post your comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 14 Jan 2020

For Fun: Buy Bob a Snickers.

Prev Article:
Yes, You Can Still Get Windows 10 For Free

The Top Twenty
Next Article:
Geekly Update - 15 January 2020

Most recent comments on "Here's Why Phishing is Getting Worse"

Posted by:

Elana Grunder
14 Jan 2020

Another insightful article, Bob! Thanks for keeping us updated on the latest threats, and all the tips for staying safe.

Posted by:

14 Jan 2020

Thanks! I just do not click on links. Boss is not always happy but it works for me.

Posted by:

Hubert Brochard
14 Jan 2020

Thank you Bob! I almost got caught on a friendly looking e-mail pretending this friend's girlfriend was sick. Luckily for me, I got suspicious when he started asking for money.

Posted by:

Sandy Jewell
14 Jan 2020

I find more phishing occurs through Facebook posts. They look tempting because maybe you can win something. Click in, give them some details and you will receive phishing emails for weeks.

Posted by:

14 Jan 2020

If you send someone a link, be sure to describe it in specific terms that tie it to you.
Not the phisher's favorite "thought that this might interest you" but "here is the video of the XXXXX robotics team at the qualifier last saturday"
A spammer cannot come up with a lot of specific detail or they will be a dead giveaway to almost everyone that it is not related to them.
Our company sends out phishing test messages to see if people hit the report a phish button.
Don't know how often or if the suspicious messages I tagged were test or real. No feedback is probably an indication that I have tagged real phishing or tests.

Posted by:

14 Jan 2020

People should proceed as if there is a phishing attack out there that will get even them and always be vigilant. I could withstand the sweepstakes winnings, the credit card re-registration, and many other attacks. What hooked me was the email that said my credit score had been damaged. I clicked on the link without even thinking and my reward was a virus-laden laptop.

Posted by:

14 Jan 2020

Within the last few weeks "Amazon" reported freezing my account, twice. I forwarded the emails to Amazon and was assured my account was not frozen. Damn those emails looked valid. No spelling or grammar errors. Lots of "Amazon" detail. Yes, Bob, the phishers are getting more sophisticated.

Posted by:

14 Jan 2020

Does anything actually happen to those emails reported as "phishing"? (And if so --- what?)

Posted by:

15 Jan 2020

I almost fell for an email from DHL saying they could not deliver my package because the maining address was incorrect. It had a handy link to edit the address. I hovered over the link, but I could not determine for sure if it was or was not legit. So, I called DHL and they confirmed they do not send such emails and it was definitely a hoax.

Also, the hovering advice is okay, but you must carefully look for sneaky lookalikes. One wrong character in a long url could send you where you do not want to be.

Posted by:

15 Jan 2020

You state that grammar is important yet your writing contains an incorrect use of a pronoun. You wrote the following: In the workplace, it's becoming more common for an employee to receive an urgent message that appears to be from their boss or a customer, demanding some sort of immediate action.
Employee is singular. You referred to it with the pronoun their which is plural possessive. It doesn't make sense. It begs the question 'who are they?'
Unfortunately this kind of error is so common no one notices, which further advances the degradation of the English language.


Posted by:

15 Jan 2020

Password managers are NOT convenient.
Never seem to work seamlessly for me.
So many irritations too numerous to mention here.
Also "back up" - what where how, none of the efforts I have tried are simple, there is usually no simple test to ensure the back up is complete.
None are very practical solutions for the average user which is why compliance is so poor.

Posted by:

15 Jan 2020


Sorry but Bob's English grammar is much better than yours !! 'Their' is both a singular and plural pronoun

Posted by:

15 Jan 2020

I received an email today claiming to be from Amazon and it had a PDF attachment. It seemed a bit odd to me that they would send a PDF file so I took a close look at the email address. It was from (not I immediately deleted it.

Posted by:

Bob Stromberg
15 Jan 2020

Three points:

1. As a private individual, if you did not initiate ANY communication, you need to be suspicious. ANY = text, phone call, email. DO NOT ANSWER. Check using a different "channel" -- make a phone call or enter a URL directly.

2. As a worker whose job it is to respond to work-related emails, learn to use the mouse to hover over a link and READ THE LINK.

2a. How do you "hover" over a link on a touch-screen only device (iOS, Android, Windows)? The link preview you get can be tailored by the web site developer.

3. Take the following quiz to hone your ability to spot fake links:

Posted by:

Bob Stromberg
15 Jan 2020

@Therrito: " (not"

Great example of "typosquatting." Thanks!

Posted by:

15 Jan 2020

Great information. I suggest everyone use a password manager. I personally do not like the online password managers. Just does not feel secure to me. I use a program called eWallet. It is a locally installed program that allows me to sync with my mobile devices over my home network. There is a one time fee but it is worth it.
I also like KeepPass which is free.

Posted by:

15 Jan 2020

I received an email from an “ECODE” credit checking company my CREDIT UNION had contracted back in 2014 to check all (?) of our credit checkers. I have saved those monthly emails since and this was the first one that said “ALERT”. So I checked with my CU and they said the phone # was good so I called and they knew of my account back to 2014 and saw the “ALERT” this month.
BUT I had never activated the account which was why I would not try to sign in until now, so with the assurance it was legit, I open an account and found the new car I bought last month on car company credit of $1000 off cost and at 0.0% for life of the loan, had caused the alert.

First time I decided to use the company’s money instead of the whole thing from one of mine.

Posted by:

20 Jul 2021

I have used LastPass for many years. I find password managers to be VERY convenient. Yes, there is a bit of a learning curve, but once you get the hang of it, you too will be able to boast to your friends and family:

"I have no idea what my Bank password is; I don't need to know."

And for the record, I truly don't know any of my bank or credit card passwords. I only know the MASTER password for LastPass: "the Last Password you will ever have to remember".

And PS: "their" is a pronoun for when gender is either unknown, both genders, or gender-irrelevant. "I don't know which person did that; their name is unknown to me."

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- Here's Why Phishing is Getting Worse (Posted: 14 Jan 2020)
Copyright © 2005 - Bob Rankin - All Rights Reserved