Here's Why Phishing is Getting Worse
Webroot, a computer security company, conducted a phishing survey last August, and asked 4000 office professionals about their email habits. The results may be surprising, but they shed light on why phishing attacks are increasing, both in the home and in the workplace, and how to protect yourself from this threat. Read on for the scoop on phishing...
Phishing Attacks: Sneaky and Effective
When questioned about their email habits, most people think they're pretty good at sniffing out phishing -- those potentially spammy, scammy, or malicious links. If it came from a Nigerian prince, had lots of typos and bad grammar, or asked for personal information, red flags pop up right away. But phishing attacks are getting increasingly clever, and harder to distinguish from legitimate messages.
In the workplace, it's becoming more common for an employee to receive an urgent message that appears to be from their boss or a customer, demanding some sort of immediate action. And on the home front, more users are reporting phishing attacks that look like they're from a friend or family member. And these attacks are working.
Even though 9 of 10 professionals in the sample believed they could differentiate between a phish and a legitimate email, about 60% of the survey respondents admitted they have clicked links in emails from unknown senders -- the most commonly used method to steal credentials or infect a computer with malware.
Malicious links are often disguised as legitimate, which is why it's so important to verify the destination before clicking. Simply hovering the mouse pointer over the link without clicking will reveal the actual address. If you're not 100% sure it's okay to click, put down the mouse and back away from the computer. But the Webroot study showed that 57% of office workers did not routinely verify links before clicking, which may account for the frequency of data breaches.
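The hover check described above can also be done in code. The following is an added example, not part of the original article or of Webroot's report: it parses the anchors out of a (constructed) HTML email body and flags any link whose visible text looks like one web address while its `href` actually points at a different registrable domain, which is exactly what a careful reader sees on hover. The hostnames and the email body are made up for the example; the two-label "registrable domain" rule is a simplification of what a public-suffix list would give.

```python
"""Flag links whose visible text and real destination disagree.

Added example (not the article's or Webroot's code). It automates the
"hover before you click" advice: for every <a> in an HTML email body,
compare the domain a reader *sees* in the link text with the domain the
href actually leads to.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body. The first link shows a bank address in its
# text but goes to an unrelated domain; the other two are benign.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please confirm your recent transaction:</p>
<a href="http://login.examplebank.com.verify-account.example/confirm">https://www.examplebank.com/confirm</a>
<p>Or visit our <a href="https://www.examplebank.com/help">help centre</a>.</p>
<p><a href="https://cdn.example.net/track?u=123">Click here</a> to unsubscribe.</p>
"""

# Matches text that a reader would perceive as a web address, e.g.
# "www.examplebank.com" or "https://www.examplebank.com/confirm".
URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$")


def registrable_domain(host):
    """Reduce a hostname to its last two labels (simplified; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    """Return a list of (href, visible_text) tuples from an HTML fragment."""
    collector = _AnchorCollector()
    collector.feed(html)
    collector.close()
    return collector.anchors


def check_anchor(href, text):
    """Return a finding string if the shown address and the real one disagree, else None."""
    target_host = urlparse(href).hostname or ""
    match = URL_LIKE.match(text)
    if not match:
        return None  # text like "Click here" shows no address to compare against
    shown_host = match.group(1)
    if registrable_domain(shown_host) != registrable_domain(target_host):
        return f"mismatch: text shows {shown_host} but link goes to {target_host or '(no host)'}"
    return None


def audit_links(html):
    """Return [(href, text, finding)] for every suspicious anchor in the body."""
    findings = []
    for href, text in extract_anchors(html):
        finding = check_anchor(href, text)
        if finding:
            findings.append((href, text, finding))
    return findings


if __name__ == "__main__":
    for href, text, finding in audit_links(SAMPLE_EMAIL_HTML):
        print(f"{finding}\n  text: {text}\n  href: {href}")
```

Run against the sample body, only the first link is reported; "help centre" and "Click here" show no address, so there is nothing to contradict (a "Click here" link still deserves a hover, the check just cannot decide for you). A mail client or gateway filter that applies this rule catches the most common disguise the article describes without needing to know which senders are legitimate.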
Dr. Cleotilde Gonzalez, a Carnegie Mellon University research professor who consulted on the survey, says the primary factors that make people click are "urgency, familiarity, and context." Dr. Gonzalez explains why people are often tricked into thinking a rogue email is legit: "If you already expect to receive emails from your boss at your office (context and familiarity), and you are accustomed to messages that request quick action (urgency), then you are likely to assume the message is real. It might never occur to you to suspect that it could be phishing."
You'd think that if someone knew for sure they had been compromised as a result of a phishing attack, they would take steps to lock down their accounts. But one third of those who admitted to having information stolen didn't change their passwords. That's shocking, but there may be a good explanation. An earlier Webroot survey showed 34% of users reported having more than 15 online accounts, and some with more than 30. With a dozen or more logins to remember, it's difficult to maintain strong, unique passwords for all of them. That's why many people reuse passwords across multiple online accounts. Password manager software can be a big help here. If you know you only have to change ONE password, the job of cleaning up after a phishing attack is much less daunting.
Another takeaway from the survey was that users don’t realize all the different forms that phishing attacks can take. Less than half of workers identified phone calls, app notifications, or postal mail as possible phishing vectors.
What Really Gets People To Click?
Scammers take advantage of the fact that employees are eager to please their bosses. In the survey, users were asked "Which of the following messages would you be most likely to open first?" Here are their answers:

| Message | Would open it first |
|---|---|
| An email from my boss | 60% |
| A nice message from a family member or friend | 55% |
| A request from my bank to confirm a transaction | 31% |
| A discount offer from a store | 28% |
| A link to a video from a friend or family member | 27% |
| A prompt for me to verify/authenticate my account | 25% |
| A notification about a fine | 19% |
| Instructions to confirm my billing address | 18% |
| A subpoena or legal request | 16% |
| A link to a funny meme | 13% |
| A message claiming to contain adult content | 9% |
Tips For Staying Safe From Phishing Attacks
The report concludes with some tips to prevent phishing attacks, and increase the chances of successful recovery if it does happen. Not surprisingly, the advice corresponds with many of the computer security tips I've published here on the AskBobRankin site.
- Maintain strong, unique passwords for all accounts and change them regularly. See How Hackable is Your Password?
- Use a password manager to simplify this task. See Is Your Password on the Naughty List?
- Enable two-factor authentication wherever possible. See [SECURITY] Your Password Is Not Enough
- Keep software and systems up to date. See Keep Your Software Updated (or else...)
- Back up, back up, back up. See De-Geekify-ing the Backup
The full report Hook, Line & Sinker: Why Phishing Attacks Work is available if you want to dig deeper. Bottom line, cybercriminals bank on your overconfidence and complacency. Be vigilant and wary of ALL links and attachments in email messages, to decrease (or completely eliminate) your risk of being phished.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 14 Jan 2020
Copyright © 2005 - Bob Rankin - All Rights Reserved