The Phish Are Still Biting

Category: Security

Despite a decade of terrifying headlines, education programs, employment and school policies, and other efforts to enlighten the masses, the odds are one in four that a phish will get a bite, according to a recent report. Why is phishing still such a big problem? Read on...

Phishing is Still Big Business

It’s enough to make a security evangelist cry; I know I cringed when I learned how many people still fall for phishing campaigns. Now in its eighth year, Verizon's Data Breach Investigations Report (DBIR) has analyzed nearly 8,000 “data breaches” in which data was stolen or destroyed and nearly 195,000 “security incidents” in which hackers attacked systems but either failed to gain access or entered and didn’t steal or damage any data.

Denial-of-service attacks would be an example of a security incident. The 2015 DBIR alone covers 2,100 data breaches and 80,000 reported security incidents in 61 countries during 2014. The DBIR team consists of dozens of tech companies led by Verizon. In 2011, only two percent of data breaches were traced back to phishing emails; by 2014, that figure had mushroomed to 23 percent. Phishing’s gain has come at the expense of spyware and keyloggers, which dwindled to five percent of data breach sources.

Phishing is Big Business

The objectives of phishing campaigns have changed in the past five years. Early phish typically focused on duping victims into providing their login credentials, credit card numbers, bank accounts, and similar information to the bad guys. I'm sure you've seen those emails purporting to be from your bank, PayPal or eBay. "There's a problem… click here to log in and verify your account details." Doing so lands the victim on a rogue look-alike website, which happily accepts their username, password, account number, etc.

The criminals would then use that information to commit fraud and ID theft or sell large batches of personal credentials. Now the goal of a phish is more often to install malware on a victim’s system. Malware can further the infiltration of a business network; enslave its host in a botnet used for spamming or denial-of-service attacks; or hold a computer hostage for ransom by encrypting its stored data.

Malware typically gets installed when a victim opens a file attached to a phishing email or clicks on a link embedded in it. The 2015 DBIR finds that 11 percent of people who receive phishing emails open the attachments.

Ups and Downs

On the brighter (or “less dismal”) side, there has been a “slight decline” in users actually going to phishing sites and giving up their passwords to bank accounts and such. At least that part of the oft-repeated message has gotten through to a few people.

Just as an angler seldom casts his lure only once before moving on to a new spot, phishers generally send more than one phishing email to a given target address. The DBIR found that a phish campaign of ten emails has a 90 percent chance of getting at least one bite.

The bites come quickly, too. Two of the security firms that contribute to the DBIR sent out 150,000 simulated phish emails in a test sanctioned by their corporate clients, then measured the campaign’s effectiveness. Nearly 50 percent of users opened the phish email and clicked on its poisoned link within an hour of receiving it. That's stunning! (We should be happy these guys wear white hats.) The DBIR also reports that the median time-to-first-click in the real phishing campaigns it analyzed was only 1 minute, 22 seconds.

Phishers process their prey quickly, too. As I wrote in Surprising Stats On Phishing, “About 20% of victims had their accounts raided within 30 minutes of giving a rogue site the keys. Once hackers get into an account they spend about 20 minutes, on average, rooting around for more sensitive info and blasting out more phishing messages to a victim’s contacts, if they’re available.”

The rapidity of the phishing cycle gives corporate security administrators too little time to detect and counter phishing campaigns, according to the DBIR. The same is doubly true for home users, who aren’t paid to be constantly vigilant.

Workers in Communications, Legal, and Customer Service departments are the most likely to open phishing emails, the DBIR reports. Email volume is generally high in these departments, leading me to surmise that users don’t have much time to think before taking action on a given email. That’s just what a phisher needs.

Eternal Vigilance...

It’s getting harder to detect phishing emails. Their designers have learned to mimic the emails of legitimate large companies pretty closely, and a phish email may well come from the compromised email account of a trusted contact. But at work or at home, it’s vital to think before you click, and err on the side of caution if you get the slightest whiff of anything “phishy” about an email.

Web browsers and anti-malware suites offer some protection from phishing emails and rogue websites, but you can't rely on them alone. I recommend that you use a bookmark when visiting sites that require a login. And it's always a good idea to call the sender when in doubt.
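The two checks this section and the reader comments keep coming back to (does a link's visible text match where it really goes, the thing you see when you hover over it, and does the reply address agree with the sender) can be automated for triage. The script below is an added example written for this page, not code from the article or from the DBIR contributors; the sample message in it is constructed, every sender, brand and domain in it is a placeholder, and the domain-matching helper is a deliberate simplification that ignores the Public Suffix List.

```python
"""Triage helper: flags the mismatches a phish tends to carry in a raw email.

Added example, not code from the AskBob article. SAMPLE_EML is a constructed
message; all addresses and domains in it are placeholders (.invalid / .net).
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed "your account is locked" lure with a look-alike link.
SAMPLE_EML = """\
From: "Example Bank Security" <alerts@examplebank-secure.invalid>
Reply-To: verify@mail-examplebank.invalid
To: customer@example.net
Subject: Action required: your account has been locked
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity on your account. Please visit
<a href="http://examplebank.login-verify.invalid/auth">https://www.examplebank.com/login</a>
within 24 hours to verify your details.</p>
<p>Questions? See <a href="https://www.examplebank.com/help">our help center</a>.</p>
</body></html>
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Simplification (assumption): a production
    tool would consult the Public Suffix List so 'bank.co.uk' is handled right."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def url_domain(url):
    """Registrable domain of a URL, or None when it has no host (mailto:, relative)."""
    host = urlparse(url).hostname
    return registrable_domain(host) if host else None


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means nothing matched."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Sender checks: policy.default parses From/Reply-To into Address objects.
    sender = msg["From"].addresses[0]
    sender_domain = registrable_domain(sender.domain)
    if msg["Reply-To"]:
        reply = msg["Reply-To"].addresses[0]
        if registrable_domain(reply.domain) != sender_domain:
            findings.append(
                f"Reply-To domain {reply.domain} differs from sender domain {sender.domain}")

    # Link checks: the 'hover over the link' test, done on the markup instead.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_domain = url_domain(href)
            shown = URL_RE.search(text)
            if shown and href_domain and url_domain(shown.group()) != href_domain:
                findings.append(f"Link text shows {shown.group()} but points to {href}")
            elif href_domain and href_domain != sender_domain and text and not shown:
                # A worded anchor leaving the sender's domain is worth a look, not proof.
                findings.append(f"Link '{text}' leaves sender domain: {href}")

    # Attachments are the article's other infection path; list them for the triager.
    for part in msg.iter_attachments():
        findings.append(f"Attachment present: {part.get_filename()}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("!", finding)
```

To use it on a real message, save the email as a raw .eml file and pass its contents to analyze() in place of SAMPLE_EML. A non-empty list is a reason to stop and call the sender, not proof of phishing, and an empty list does not prove the mail is safe; the script only mechanizes the eyeball checks the article recommends.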

Your thoughts on this topic are welcome. Post your comment or question below...


This article was posted by on 24 Apr 2015


Most recent comments on "The Phish Are Still Biting"


Posted by:

Don Gilcrease
24 Apr 2015

The general public will always find ways to thwart the most well thought out and diligent attempts by software design and security professionals to protect them.

Posted by:

24 Apr 2015

Why do these people never get caught and charged? If I were to set up a site doing things that were illegal, I would be traced and charged and my site shut down. Seems no one cares about these frauds. It is all up to the computer owner.

Posted by:

David Guillaume
24 Apr 2015

Only yesterday did I also receive an email claiming to be from Paypal telling me that there was a problem with my account and to log on to the web site contained in the body of the email to rectify matters.

I deleted it and then ran both of my malware programs to ensure that nothing nasty had been left behind. My computer was clean and had not been infected. David Guillaume

Posted by:

Tom English
24 Apr 2015

Why are Financial Institutions held accountable for PROMOTING phishing attacks?
Fidelity Investments emails account holders with numerous invitations to webinars, etc, that can ONLY be accessed by clicking a link in the email and logging in. The same offering is NOT available if the account holder uses his stored link to sign in.
At least two regional banks with whom I have accounts do the same thing. They are training their customers to become victims.

Posted by:

Evelyn Carsey and rest of Carsey Family
24 Apr 2015

Hello Bob, what do you think about Pinger free text? And how does it work? Thank you, Evelyn


Posted by:

Philip Dischert
24 Apr 2015

Bob, thanks for a timely article. Just last week my wife received a phish email claiming to be from a bank that she has an account with. It claimed that her account was locked and offered her a link to enter her account information "for verification". I'm so glad she called me into the office to see this. This was the most authentic-looking phish email that I've ever seen, and I've been around for quite a while. Even the links had the bank's name included, which added reality to the scam.

Remember: NO financial institution will EVER ask for your account information on-line.

When in doubt, always open a browser window and go directly to the institution's web site to verify the status of your account and check for messages.

As a side note: I have to agree with Wilson who wrote, "why do these people never get caught and charged." WHY!!!

BTW: I offered to send the email to the bank's security department, but they weren't interested.

Posted by:

24 Apr 2015

In my address book, I have a "group" list of email abuse reporting addresses.
I forward such emails to all of them, hoping someone will nail the perpetrators.

Posted by:

Lloyd Collins
24 Apr 2015

I got the clear message about Phishing and never have fallen prey. If I can, I report the emails to the Company being exploited. Lately it has been mostly Paypal related, and I have been forwarding them to Paypal.

I am not surprised that they find victims, just not me.

Posted by:

25 Apr 2015

To anybody who gets a phishing email purporting to be from PayPal: PayPal wants you to forward the email with full headers to so that they can investigate it.

Posted by:

Roy Bennett
25 Apr 2015

Great advice, Bob. It's always the same email addresses of friends who send me those blank messages with just a hyperlink to click on. Initially I used to tell them, but I am afraid I've given up now.

The other thing that bugs me is some of the software download sites that I used to trust, which hide crapware away, and it's not always easy to spot it. I always try to go to trusted sites, but I find I have to read very carefully what it is I am downloading.

Posted by:

25 Apr 2015

I have never had any website that requires a username and password officially ask to have them verified. If you put your cursor on the link, somewhere on the screen the website where you will be going will flash up, and it is always something different or something more than the site that it is purporting to be.

Posted by:

Martin Gouldthorpe
25 Apr 2015

Thank you Bob for another helpful article with intelligent and sensible information and warnings. My wife and I seek to be very careful and never open anything that either looks suspicious or appears to be coming from a sender that we do not know or have never heard of.

A few days ago my wife opened her email programme (Windows Live Mail) and immediately asked me to look at it, as her inbox was downloading dozens of emails reporting failure to deliver emails allegedly sent by her. The addressees were unknown to us, and certainly nothing had been sent to any of them from my wife's computer by her or me.

It looked as though someone had used her email address illegally. We deleted all the suspect emails reporting a failure to deliver and I then ran three scans on her computer - Advanced System Care, Malware Bytes and Super Anti Spyware. Between them they identified 75 "Junk File" problems, all of which were removed.

We have received no emails from friends saying that "your address book has been hijacked" or words to that effect and there has been no repeat.

My questions are: was her computer hacked, or was it an indication of phishing success? Do we need to change her email address or do anything more than what I have already done? Any thoughts from you or the knowledgeable folks who post on your comments page would be welcomed and appreciated.

Posted by:

25 Apr 2015

To Martin Gouldthorpe

Strongly suggest changing the password on your wife's email account and making sure it is a strong password, i.e., does not contain known dictionary words, does contain alpha upper and lower case, and numeric, and is at least 10 characters in length with no repeating characters.

Posted by:

26 Apr 2015

Because of all the bad email links, I am really paranoid about clicking on any. And that includes YOUR emails. They always say, "click here to read more". I trust that you, Bob, are being vigilant and click the link. But there's no guarantee that your emails and website are invulnerable (from what I hear, NOBODY is). So I may soon stop clicking your links.

I wish retailers that want to send me coupons or better display their wares would include a full link to their site, so that I can eyeball it for legitimacy and copy and paste it to open in another tab. Instead, their emails just display hypertext links and "click heres" -- often their own retailing website isn't even printed in their email!

I don't fill out surveys if I have to click a link to take them, even though I may indeed have useful comments for the sender.

A previous poster was spot-on in saying banks are guilty themselves of fostering dangerous "click on this link" behavior (usually for more information on something, but it's still a link that may have malware). A few months ago, my bank both emailed and texted me Fraud Alerts to review (with links for "yes it was me" and "no this was not me"), and various people I contacted at that bank said either that A) the Alerts were legit or B) the Alerts were bogus.

So, please Bob, start by making your OWN valuable AskBob emails the model of how to communicate links without training readers to always trustingly click on links in emails.

EDITOR'S NOTE: There's a big difference between a link that goes to (for example) your bank, which requires a login/password, and a newsletter link that goes to an article page. Email newsletters like this one do not require you to log in in order to read the linked content. Apples and Oranges...

Posted by:

Philip Dischert
26 Apr 2015

To Martin Gouldthorpe: I experienced the same thing with Comcast once. Even though they denied a problem, I was able to trace it to them. I checked the headers of all the messages that I received, as you have described, and saw that they were all legitimate vendors and friends.

My account was not hacked nor was it the result of a phishing expedition. It was a technical problem at my ISP. I no longer use them for my email.

Posted by:

27 Apr 2015

Bob, you recommend using bookmarks, to be sure.
Please be aware that those bookmarks are not safe; they can be changed without you noticing.
If you receive a suspicious mail, enter the known address manually in the address field of your browser; otherwise you may go directly to the phishing address.


Regards from Germany

Posted by:

27 Apr 2015

One of my jobs entails reviewing the spam folder in the company email account we use. It's amazing how many IDENTICAL emails we get in a row from supposedly different senders... And the ones we get in Chinese make me wonder what the phisher was thinking...

The words of P.T. Barnum keep coming to mind about "one being born every minute." It's depressing to me to realize just how unaware if not just plain dumb so many people are.

Posted by:

Old Man
28 Apr 2015

There's an old saying that the more we do to make things idiot-proof, the more someone comes up with better idiots.

Posted by:

28 Apr 2015

Bob, your article says "Malware typically gets installed when a victim opens a file attached to a phishing email or clicks on a link embedded in it. "

Reading YOUR articles involves clicking on a link in your emails. Although YOUR links just go to your website, don't involve logins/passwords, AND you have high security vigilance, you're still encouraging behavior that's becoming risky.

What if someone spoofs your email address and sends out carbon-copy newsletters with malware embedded in the links? [Apples and oranges have many differences, but both can go bad.]

Posted by:

Eldred Coot
02 May 2015

We need an amendment to the Constitution that those who engage in internet theft give up all their rights and are immediately shot.
Classify them as terrorists.


Copyright © 2005 - Bob Rankin - All Rights Reserved

Article information: AskBobRankin -- The Phish Are Still Biting (Posted: 24 Apr 2015)