This feature was written by Scott Gréaux, Vice President Product Management and Services at PhishMe.
One of the most common ways for cybercriminals to gain access to sensitive data on enterprise networks is through phishing. Phishing is a method where cybercriminals send spoofed emails to try to trick recipients into doing something they shouldn’t. These emails can also give hackers access to corporate networks, where they can acquire sensitive information such as usernames, passwords or R&D information.
Every employee is at risk of being targeted by hackers. Because of the large volume of emails that workers handle each day, hackers are able to slip their malicious emails in amongst them. So what can email users do to improve their chances of identifying phishing attacks?
It all comes down to making sure your staff have a level of security awareness, and training them to know what to look for so they don’t get duped into opening emails that are traps.
Our experience of tracking the responses of more than 3.8 million users shows that around 60 percent of people will fall for a phish if they have never been trained to recognize the signs of a phishing email. However, trained employees will find it much easier to spot a phishing email. They will know to look at the underlying URL, not just the displayed text, to see where it is actually coming from. They will also look at email headers to try to understand if the email address has been spoofed.
We recently commissioned a survey of 1000 office workers to help understand the scale of phishing in the UK. The results revealed that:
- 27 percent of office workers do not know what phishing is
- Nearly 60 percent of office workers receive phishing emails at work every single day, and six percent receive more than 10 phishing emails every day
- More than one in five people admit to having been tricked by a phishing email into clicking a link or opening an attachment
- 78 percent of those surveyed think they have never fallen for a phishing email
- 29 percent do not report suspicious emails to their IT department
- 49 percent are more worried about being phished at home than at work
Not only do these findings reveal that UK office workers are being swamped daily by phishing emails, they also show that technical controls are failing to stop these messages as they pass through security appliances. Emails are ending up in users’ inboxes, and for some companies it may come down to luck if that employee responds.
Spear phishing
One of the most sophisticated types of phishing attacks is called spear phishing. This is when a hacker will target a specific group or organization and will tailor their attacks to make them look relevant to the recipient. Hackers will carry out these types of attacks in order to gain access to sensitive corporate data, and because the emails they send will look genuine they can often be very successful.
However, despite these worrying statistics, there are a number of steps that can help to identify potential phishing emails. This is what users should look for:
- Do you know the sender, and is the email address one you would expect them to use? An email purporting to be from your CEO, but sent from a Gmail account, should always ring alarm bells.
- Are you expecting a message from the person? Does the email look suspicious? Does the link look genuine?
- The content of the email can be a giveaway. One of the most basic reasons that phishing attacks work is that they prey on a user’s emotional response (fear, curiosity or reward), and emails that evoke strong emotions such as these should be treated as a warning sign.
- Is the email specific? Does it make sense? Although criminals have a lot of information about individuals, they will still keep messages generic to pique your interest and make you take action.
- And of course, while grammar has improved in recent years, mistakes are often an indicator that all is not as it seems.
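Two of the checks above, and the two habits of trained users described earlier in the piece (reading the underlying URL rather than the displayed link text, and comparing the sender headers for signs of spoofing), can be turned into a first-pass triage script for a reported email. The Python below is an added example written for this page; it is not PhishMe's code or tooling. The organisation's domain `example.com`, the two sample messages and the function names are constructed for illustration, and the checks are deliberately simple header and link comparisons rather than a full phishing classifier.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumption: the organisation's own mail domain.
EXPECTED_DOMAIN = "example.com"

# Constructed sample: a "CEO" display name on a free webmail address, a Reply-To
# and Return-Path on yet another domain, and link text that does not match the
# real href. None of these values come from the article.
SAMPLE_EMAIL = """\
From: "Jane Doe - CEO" <jane.doe.ceo@gmail.com>
Reply-To: accounts@example-invoices.test
Return-Path: <bounce@mailer.example-invoices.test>
To: staff@example.com
Subject: Urgent: approve payment today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please approve this before 5pm:</p>
<p><a href="http://example-invoices.test/login">https://portal.example.com/approve</a></p>
</body></html>
"""

# Constructed legitimate message, used to show the checks do not over-flag.
LEGIT_EMAIL = """\
From: "Jane Doe" <jane.doe@example.com>
To: staff@example.com
Subject: Team meeting notes
Content-Type: text/html; charset="utf-8"

<html><body><p>Notes are on the <a href="https://intranet.example.com/notes">intranet</a>.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _domain(addr):
    """Domain part of an address, lower-cased; '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    """Host part of an absolute URL, lower-cased; '' if the text is not a URL."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def phishing_indicators(raw, expected_domain=EXPECTED_DOMAIN):
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Sender checks: the address behind the display name, and whether
    # Reply-To / Return-Path point somewhere other than the From domain.
    _, from_addr = parseaddr(msg.get("From", ""))
    if _domain(from_addr) != expected_domain:
        findings.append(f"sender domain {_domain(from_addr)!r} is not {expected_domain!r}")
    for header in ("Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(header, ""))
        if addr and _domain(addr) != _domain(from_addr):
            findings.append(f"{header} domain {_domain(addr)!r} differs from From")

    # Link check: displayed text that looks like a URL but whose href goes elsewhere.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            if _host(text) and _host(text) != _host(href):
                findings.append(f"link text {text!r} actually points to {href!r}")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

Run on the constructed suspicious message it reports four indicators (sender domain, Reply-To, Return-Path and the mismatched link) and nothing on the legitimate one. A script like this is a triage aid for the people who receive reported emails, not a replacement for the judgement the article asks users to apply: a spear-phishing mail sent from a compromised internal account with no links at all passes every check here.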
Phishing is one of the most common attack methods used by cybercriminals; however, an effective training program and user awareness will minimize the risk of employees falling victim.
Once employees know what to look for they will be able to quickly identify any potential phishing emails and report them before any damage is done.
One Response
Is Training the Key To Spearphishing
Regrettably, training is not the key to spearphishing. In the realm of APT spearphishing, the attackers are not pretending to be your long lost Uncle Bob in Nigeria who just left you a fortune.
First, training does not make people effective email evaluators. This was proven by the 3 Carronade experiments at West Point and in the research by Vishwanath et al., "Why do people get phished?"
Second, APT attackers know that in order to deceive people, the attack must avoid appearing suspicious. That is why in APT spearphishing, the attacker carefully socially engineers the attack NOT TO BE SUSPICIOUS. APT emails contain attachments that are relevant to the victim’s job. APT spearphishing emails almost always use attachments so that the victim cannot examine links.