Only 1 in 5 professionals can spot phishing scams

News by Steve Gold

Not always easy to spot a phish says McAfee

Research from McAfee Labs claims to show that 80 percent of business users are unable to detect at least one in seven phishing scams. The problem appears to stem from the fact that the finance and HR departments of companies - who hold the most sensitive data - perform the worst when it comes to spotting phishing attacks.

The analysis - McAfee Labs Threats Report: August 2014 - suggests that the fact that the phishers are using five main lures, PayPal, Amazon, eBay, Bank of America and HSBC, is one of the driving reasons for the success of modern phishing attacks.

As part of its research, McAfee says it has been testing the ability of business users to detect phishing though its phishing quiz, which consists of 10 email messages presented in emulated email clients.

According to the security vendor, the test asks respondents - as if they were looking at their own email inboxes - to identify each sample as a real message or a phishing attempt.

The report says that mass campaign phishing and spear phishing are still rampant in the attack strategies used by cybercriminals around the world.

Mark Sparshott, EMEA director with Proofpoint, said that the McAfee report confirms his company's own research - carried out at the start of the year - which also noted that subject lures such as Google and PayPal as subjects were being found.

"We also found that the phishers were using social media as a launch pad for the attacks," he said, adding that, thanks to the usage of content management and delivery technologies, the attackers could `see' what device the user was coming in on, as well as their IP address.

By adapting the response content and Web page the user is delivered to based on this information, Sparshott says that a large company could be targeted with, say, 1,000 phishing emails, all of which would generate different results for the people concerned.

Over at Leeds-based Randomstorm, a security systems integrator, meanwhile, Gavin Watson - a senior security engineer - agreed that the 80 percent failure rate at spotting phishing attacks was in line with his own observations.

Naming and shaming

"One of the most common topics that we discuss with clients is the policy of not naming and shaming individual employees following a social engineering/phishing vulnerability evaluation. Even though clients often request this information, when we explain to them the circumstances of employees clicking links, revealing information, or providing unauthorised access to the organisation, they often realise that they would have fallen foul of the same tricks and that it is the procedures that are at fault, rather than individuals," he said.

"We always steer the debrief conversation in the direction of remediation and education. The pen tester's advice should ideally find its way into the next round of staff awareness training to enable the client organisation to make significant improvements in its security posture," he added.

James Moore, a senior consultant with MWR InfoSecurity, said that, when his firm runs a phishing assessment against 1,000 employees in an organisation it is not unusual to get 750+ users clicking on the link and disclosing their authentication credentials.

"Perhaps more worryingly still, almost 80 per cent of users that click on a phishing email will then click to download a malicious executable if prompted - giving an attacker complete access to an employees workstation without the need for less-reliable client-side exploitation," he said.

"It's no surprise the volume of phishing attacks is going up; a low barrier to entry combined with phishing attacks being highly effective makes them extremely lucrative to attackers looking to gain access to an organisation's data and networks. The vast majority of organisations out there do not perform practice phishing assessments internally, often relying only on traditional employee security awareness training, which time and time again proves to be ineffective at helping employees identify phishing attacks," he added.

Mark James, a security specialist with ESET, said the problem with phishing emails is that it's their job to trick you into thinking they are legit, often using the same graphics or templates from legitimate emails from real companies.

James went on to say that educating the users at a basic level will help, as will understanding why these type of emails are sent and a clear set of procedures along with contacts when things seem out of place, will go a long way in combating this type of fraud.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews