The safest way to ensure people don’t fall for phishing scams is to block those emails before they arrive. We’re reminded of this by a study from McAfee, which found that 80 per cent of office workers were taken in by phishing email.
As part of its monthly threat report, McAfee tested whether or not individuals could identify phishing emails. Presented with a set of ten emails, seven of which included phishing links, 80 per cent of users (in a group of 16,000) fell for at least one of them.
Reminding people not to click on suspicious links should be part of your business security strategy. However, given those tendencies, you also need to ensure that you block as many suspect messages as possible. It’s hard to click on a link you never see.
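As an added illustration of the “block it before they see it” point (example code written for this page, not McAfee’s or anyone else’s filter), the script below runs three cheap link checks that a mail gateway can apply before delivery: visible link text that is a URL pointing somewhere other than the real destination, links to a bare IP address, and hostnames that embed the sender’s domain under a different registered domain. The messages, addresses and hosts are constructed samples; the `registered_domain` helper is a deliberately naive last-two-labels rule.

```python
import re
from urllib.parse import urlparse

# Constructed sample mailbox (hypothetical addresses and hosts, not from the article).
# Message 1 mimics an "update your security questions" mail; message 2 is a benign notice.
SAMPLE_MESSAGES = [
    {
        "from": "it-helpdesk@example-corp.test",
        "subject": "Your security questions are out of date",
        "html": (
            '<p>Please <a href="http://example-corp.test.verify-now.test/login">'
            "https://intranet.example-corp.test/security</a> within 24 hours.</p>"
            '<p>Or use <a href="http://203.0.113.10/login">this mirror</a>.</p>'
        ),
    },
    {
        "from": "it-helpdesk@example-corp.test",
        "subject": "Scheduled maintenance",
        "html": '<p>Details: <a href="https://intranet.example-corp.test/notices/42">intranet notice</a></p>',
    },
]

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
URL_IN_TEXT_RE = re.compile(r"https?://([^/\s<\"']+)", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Last two DNS labels, e.g. 'login.example-corp.test' -> 'example-corp.test'.
    Good enough for this example; a real gateway would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_links(html: str):
    """Return (href, visible text) pairs for every <a> element, with inner tags stripped."""
    return [(href, re.sub(r"<[^>]+>", "", text).strip()) for href, text in LINK_RE.findall(html)]


def link_findings(message: dict) -> list:
    """Run three link checks a filter can apply before the user ever sees the mail."""
    findings = []
    sender_domain = registered_domain(message["from"].split("@")[-1])
    for href, text in extract_links(message["html"]):
        host = (urlparse(href).hostname or "").lower()
        # 1. The visible text is a URL whose domain differs from the real destination.
        shown = URL_IN_TEXT_RE.search(text)
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            findings.append(("display-url mismatch", href))
        # 2. The link points at a bare IP address instead of a hostname.
        if IPV4_RE.fullmatch(host):
            findings.append(("raw ip host", href))
        # 3. The sender's domain appears inside the hostname but is not its registered
        #    domain (e.g. example-corp.test.verify-now.test), a common look-alike pattern.
        if sender_domain in host and registered_domain(host) != sender_domain:
            findings.append(("look-alike host", href))
    return findings


def should_quarantine(message: dict) -> bool:
    """Hold the message back if any link check fires."""
    return bool(link_findings(message))


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        verdict = "QUARANTINE" if should_quarantine(m) else "deliver"
        print(f"{m['subject']!r} -> {verdict} {link_findings(m)}")
```

On the sample data the first message trips all three checks and is held back, while the maintenance notice, whose only link stays within the sender’s own registered domain, is delivered. In practice these checks sit alongside sender authentication and URL reputation; they are cheap first-pass signals, not a complete filter.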
Comments
9 responses to “Yes, Your Users Are Dumb Enough To Fall For Phishing Scams”
One reason people might fall for phishing scams at work is that they might think (however unreasonably) that they have something to do with a deal that their employer might have cooked up.
Much better that they be trapped at the server, or people warned every so often what these scams are, what they look like, and a company-wide policy for dealing with them.
With these statistics showing numbers as high as 80 percent, suggesting that Phishing emails should simply be blocked (which continues to be extremely technically challenging) is falling well short of the mark.
Awareness of Phishing tactics needs to be a constant part of end-user education in all settings, BUT ALSO there needs to be emphasis on REPORTING of Phishing email to security vendors and those companies who are implicated so that Phishing sites (which are often hosted on compromised web servers) can be taken down swiftly.
If we all work together at pushing back against the common phishing criminals, we do have a chance to reduce what is a very serious and prevalent threat.
Can confirm: 3 man office, boss still falls for phishing emails.
“No boss, that isn’t an Australian phone number.”
“No, they were linked from Indian google.”
I successfully phished the details out of a woman who hit my wife’s car and wasn’t giving us the required details for us to make a non-fault claim. People will reply with the requested information very easily when you sound polite, format the email well, and it sounds reasonable.
All we had was her name, and the suburb she worked in the public service. Emailed to [email protected] to every department in that area until I didn’t get a bounce, and she replied with her home phone number and address.
Insurance wouldn’t let us submit a no fault with just her name, rego and mobile number.
Presumably she wasn’t very compliant with giving you the extra details without the phishing then?
Nope, husband got in her ear and convinced her we were ripping her off, because our car was old and worthless. Was about 2.5k worth of damage to a $1500 car. Repair was worth more than the car was worth, and that’s when they stopped being co-operative. They even got us to go to their mate for a quote, who said they were idiots as there was no way he could repair it for less than the value of the vehicle.
I’m forever trying to remind my users not to click links in emails.
But it doesn’t help when head office send out emails saying something like “Your security questions are out of date. Click this link and update them.”
From my (limited) experience, it seems to be the older generations that have the biggest issue with phishing scams. The number of times I’ve seen them reading emails and then asking why someone they’ve only emailed once is telling them to look at X link is incredible.
“Do not click that link.”
‘Why not? I’ve spoken to her before. That’s her email address.’
“Once? And she’s sending you vague links to ‘pictures’ of her holiday?”
Education is the best thing, as it’s not too hard to smell a scam, but people just need to be thoroughly taught.
My old neighbour had a very close friend who almost fell for a 419 scam. My neighbour told the friend it was a scam, and the friend wouldn’t believe my neighbour. A phone call to us (myself as an IT worker and my brother, no longer in the IT sector but still very knowledgeable) straightened that out, until 2 weeks later when she almost fell for a slightly different scam, because they had a larger amount of money on offer, and “Why would they offer that amount of money if they weren’t serious about it?”
Sometimes, it takes an actual loss of money for people to learn, as all the frank talks and education in the world can’t save ’em.