A fifth of all employees will fall for a phishing message, study finds
And of those redirected to a spoofed web site, almost a quarter will enter their details into a form
More than a fifth of employees will fall for a phishing message, taking further action such as clicking on a link, according to a study by Phished.io, a provider of cybersecurity training software.
Ninety per cent of all breaches start with human error, and phishing is still the number one way that cybercriminals break through an organisation's protective barriers.
Despite most people now being aware of the practice, we are all still vulnerable, particularly at times of crisis such as the pandemic. That's because criminals are adept at adapting their approach to fit current circumstances.
In its report, Phished.io notes that incidents of SMS phishing (smishing) and voice phishing (vishing) have both risen during the pandemic. In the case of smishing this is partly because many government communications are sent to mobile devices via SMS. Meanwhile, the use of phone calls by criminals has evolved beyond the familiar fake Microsoft support calls, with a focus on regional issues and the employment of people with local accents in order to be more convincing.
Like last year, Covid-related topics including working from home and testing were the most prevalent globally in 2021, followed by 'work' emails concerning Microsoft Office, Sharepoint or Gmail, and then fake IT support messages to do with passwords, VPNs and the like.
In the UK, the order was a little different from the global pattern, with fake Amazon delivery notices and spoofed HR messages coming second and third, respectively.
The Phished.io study, the result of sending 100 million simulated phishing attempts to people worldwide, found that people are still disturbingly likely to fall for phishing messages, particularly if those messages are short, if they contain a request for help, and if the sender appears to be someone known to the recipient.
Globally, 53 per cent of the simulated phishing messages were opened, with more than a fifth (22 per cent) being successful in that the recipients took further action such as clicking on a link. Among those people who did take further action, 23 per cent went on to enter their details into a form on a spoof web page, and 7 per cent downloaded and opened an attachment. Meanwhile, 7 per cent reported the phishing attempt to their appropriate authorities. The pattern in the UK was similar to the global picture.
Among those with no cyber security training, half of the phishing simulations were successful.
Phishing is evolving all the time. Recently, Microsoft warned of the rise of a large scale phishing-as-a-service operation that not only sells phishing kits and email templates, but also provides criminals with hosting and other automated services.
Criminals are also able to obtain huge datasets of individuals for use in such attacks by scraping social media sites such as LinkedIn, and 'off the shelf' phishing kits are becoming cheaper and easier to use, the report notes.
New techniques are also being deployed to catch people off guard. These include: the use of convincing deepfakes; QR fraud, in which fake QR codes are used to facilitate online transactions, misdirecting the user or stealing information; and calendar invitation fraud, in which a hacked but trusted source sends a calendar invitation that bypasses spam filters and requires a password to open, with the entered password then being sent to the attacker.