Phishing Scams: Why Employees Click and What to Do About It
IndustryView | 2015
The phishing scam—where criminals impersonate a trustworthy source in order to steal credentials, or place malware on a system—is now a common tactic used by criminal organizations to wreak large-scale havoc.
All companies are at risk from this threat, which exploits employee trust and the ubiquity of email and the Web in today’s connected workplace. For this report, Software Advice surveyed employees to explore their awareness of phishing attacks, and polled experts for advice on how to combat this consistently effective criminal tactic.
“Employees are the weakest link” is a common refrain in cybersecurity circles. Spend a few minutes in any online security forum, and it won’t take long to find exasperated information technology (IT) experts bemoaning the latest deadly encryption malware unleashed on a system by a click-happy employee—who of course doesn’t remember clicking on anything.
But the truth is that, for most people, worrying whether there is a malicious URL in one of the hundreds of emails they receive each day is not a priority. Meanwhile, the hackers who target them are no longer just mischievous teens working from their parents’ basements, but skilled agents of multimillion-dollar criminal enterprises. A well-funded research infrastructure lies behind many of those “phishing” emails purporting to be from a bank or UPS, which are actually fronts designed to steal credentials.
These attacks are so effective and professional that, according to security software firm Trend Micro, 91 percent of all cyberattacks begin with a “spear-phishing” email targeted at a specific individual within an organization. In other words: the bad guys know what they’re doing, and it’s not a fair fight.
So, what are businesses doing to combat this scourge? We surveyed U.S. employees to gauge their awareness of email threats, how they view their own susceptibility to attacks and how much training they receive to deal with such threats. We also talked to industry experts about methods for reducing exposure to phishing attacks through both training and technical controls.
Cyber crooks, like businessmen, are looking to maximize their return on investment (ROI) and minimize their effort. Why waste time on a complex, technically difficult hack when they could get the data needed to access a system from a chatty employee’s Facebook page? When it comes to staging phishing attacks, social media platforms can provide criminals with an invaluable trove of free information about their targets.
The childhood lesson “don’t talk to strangers” still applies in the virtual world. But do employees follow it? We asked how often they connect with strangers on social media.
Only 2 percent of respondents admit to ultra-friendliness (or a complete lack of discernment), accepting every invitation that lands in their inbox. However, almost 50 percent admit to ignoring concerns about “stranger danger” most (17 percent) or some (27 percent) of the time.
By contrast, 29 percent “rarely” accept such invites, while 24 percent “never” do. Thus, less than one-quarter of respondents consistently deny unknown parties access to their social media profiles. “Rarely” is of course much better than “sometimes” or “always,” but still exposes the user to risk—all it takes is one accepted invite from a fraudster to unleash havoc.
The increasing all-pervasiveness of sites like Facebook and LinkedIn has led many people to lead increasingly transparent online lives. But while it might be difficult for employees to imagine that giving strangers access to something as banal as their profile could be dangerous, the threat is very real.
Kevin Epstein, vice president of information security and governance at security firm Proofpoint, says criminals take advantage of hundreds of years of social conditioning that leads people to trust that others are who they say they are.
However, this trust evolved in a context where most encounters occurred face-to-face, and may be misplaced in the world of the Internet, where our interlocutors are often unseen. Once connected to us, criminals can see all kinds of details and connections that provide them with valuable inside knowledge about our lives and work—which is ideal for crafting phishing emails.
Criminals can also exploit social media in other ways, such as sending out fake email templates inviting people to connect online, which send them to a URL designed to steal credentials or place malware on their computers.
Interestingly—and most dangerously, from a business perspective—Epstein says LinkedIn is the easiest social media site for criminals to exploit. Indeed, according to a study by Proofpoint, fake LinkedIn email templates get twice as many clicks as other fake social media invites.
“It’s common practice in physical business situations to meet strangers,” Epstein explains of people’s innate instinct to accept LinkedIn invitations. “They hand you a business card that says ‘vice president of whatever,’ and we think, ‘that’s someone I would like to know from a business perspective.’ We’re conditioned, in the business world, to want to make more contacts—not to refuse contacts.”
The solution here is to never accept any LinkedIn invites sent via email, but to instead log on to LinkedIn directly and check for invitations there.
Of course, criminals seek to manipulate people’s trust in other ways, and target their victims through emails containing infected URLs, dangerous attachments or seemingly benign requests for credentials. By masquerading as a bank, superior or business contact, they lure their victims into danger. Employees must therefore be as cautious with email as they are with social media—but are they?
At first glance, it seems employees are more careful with their email than they are with social media invites from strangers. A virtuous 56 percent say that they have never opened an email that they thought, either before or after opening the email, was fraudulent—e.g., that was a scam, contained malware or otherwise seemed to be from an illegitimate sender intent on committing crime.
Thirty-nine percent do admit to having done so, however, with a further 5 percent “not sure” whether or not they have. Indeed, “not sure” should perhaps have a much larger response, as the most effective phishing emails are not at all obvious to their victims.
This is a point underscored by Epstein, who says that most employees cannot remember clicking on bad links even when an infection has definitely occurred.
“Human memory and habits are funny things: We get into habits where we don’t even remember consciously clicking,” Epstein says. He notes that hackers are well aware of when people are most susceptible to attack, and target emails at specific times of the day.
“If you look at the attacker send patterns, most emails are sent between four and six in the morning, and then there’s another burst late in the afternoons, especially on Fridays. That’s when you’re trying to get through your stuff and get out,” Epstein explains. “Instead of just saying, ‘don’t click,’ tell people, ‘don’t check email until you arrive at the office, and don’t check email after 8 p.m.’ Attackers are very aware that pre-coffee in the morning, you’re susceptible.”
Randy Abrams, research director at security advisory firm NSS Labs, also has some pragmatic advice, recommending businesses ensure their employees understand one thing:
There are only two types of people who will ask you for your password: thieves and idiots. You do not want to give your password to a thief, and if you give it to an idiot, they may give it to a thief. If you get an email asking you for your password, or linking to a page that asks you for a password, assume it is a scam.
Randy Abrams, NSS Labs
Sometimes, however, merely opening the fraudulent email can be enough to launch an attack.
The solution, says security expert Jim Noble, is to “constantly teach and advise employees that merely viewing an HTML email can infect your system (as HTML has the ability to run scripts), and therefore, you should have your email turned to the ‘lowest’-fidelity view, which is plain text.”
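The plain-text view Noble recommends, as an added example that is not from the report or from any of the sources quoted: given a constructed multipart message, plain_text_view returns only the text/plain part, and html_risk_indicators counts what the HTML part would have brought into a full-fidelity view (script tags, and links whose visible text disguises the real destination). The sample message, its domains and both function names are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample (not from the report): a multipart/alternative message whose
# HTML part carries a script and a link whose visible text disguises its href.
SAMPLE_EMAIL = """\
Subject: Action required: verify your account
Content-Type: multipart/alternative; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Your account needs verification. Visit http://login.bank.example.attacker.example/verify
--sep
Content-Type: text/html; charset="utf-8"

<html><body><script>document.location='http://tracker.attacker.example/?id=42'</script>
<p>Your account needs verification.
<a href="http://login.bank.example.attacker.example/verify">https://www.bank.example/</a></p>
</body></html>
--sep--
"""

class _HtmlAudit(HTMLParser):
    """Counts <script> tags and links whose visible text differs from their href."""
    def __init__(self):
        super().__init__()
        self.scripts, self.mismatched_links, self._href, self._text = 0, 0, None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        elif tag == "a":  # start collecting the link's visible text
            self._href, self._text = (dict(attrs).get("href") or ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if self._text.strip() and self._text.strip() != self._href:
                self.mismatched_links += 1
            self._href = None

def plain_text_view(raw):
    """Lowest-fidelity view: only the text/plain part, so HTML is never rendered ("" if absent)."""
    part = message_from_string(raw, policy=policy.default).get_body(("plain",))
    return part.get_content() if part is not None else ""

def html_risk_indicators(raw):
    """What the plain-text view spares the reader: script tags and disguised links in the HTML part."""
    part = message_from_string(raw, policy=policy.default).get_body(("html",))
    audit = _HtmlAudit()
    audit.feed(part.get_content() if part is not None else "")
    return {"scripts": audit.scripts, "mismatched_links": audit.mismatched_links}
```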
IT security professionals may be alarmed by the susceptibility of employees to phishing attacks, but how do those employees assess their own chances of resisting a phishing hack?
To gauge this, we asked two questions: how employees rate their own ability to recognize a scam and avoid being tricked, and how they rate their colleagues’ ability to do so.
There is a wide disparity between the two sets of responses. As the first chart below reveals, most employees are fairly upbeat about their ability to identify and avoid a phishing attack.
Over one-third (36 percent) believe they are much too shrewd to be caught out, while a more modest 56 percent say they are “moderately confident” they could not be fooled. Only 6 percent admit to being “minimally confident”—and this in spite of a year of huge breaches that humiliated large companies, demonstrating that even the best-defended businesses can fall victim to a clever lure.
Dan Kaminsky, co-founder and chief scientist of WhiteOps, ascribes this confidence to inexperience rather than arrogance.
“Most people think they're safe, unless they’ve personally been victimized, and most people have not been personally victimized,” he says. “The problem is, it doesn't take many individual hits to put a company at risk.”
The reality of the situation, Kaminsky continues, is that “every large company—and [nearly every] not-so-large one, as well—is in a constant fight against some corner of its network being compromised, and phishing is a major way attackers get in.”
However, if many employees are likely overestimating their own anti-phishing abilities, they have a very different attitude towards the savviness of their co-workers.
Comparing the results, we see that, while 36 percent of employees believe in their own invincibility, a mere 4 percent feel the same about that of their colleagues.
What’s more, while only 6 percent are “minimally confident” in their own abilities to avoid a phishing attack, a full 37 percent do not trust their co-workers.
But perhaps the most striking difference is in the number who have no confidence at all in their colleagues: 16 percent of employees do not believe their co-workers could resist a phishing attack. In the self-assessment question, only one person chose this option, giving us a percentage so small (0.01 percent) that we could not display it on the chart.
Even if the truth lies somewhere in the middle, it is clear that many employees overestimate their own security skills—which, of course, makes them more vulnerable. It is no surprise, then, that security experts say technical solutions must be a part of a business’s defense against phishing attacks.
For instance, Noble recommends that companies make sure they have “a good spam-blocking or spam-filtering solution, [which] can also reduce the amount of phishing emails, and can also look to see what content and attachments exist in incoming and outgoing email.”
Kaminsky suggests a simple switch that can reduce risk: “In terms of technical measures, configuring browsers to make workflows safer is always good. So, for example, Chrome’s PDF reader is a lot simpler than Adobe Acrobat, and a lot more secure. When it’s feasible for workflows, use that.”
Meanwhile, Proofpoint’s Epstein cautions against purchasing products that advertise themselves as “anti-phishing,” but that are merely identifying threats on the basis of signature-based anti-virus technology. The problem, he explains, is that these only prevent known threats, and are of no use against new strains.
To mitigate this, Epstein recommends that businesses with larger budgets investigate more advanced, cloud-based “security as a service” options. These solutions can provide technologically sophisticated layers of defense without requiring the business owner to have a high degree of technical expertise.
Finally, we wanted to see if employees are receiving security training and advice to help protect themselves against phishing attacks. Technical controls are good to have, and knowing basic best practices can also help—but without ongoing training and informational updates, security will never be top of mind for most employees.
Despite this, security training remains a low priority at many firms: 21 percent of respondents say they have “never” received any form of training or advice from their company about Internet and email security, while a further 21 percent report receiving it only when they were first hired.
When factoring in the 19 percent who only receive training “annually,” a total of 61 percent receive either no training, or training that is likely delivered too rarely to be effective—and which cannot, by definition, be up to date.
On the other hand, 25 percent receive training or advice “quarterly,” 9 percent “monthly” and 5 percent “weekly.” With these frequencies, employees are most likely receiving email alerts and updates about security news and best practices.
Of course, the effectiveness of training is a subject of much debate in cybersecurity circles. Abrams of NSS Labs says that proper education will make the training relevant to the user.
“[Students] need to know why they are learning,” he says, adding that the training should be interactive and focused on problem-solving, with plenty of practical examples. Teachers also need training themselves, Abrams adds, noting that “the use of third-party professional trainers is likely to provide a significantly higher ROI than using untrained, in-house resources.”
Joe Ferrara, president and CEO of training firm Wombat Security Technologies, says that providing security training modules in game-based formats provides “strong employee engagement that translates into increased knowledge and long-term behavior change.”
By incorporating gamification elements, such as scores, lives and a timer into the education process, he adds, businesses not only improve participation, but “also significantly increase knowledge and retention.”
Ferrara also says it can be effective to stage “mock attacks,” but recommends a “soft approach” so that employees do not feel they are being picked on.
“We take advantage of the ‘teachable moment’ and present them with a brief educational message that they see immediately after they click on a link,” he explains. “These messages open the learner’s eyes to the fact that they are vulnerable, but also motivate them to take additional training. The training modules deliver in-depth education.”
Inevitably, some employees are going to open dubious emails, click on bad links and download infected attachments. However, this does not justify an attitude of defeatism, as businesses have to operate in the real world. There is a growing body of research about the tactics of cybercriminals, and sharing this information with employees—combined with pragmatic advice—will help them stay alert to the risks they face each day.
However, there are a few simple steps businesses can take that can go a long way towards reducing risk, such as:
Following these steps can make life much more difficult for hackers—which is, in itself, a line of defense. After all, criminals are businessmen too, and are interested in the maximum return on their time and investment. The more difficult it is to penetrate a particular target, the more likely they are to focus their energies elsewhere.
To collect the data in this report, we conducted an online survey of employees at U.S. businesses. We asked 11 questions, and collected 170 responses per question. All survey questionnaires undergo an internal peer review process to ensure clarity in wording.
Sources attributed and products referenced in this article may or may not represent partner vendors of Software Advice, but vendor status is never used as a basis for selection.
Interview sources are chosen for their expertise on the subject matter, and software choices are selected based on popularity and relevance.
Expert commentary solely represents the views of the individual. Chart values are rounded to the nearest whole number.
If you’d like to further discuss this report or obtain access to any of the charts above, please contact firstname.lastname@example.org.