No matter who you are, or how you get your email, you’re bound to be a target. That’s the inconvenient truth about phishing. The sheer volume is astonishing -- McAfee Labs found over 150,000 new phishing URLs in the fourth quarter of 2014 alone. Couple that with Verizon’s finding that nearly one in five users will click on a link within a phishing email, and the reality sets in. This is an uphill battle, and end users are on the front lines.
But it’s not just volume that results in compromise. More often than not, the phishing emails that result in a successful breach utilize highly sophisticated malware and social engineering, and are targeted at the most vulnerable amongst us.
At Intel Security, we have our sights honed in on this problem. To help companies’ efforts to reduce their risk and susceptibility to phishing, we teamed up with CBSNews.com to bring the issue to light on a global scale, raise awareness, and further educate the public.
Back in December, we released the first stage of our educational program -- an online quiz that asks people to identify whether a set of 10 emails are legitimate or phishing. Quiz takers can then review what they got wrong, and what they should have looked out for. It’s a simple concept, but a powerful one. Looking at our inboxes every day, not all of us think “Is this a real email?” But we should! Vigilance against social engineering is every individual’s responsibility. We recently published a report on this titled “Hacking the Human Operating System,” which I recommend reading if you want to dig further into the psychological forces at play in these attacks.
Bottom line: If more of us were able to spot fraud, then no matter whose information it is -- whether personal or corporate -- there would be less of a chance for a criminal to commit theft.
You’re probably wondering how people performed on this quiz. Check out a follow-up article on CBSNews.com here and a few highlights below:
- Only 3% of all respondents were able to identify every example correctly
- 80% of all respondents misidentified at least one of the phishing emails
- The 35 to 44 year old age group performed best, answering an average of 68% of questions accurately
- Of the 144 countries represented in the survey, the U.S. ranked 27th overall in its ability to detect phishing, with 68% accuracy
One of the key takeaways in the aforementioned report is that “during a social engineering attack, the victim is not consciously aware that his or her actions are harmful.” Of course, in most cases, users are not intentionally infecting themselves with malware or divulging sensitive information. Reducing the impact of phishing requires a two-pronged approach: Companies need to educate their employees, and they need to employ prevention technology. By scanning every email for known bad senders, malicious files, and malicious URLs, organizations can reduce the attack surface immediately. Innovative approaches to threat detection like click-time malware scanning for URLs in email and attachment file sandboxing are new and effective ways to stop attacks.
Take a look at your email environment. If you’re running traditional Exchange on-premises, or managed by a partner, make sure you have email protection scanning the inbound and outbound flow of mail. If you are like many others in IT right now, you’re probably evaluating or already moving to a hosted Exchange environment such as Microsoft Office 365. The same concept applies. You need strong threat detection for your email, including defenses like click-time malware scanning to keep up with the dynamic nature of malware infection used in sophisticated phishing attacks.
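To make the click-time URL scanning mentioned above concrete, here is an added Python illustration that is not part of the original post or of any Intel Security product: links are rewritten at delivery time to route through a checking gateway, and the destination is judged against the blocklist only when the user actually clicks, so a URL that turns malicious after the mail arrives is still caught. The gateway address, signing key and sample message are constructed assumptions.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed values for this illustration, not from any real product.
REWRITE_KEY = b"example-rewrite-key"
GATEWAY = "https://clicktime.example.invalid/check"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def sign(url: str) -> str:
    """HMAC over the original URL so the gateway can reject tampered links."""
    return hmac.new(REWRITE_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_urls(body: str) -> str:
    """Delivery time: wrap every URL so the click is routed through the
    gateway instead of going straight to the destination."""
    def wrap(match: re.Match) -> str:
        url = match.group(0)
        return f"{GATEWAY}?u={quote(url, safe='')}&sig={sign(url)}"
    return URL_RE.sub(wrap, body)


def extract_links(body: str) -> list[str]:
    """Return every URL found in a message body (used to pick out rewritten links)."""
    return URL_RE.findall(body)


def resolve_click(gateway_url: str, blocklist: set[str]) -> tuple[str, str]:
    """Click time: verify the signature, then judge the destination against
    the blocklist as it is *now*, not as it was when the mail arrived."""
    params = parse_qs(urlparse(gateway_url).query)
    url, sig = params["u"][0], params["sig"][0]  # parse_qs already url-decodes
    if not hmac.compare_digest(sig, sign(url)):
        return ("block", "tampered link")
    host = urlparse(url).hostname or ""
    if host in blocklist:
        return ("block", url)
    return ("allow", url)


if __name__ == "__main__":
    # Constructed sample message: the link is unknown at delivery, flagged later.
    mail = "Please verify your account at http://login-reset.example.invalid/x today"
    link = extract_links(rewrite_urls(mail))[0]
    print(resolve_click(link, set()))                             # allowed at delivery
    print(resolve_click(link, {"login-reset.example.invalid"}))  # blocked at click time
```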
I’m sure this isn’t the first time you’ve heard about phishing, and it won’t be the last. Take the right steps now to protect your organization.