Two new studies make this point, and show the devastating consequences of being wrong.
Security firm McAfee has created a tool that lets consumers test their ability to distinguish between real emails and fake “phishing” emails designed to steal their personal information. So far, consumers have failed the test — miserably.
In a report released earlier this month, McAfee said that of the 19,000-plus visitors from more than 140 countries, only 3% of test-takers identified every email correctly.
Even worse, four out of five thought at least one phishing email was real.
“The worldwide average score was 65.4%, which means test takers missed one in four phishing emails on average,” McAfee said.
Those results are dismal. It costs criminals almost nothing to send phishing emails, and this study suggests that they only need to get four of them into a potential victim’s inbox in order to pull off a caper.
That’s bad enough, but traditional phishing attacks are little more than vaguely targeted spam — a fake Bank of America email sent to a million people in the hope that 25,000 are actually Bank of America customers. The really insidious, and increasingly successful, crime is known as “spear phishing.” Rather than send out a million fake messages, spear phishers send out only a handful — or even only one — at a time. These emails are meticulously designed to trick the recipient. A common tactic: A booby-trapped email sent to an important person’s administrative assistant with a realistic-sounding urgent message, such as “Traveling: Please review this document immediately.”
Spear phishing is blamed for some of the most high-profile hack attacks ever. A report released earlier this month by the InfoSec Institute blamed spear phishing for the Target and Sony attacks, and for cyberattacks carried out by the Syrian Electronic Army and others. The group Citizen Lab provided evidence last year that the Islamic State in Iraq and Syria (ISIS) had used spear phishing attacks against a group attempting to document human rights abuses, in an effort to unmask its members’ location.
It should be no surprise that phishing emails have also been used to attack workers at America’s critical infrastructure plants and other crucial systems.
“Spear phishing represents a serious threat for every industry, and the possibility that a group of terrorists will use this technique is concrete,” the InfoSec report concludes.
The best defense against phishing and spear phishing is humility. Yes, you can fall for a well-crafted trick email. It only takes one moment of weakness, one click when you are distracted by something seemingly more important, to make a critical lapse in judgment that can ruin your whole day, or much worse. Your best defense: Be skeptical of every email, even those that appear to be sent by friends or co-workers. If you have any feelings of doubt, don’t click — call.
McAfee offers these additional tips:
- Keep an eye out for telltale signs. Bad grammar, bad syntax, suspicious senders and links to misspelled URL addresses are all telltale signs of phishing.
- Also watch for emails from unknown senders or ones asking you for personal information, especially if it’s in a threatening manner.
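Two of those telltale signs, a sender whose display name borrows a brand its address does not belong to, and a link whose visible text names one site while the underlying address points to a lookalike, can be checked mechanically. The script below is an added example written for this page, not code from McAfee or from the article; the sample messages it parses are constructed, the `TRUSTED_DOMAINS` allow-list is an assumption, and the "last two labels" domain rule is a simplification a real filter would replace with the public suffix list.

```python
"""Heuristic phishing-indicator check for one email message (added example)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: brands the recipient really does business with.
TRUSTED_DOMAINS = {"bankofamerica.com"}

# Constructed phishing sample: the display name and the anchor text claim
# bankofamerica.com, the real sender and link go elsewhere.
PHISH_EMAIL = """\
From: "Bank of America Alerts" <alerts@bankofamerica-secure.example>
To: victim@example.com
Subject: Traveling: Please review this document immediately
Content-Type: text/html; charset=utf-8

<p>Your account has been locked. Verify now:</p>
<a href="http://bank0famerica.example/login">https://www.bankofamerica.com/login</a>
"""

# Constructed legitimate sample: everything agrees, so no findings.
CLEAN_EMAIL = """\
From: "Bank of America" <alerts@bankofamerica.com>
To: victim@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<p>Sign in to view it:</p>
<a href="https://www.bankofamerica.com/login">https://www.bankofamerica.com/login</a>
"""

URL_RE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#]\S*)?$")


def edit_distance(a, b):
    """Levenshtein distance; 1 for bank0famerica vs bankofamerica."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname (simplification; use the public suffix list in production)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(domain):
    """Trusted domain this untrusted domain imitates (typo or brand-in-label), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    label = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        t_label = trusted.split(".")[0]
        if t_label in label or edit_distance(label, t_label) <= 2:
            return trusted
    return None


def analyze(raw):
    """Return (indicator, detail) pairs for a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for addr in (msg["From"].addresses if msg["From"] else ()):
        sender_domain = registrable(addr.domain)
        brand = lookalike_of(sender_domain)
        if brand:
            findings.append(("sender-lookalike", f"{addr.domain} imitates {brand}"))
        name = addr.display_name.lower().replace(" ", "")
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in name and sender_domain != trusted:
                findings.append(("sender-display-mismatch", f'"{addr.display_name}" sent from {addr.domain}'))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host = urlparse(href).hostname
            if not href_host:
                continue
            if URL_RE.match(text):
                text_host = urlparse(text if "://" in text else "http://" + text).hostname
                if registrable(text_host) != registrable(href_host):
                    findings.append(("link-text-mismatch", f"text shows {text_host}, link goes to {href_host}"))
            brand = lookalike_of(registrable(href_host))
            if brand:
                findings.append(("link-lookalike", f"{href_host} imitates {brand}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in analyze(PHISH_EMAIL):
        print(f"{indicator}: {detail}")
```

Run against the constructed phishing sample it reports a lookalike sender domain, a display name that does not match the sending domain, anchor text that disagrees with the real link target, and a typosquatted link host; the clean sample produces nothing. Such checks catch sloppy phishing, not the well-crafted spear-phishing message described above, which is why the "don't click, call" rule still applies.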
You may not always know that your information has been compromised until the damage has already been done. However, regularly checking your account statements, credit reports and credit scores for signs of fraudulent transactions and new accounts can help you spot many problems before they become even bigger.