If you’re the kind of person who replies to emails as quickly as possible, you’re at the greatest risk of falling for a phishing scam, according to a new report.
Proofpoint’s The Human Factor 2018 Report has found that 52% of all successful phishing emails are clicked on within one hour of being sent. Almost a quarter of clicks occur within five minutes, and 11% within one minute.
This suggests that, as experts have routinely claimed, one of the biggest motives for clicking on phishing emails is a manufactured sense of urgency. People are much more likely to open an email immediately if the subject matter suggests that it’s time-sensitive.
Another commonly cited driver for successful phishing attacks is a victim’s sense of curiosity. If someone has no pressing tasks at hand and has the time to open an email as soon as they receive it, they also have the time to look at whatever link or download the email encourages them to click on.
The report contains several other notable findings. For instance, it states that, for every legitimate website, there are 20 malicious websites mimicking its domain. This practice is known as typosquatting, and as the name suggests, it’s designed to trip up users when they mistype web addresses. The sites are also often used in phishing scams, with criminals hoping that users won’t notice the slight difference in the domain name.
In both cases, the phony site typically masquerades as the genuine one and tricks users into either downloading malware or handing over their personal details.
The most common typos that cyber criminals exploit are:
- Swapping an individual character (41%)
- Inserting an additional character (32%)
- Adding or removing the first or last character (13%)
- Removing a character (6%)
- Adding a hyphen (5%)
- Other (3%)
The report also noted that as many as 95% of web-based attacks incorporate social media in some way. This might be in the form of fake updates, bogus security alerts, or other tricks to persuade users to install malware.
Lastly, it found that Dropbox had the greatest lure for phishing attacks. Twice as many phishing scams used the file-sharing service to entice victims than the next most popular lure (emails supposedly from financial institutions). However, it wasn’t the most successful method. That honor belongs to DocuSign, which had a click rate five times higher than the average.
Tips for avoiding phishing
Proofpoint recommends that organizations train employees to spot socially engineered attacks. Training should focus on the way cyber criminals fool people, such as via typosquatting, or pretending that the message is urgent.
They should also teach employees how to spot malicious emails and condition themselves to sense when they are being manipulated. This is often as simple as taking a moment to reread a seemingly urgent email or checking the sender’s email address.
Proofpoint also advises organizations to perform regular simulated phishing attacks. This involves sending your own employees a phishing email (obviously without the malicious payload) to assess how vulnerable they are.
If you need help with staff awareness courses or simulated phishing emails, IT Governance can help.
Our Phishing Staff Awareness Course covers everything your staff need to know in an easy-to-understanding e-learning module. It explains the types of phishing email you are likely to face, the consequences of a successful attack, how to identify a scam, and how to avoid an attack.
Our Simulated Phishing Attack includes:
- A consultation to determine the extent of the phishing simulation
- Carefully designed non-destructive attacks that target employees of your choice
- A breakdown of the results, which highlights the problem area