Phishing test results in a barely-passing grade for users

Perhaps hundreds of emails cross your screen every day. The day can drag on and in the monotony of your daily routine, you just keep clicking on links without a care in the world.

OK, maybe things aren’t that bad, but those phishing scams are tricky and it takes ever-vigilant users and security departments to keep them from spreading. Recently, Diligent, a vendor that provides secure collaboration for corporate boards, rolled out a test to 2,000 users to see how much attention they were paying to what enters their in-box.

An estimated 156 million phishing emails are sent worldwide every day, and about 16 million of those make it through our spam filters and into our inboxes. The global nonprofit Anti-Phishing Working Group (APWG) recorded more unique phishing campaigns in the first quarter of 2016 than in any other three-month span since it began tracking data more than a decade ago, and the U.S. is reportedly home to more phishing sites than any other country, according to Diligent.

Diligent found that there has been a nearly tenfold increase in phishing in just five years, with a particularly alarming jump from about 99,000 documented campaigns in January 2016 to over 229,000 in March 2016 – just three months.

The users in this study were duped the most by emails that came from what appeared to be someone they knew.

Diligent

Often, these emails will tell you that you’ve won a prize, that a friend is stranded abroad, that there’s a problem with your account, or that you just need to update your credit card or password information. Those who took the survey were not fooled by someone saying they won a prize or a trip. You know the saying, “If it is too good to be true, it probably is.”

More than 50 percent of survey respondents said they’ve had an unauthorized charge on their credit cards, 33 percent said their email accounts had been hacked, and 24 percent reported having their social media accounts hijacked.

The big red flags for users were when an email did not address them by name. Spelling and grammatical errors were also key indicators that the email was actually a phishing scam. Other ineffective emails were those purporting to be from the IRS, but users generally have gotten the message that the IRS will never contact you by email — although there have been incidents where users sent Apple iTunes gift cards after being told that would help their case.

Diligent said emails declaring a problem with an account or a new security measure tricked nearly 27 percent of respondents. Social media companies allegedly implementing new login procedures, credit card companies asking the user to open an attachment and verify account details, online merchants saying they’ve temporarily suspended an account, and even banks asking the user to “click here” to restore account access also duped a portion of respondents.

“When our survey respondents tried to spot a real email mixed in with the fakes, they were right more than 60 percent of the time. Still, that means that they flagged real emails as spam nearly 40 percent of the time – enough to do lasting damage to an account, friendship, or other important relationship. The lesson: Try to determine if the email really is spam before marking it as such,” Diligent said.

The average score on the phishing test was 76%, which might be average in the classroom but doesn’t quite cut it in fighting off scam artists.

 

Thanks to Ryan Francis for this article