Everyone has received very obvious “phishing” e-mails: Messages in your in-box that have outrageous subject lines like “Your Account Will Be Suspended,” or, “You Won!”
While some phishing attacks are obvious, others look harmless, such as those in a person’s workplace in-box, seemingly from their company’s higher-ups.
Researchers point out that an e-mail may appear to come from the company’s HR department, for example. E-mails with an “urgent email password change request” had a 28% click rate, Wombat security reported.
Phishing victims act too quickly.
In the workplace, instead of phoning or texting the HR department about this password reset, or walking over to the HR department (a little exercise never hurts), they quickly click.
So one way, then, to protect yourself from phishing attacks is to stop acting so fast! Take a few breaths. Think. Walk your duff over to the alleged sender of the e-mail for verification it’s legit.
Wombat’s survey reveals that 42% of respondents reported malware infections, thanks to hasty clicking. However, employees were more careful when the e-mail concerned gift card offers and social media.
The report also reveals:
- 67% were spear phished last year (spear phishing is a targeted phishing attack).
- E-mails with an employee’s first name had a 19% higher click rate.
- The industry most duped was telecommunications, with a 24% click rate.
- Other frequently duped industries were law, consulting and accounting (23%).
- Government was at 17%.
So as you see, employees continue to be easy game for crooks goin’ phishin.’
And attacks are increased when employees use outdated plug-ins: Adobe PDF, Adobe Flash, Microsoft Silverlight and Java.
The survey also reveals how people guard themselves from phishing attacks:
- 99% use e-mail spam filters.
- 56% use outbound proxy protection.
- 50% rely on advanced malware analysis.
- 24% use URL wrapping.
These above approaches will not prevent all phishing e-mails from getting into your in-box. Companies must still rigorously train employees in how to spot phishing attacks, and this training should include staged attacks.
- Assume that phishing e-mails will sometimes use your company’s template to make it look like it came from corporate.
- Assume that the hacker somehow figured out your first, even last name, and that being addressed by your full name doesn’t rule out a phishing attack.
- Get rid of the outdated plug-ins.
Phishing attacks are also prevalent outside the workplace, and users must be just as vigilant when on their personal devices.
Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.