Results of a survey challenging respondents to spot fake emails used for phishing have indicated that a massive 98% of respondents (including a number of IT professionals) failed to recognise email phishing attempts.
The focussed survey, ‘Real or Steal’, conducted last week by leading London-based IT services company, Conosco, targeted a group of senior individuals across a range of SME companies, to gauge how well this ‘IT savvy’ group could identify increasingly sophisticated hacking attempts. 70% got more than half the answers right but only 6% (2 people) managed 100% success, indicating that businesses remain exposed to risk. In fact, lack of staff awareness/training was highlighted as a significant security concern.
The Real or Steal challenge involved participants judging a series of emails and trying to decide whether or not each email was genuine. Out of the examples, most people (93%) correctly identified a PayPal email as being fake. This suggests that either they are already wary of fake PayPal messages or that they are more suspicious when money is mentioned in an email. On the other hand, most participants were fooled by a phony LinkedIn message, with 63% getting it wrong, possibly indicating that when money is not explicitly involved barriers are lowered and complacency rises.
Phishing is an increasingly worrisome problem, particularly in the UK, as the annual Internet Security Report from Symantec (April 2016) points out. In the report, the UK was ranked as ‘the most targeted nation for spear phishing attacks and ransomware in 2015’. Experts believe that SMEs are fast becoming the favoured targets of phishers as they often are perceived as ill-prepared or under-trained. This is backed up by the latest Government Security Breaches Survey, which found that nearly three-quarters (74%) of small organisations reported a security breach in the last year; an increase on both the 2013 and 2014 surveys.
Max Mlinaric, Managing Director for Conosco said, “When there is a security breach in blue chip companies you tend to hear of it, and can wrongly assume large companies are most commonly targeted. SMEs often present easier pickings for the hackers, as IT skills, security levels, awareness and sometimes personnel training are sometimes lower than in large companies which have deeper pockets. It is crucial that SMEs ensure their IT is as secure as possible, that complacency is battled and their staff are regularly trained in resisting phishing attempts.”
The issue of cyber security for small businesses has been given even greater focus by new European Data Protection regulations which will come into force in 2018. Companies could be fined up to €20m or 4% of their annual turnover, whichever is greater, for allowing any security breaches to compromise their customer data. (Although it’s worth noting that this is subject to change depending on how Brexit policies proceed.)
To view tips on how to detect potential phishing emails view
What is phishing?
CERT UK’s definition of phishing “is a particular type of email scam, whereby victims are targeted from seemingly genuine persons or services, with the aim of tricking the recipient into either providing personal details or clicking on something that will allow the attacker to do something you may not be aware of. Spear phishing is a more targeted version of this attack and is often directed at specific people or organisations as opposed to the more blanket campaigns associated with phishing. Some examples might include:
- An email claiming to be from a bank requesting you log in to verify your account due to fraudulent activity that has taken place; a link provided will direct to a website that looks similar to the genuine site which logs your genuine details once inputted
- An email stating that you have been charged for a service you didn’t use, with an attached document that is supposed to be an invoice; upon opening the attachment malicious code then installs on the computer without the user’s knowledge
- An email that appears to come from a high ranking person within your own organisation that requests a payment is made to a particular bank account; this is more commonly associated with spear phishing”
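The three CERT UK examples above each leave a machine-checkable trace: a sender that claims a brand but mails from an unrelated domain, a link whose visible text names one site while its real destination is another, an attachment of a type that can carry executable content, and payment language paired with a Reply-To that leaves the apparent sender's organisation. The following script is an added illustration of those checks; it is not code from the article, from Conosco or from CERT UK. The brand list, the risky extension list, the payment keywords and both sample messages are constructed for the demonstration, and the domain comparison is a deliberately simple last-two-labels approximation.

```python
"""Heuristic phishing-indicator checks over a raw RFC 822 message (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed mapping: brands that may appear in a display name, and the domain
# genuine mail for that brand would come from. A real deployment maintains its own.
KNOWN_BRANDS = {"paypal": "paypal.com", "linkedin": "linkedin.com"}
# Constructed list of attachment types that commonly carry executable content.
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".docm", ".xlsm", ".zip", ".iso")
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|payment|invoice|bank account)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registered(host: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption: no
    public-suffix handling, so 'www.paypal.com' -> 'paypal.com')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def same_org(host: str, domain: str) -> bool:
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw: str) -> list[str]:
    """Return a list of indicator tags found in the message; empty means nothing flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()

    # 1. Brand named in the display name but sent from an unrelated domain (bank example).
    for brand, domain in KNOWN_BRANDS.items():
        if brand in display.lower() and not same_org(sender_domain, domain):
            findings.append(f"brand-mismatch:{brand}:{sender_domain}")

    # 2. Visible link text names one host while the href resolves to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in ANCHOR.findall(text):
        real_host = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", label).strip()
        m = HOST_IN_TEXT.search(shown)
        if m and registered(m.group(1)) != registered(real_host):
            findings.append(f"link-mismatch:{shown}->{real_host}")

    # 3. Attachment types that can execute code when opened (invoice example).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky-attachment:{name}")

    # 4. Payment language plus a Reply-To outside the sender's domain (CEO-fraud example).
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if PAYMENT_WORDS.search(text) and reply_domain and reply_domain != sender_domain:
        findings.append(f"payment-replyto-mismatch:{sender_domain}->{reply_domain}")
    return findings


# Constructed sample resembling the bank/invoice patterns; all domains are reserved names.
SAMPLE_PHISH = """\
From: "PayPal Service" <alerts@secure-update.example>
Reply-To: finance@payouts.example
To: victim@smallbiz.example
Subject: Unusual activity on your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://secure-update.example/login">https://www.paypal.com/signin</a>
to verify your account before the payment is reversed.</p>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed benign internal message that should trigger nothing.
SAMPLE_BENIGN = """\
From: Alice Smith <alice@smallbiz.example>
To: bob@smallbiz.example
Subject: Lunch tomorrow?
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Shall we meet at noon? Alice
"""

if __name__ == "__main__":
    for tag in phishing_indicators(SAMPLE_PHISH):
        print(tag)
```

Each indicator on its own is only a hint (marketing mail legitimately uses tracking hosts in links, and finance teams do forward invoices), so the useful output is the combination: a message that trips three or four of these checks at once is the kind of email the Real or Steal participants were asked to spot.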