With 3.4 billion malicious emails sent every day, phishing poses a massive risk to organisations of all sizes.
However, the threat doesn’t just come from the volume of scams, but their idiosyncrasy. The measures you put in place to protect you from most cyber attacks – anti-malware, perimeter scans, vulnerability assessments, etc. – are inadequate when it comes to phishing, because fraudsters doesn’t exploit technological weaknesses.
They instead target employees using a tactic known as social engineering.
What is social engineering?
Social engineering is a collective term for the ways people are manipulated into performing certain actions.
In an information security context, it refers to the methods fraudsters use to get people to hand over sensitive information and expose themselves to malware.
Phishing is a classic example of social engineering, as the scams emulate legitimate organisations and attempt to trick people into complying with a request.
How do phishing scams manipulate us?
In some ways, it seems impossible that people could fall for phishing. Awareness is at a record high, popular targets like Amazon have dedicated phishing prevention pages and many bogus emails do a poor job of imitating their target.
Yet phishing is as successful as ever. Why? Because it taps into people’s fears to such an extent that they can’t spot the signs of bogus emails.
For example, many messages replicate services that possess sensitive information or are essential for the user’s quality of life. This explains the prevalence of phishing emails that relate to tax forms or entertainment services like Netflix.
A 2017 PhishMe survey found that fear was the most effective motivating factor for someone to click a link or open an attachment in a phishing email.
The organisation sent a series of benign phishing emails to respondents and found that the most successful scam spoofed a bar association that claimed that a grievance had been filed against the recipient. It tricked 44% of respondents.
A similar scam email imitating an accountancy firm that claimed a complaint had been filed against the recipient was successful 34% of the time.
Catching us off guard
Although people are always susceptible to phishing, cyber criminals increase their chances of success by sending scams at times when we are most vulnerable.
Phishing has a comparatively low success rate when the recipient is busy or thinking about something else when they receive the message. The sense of urgency is diminished on, say, Monday mornings, when employees have plenty of other urgent tasks.
When they come back to the email a few hours later, they are more likely to notice the things that seem suspicious. Or, if the message is imitating a colleague, they’ll see that person in the office, ask about their request and realise that it was a scam.
Criminals therefore try to send scams when people are most likely to take action right away, which means scheduling them for times when recipients are least likely to be busy. Fridays are sometimes considered the peak time for phishing, but you’re just as likely to fall victim during the middle of the week.
Whatever day it is, the consensus is that you’re most vulnerable during your lunch break and in the early afternoon. This is because most of us take a break from whatever task we were doing. We might use the time to check our emails, and the message may appear as we sit there with no other tasks at hand.
How vulnerable are your staff?
There’s a simple way to assess how big of a threat phishing poses to your organisation: send your employees a scam email.
This might sound reckless, but it’s perfectly safe. Our Simulated Phishing Attack service sends your employees a typical example of a phishing email without the malicious payload.
This gives you the opportunity to monitor how your employees respond. Do they click a link right away? Do they recognise that it’s a scam and delete it? Do they contact a senior colleague to warn them?
You can use the answers to guide your information security measures and to act as a reference point when it comes to staff awareness training.
A version of this blog was originally published on 23 November 2016.