A version of this blog was originally published on 8 January 2018.
On average, one in ten emails is a phishing scam. With all that experience, you’d think we’d be pretty good at spotting malicious messages by now.
According to a PhishMe survey, many of us think that’s the case. Very few respondents said they were likely to be lured by the most common pitfalls of phishing scams:
- Urgency: 10.7%
- Fear: 10.4%
- Opportunity: 7.8%
To see whether respondents really weren’t tempted by such scams, PhishMe sent them a series of simulated phishing emails.
Unsurprisingly, respondents were far more likely to open phishing emails that preyed on fear, urgency and curiosity than they thought.
PhishMe’s simulated phishing email warning about an apparent Ebola outbreak was opened by 27.9% of respondents.
An email purportedly from an accountancy firm that claimed a complaint had been filed against the recipient was opened by 34.2% of respondents, and a message saying the recipient was eligible for medical insurance was clicked by 39.2% of recipients.
The most successful phishing attack spoofed a bar association, and claimed that a grievance had been filed against the recipient. It was opened by 44% of respondents.
These weren’t the only types of phishing scam that proved successful, though. Simulated attacks imitating holiday e-cards were opened by 24.8% of respondents, apparent adverts for rewards programmes were opened by 22.3% of respondents, and various other celebratory e-cards and employee satisfaction surveys were opened by 17.2% of respondents.
Why do people fall for phishing scams?
In some ways, it seems impossible that phishing attacks remain so successful. Most people are aware of their existence, many scams do a poor job of imitating their target, and popular targets like Amazon have dedicated phishing prevention pages.
Meanwhile, the tactics that cyber criminals use haven’t changed much over the years, so there are well-established signs that can help you detect phishing scams: a sender address that doesn’t match the organisation named in the message, links whose visible text points to one domain while the underlying address points to another, and language designed to pressure you into acting.
Unfortunately, no matter how obvious those clues are in hindsight, it’s hard to spot them in the moment you read the email. The manufactured sense of urgency, and our own fear and curiosity, often override our better judgement; even if the lapse lasts only a moment, one click is enough for the damage to be done.
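Because people miss these clues in the moment, it helps to have software check for them before the reader does. The script below is an added example (not part of the original post and not a product of the blog’s authors) that parses a raw email and flags the signs just described: a display name that doesn’t match the sender domain, a Reply-To that goes elsewhere, links whose visible text disagrees with their target, and the urgency, fear and opportunity lures from the survey above. The keyword lists, the domain-matching heuristic and both sample messages are our own constructions for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure words grouped by the three motivators from the survey. The lists
# are an assumption for illustration, not a vetted detection vocabulary.
LURE_WORDS = {
    "urgency": ["immediately", "within 24 hours", "urgent", "act now", "expires"],
    "fear": ["complaint", "grievance", "suspended", "legal action", "filed against"],
    "opportunity": ["eligible", "reward", "prize", "claim your", "free"],
}


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Hostname of a URL, or of a bare domain written as link text."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _registered_domain(host):
    # Crude: the last two labels. Fine for an illustration, wrong for
    # multi-label public suffixes such as co.uk (use a PSL library for real).
    return ".".join(host.split(".")[-2:])


def find_phishing_signs(raw_message):
    """Return human-readable warnings for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display name claims an organisation the sender domain doesn't mention.
    name_tokens = [t for t in re.findall(r"[a-z0-9]+", display_name.lower()) if len(t) > 3]
    if name_tokens and not any(t in from_domain for t in name_tokens):
        warnings.append(f"display name '{display_name}' does not match sender domain '{from_domain}'")

    # 2. Replies are routed to a different domain than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.rpartition("@")[2].lower()
    if reply_to and reply_domain != from_domain:
        warnings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # 3. Link text shows one domain while the href goes to another, or the
    #    link leaves the sender's domain altogether.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    parser = _LinkParser()
    parser.feed(text)
    for href, visible in parser.links:
        href_host = _host(href)
        looks_like_domain = re.search(r"\.[a-z]{2,}", visible) is not None
        if looks_like_domain and _registered_domain(_host(visible)) != _registered_domain(href_host):
            warnings.append(f"link text '{visible}' but href goes to '{href_host}'")
        if href_host and _registered_domain(href_host) != _registered_domain(from_domain):
            warnings.append(f"link to '{href_host}' outside sender domain '{from_domain}'")

    # 4. Pressure language: the lures that did so well in the simulation.
    lowered = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", text)).lower()
    for lure, words in LURE_WORDS.items():
        hits = [w for w in words if w in lowered]
        if hits:
            warnings.append(f"{lure} lure: {', '.join(hits)}")
    return warnings


# Constructed sample modelled on the "grievance filed against you" lure.
PHISHING_SAMPLE = """\
From: "State Bar Association" <notices@mail-secure-notify.example>
Reply-To: replies@another-host.example
To: victim@company.example
Subject: Grievance filed against you - respond within 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>A grievance has been filed against you. Review it immediately at
<a href="http://login.mail-secure-notify.example/bar">www.statebar.example/grievances</a>
or you may face legal action.</p>
"""

# Constructed benign sample: consistent sender, link and wording.
CLEAN_SAMPLE = """\
From: "Acme Payroll" <payroll@acme.example>
To: victim@company.example
Subject: March payslip available
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Your payslip is available at <a href="https://hr.acme.example/payslips">hr.acme.example</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, find_phishing_signs(sample) or ["no signs found"])
```

Run on the constructed grievance email, the checker reports the mismatched display name, the foreign Reply-To, the link whose text says one site while the href goes to another, and both urgency and fear lures; the benign payslip notice produces no warnings. None of these checks is conclusive on its own (legitimate mail uses third-party link trackers and legitimate notices can be urgent), which is why such heuristics belong in a mail gateway that scores and flags, alongside SPF, DKIM and DMARC verification of the sender, rather than in a rule that silently drops mail.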
How can you prevent phishing emails?
There’s another reason people fall for phishing emails, and it presents an opportunity to help us fall victim less often.
That so many respondents mistakenly believed they were unlikely to fall for fraudsters’ tactics suggests that victims’ downfall is partly a matter of overconfidence. We are certain we would recognise a phishing email if we saw one, so when our alarm bells don’t ring for a particular message, we conclude it can’t be malicious.
This might well be why young people are more likely to fall for phishing scams than over-55s.
So, perhaps the trick to staying safe is to admit that phishing emails are harder to spot than you think, and to take the time to learn about how to spot malicious emails.
Organisations can help employees gain this knowledge with the help of our Phishing Staff Awareness Course.
This online course uses example attacks to explain how phishing emails work and the damage they can cause. It also shows you how to identify malicious messages and what to do if you think you’ve received one.