Research from PhishMe has uncovered the scale of the phishing problem in UK businesses: more than a quarter (27%) of office workers do not know what phishing is, yet more than three quarters (78%) of respondents said they had never fallen for a phishing attack. Phishing emails, spoofed emails that try to trick recipients into doing something they shouldn't, let hackers gain access to the corporate network in order to acquire sensitive information such as usernames, passwords or R&D information.
The research, conducted by OnePoll amongst 1,000 office workers across the UK, showed that more than 1 in 5 people admit to having been tricked by a phishing email into clicking a link or opening an attachment, but more worrisome is the 78% who think they have never fallen for a phishing email. In PhishMe's experience of tracking the responses of more than 3.5 million users, around 60% of people will fall for a phish if they have never been trained to recognise the signs of a phishing email.
Scott Greaux, Vice President, Product Management and Services from PhishMe said, "Spear phishing is the criminals' method of choice if they want to get inside an organisation. They send well-researched emails to a handful of individuals inside companies they want to infiltrate. The emails are designed to get the recipient to react – either by clicking a link, opening an attachment or providing personal information. User education is essential – to change their behaviour and help ensure your employees don't fall victim."
If phishers want to get inside your company, they can be very imaginative. They might research an individual and learn that they were at an event last week, and send an email saying "It was great to meet you at ABC conference last week, here's a link to some of the research we covered on the day which might be interesting to you". It's relevant to the recipient so they might click the link without thinking.
However, trained employees will know to look at the underlying URL, not just the displayed text, to see where it is actually going. They will look at email headers to try to understand if the email address has been spoofed. And they will use common sense – if they don't remember meeting that person they won't click on the link. (Likewise, if they didn't enter a raffle for an iPad, they won't believe the email that tells them they won!)
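Both checks described above (reading the real destination behind a link's displayed text, and comparing the sender headers with each other) can be automated as a first-pass triage step. The script below is an added example, not PhishMe's code or part of the original article; it runs against a constructed message modelled on the conference scenario, and the `.example`/`.invalid` domains, header values and helper names are all assumptions.

```python
"""Flag two classic phishing tells in a raw email: a link whose visible
text names one host while its href goes to another, and sender headers
(Reply-To, Return-Path) whose domain disagrees with the From domain.
Added example; the sample message is constructed, not a real campaign."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "great to meet you" lure with a look-alike link.
SAMPLE_EMAIL = """\
From: "ABC Conference" <team@abc-conference.example>
Reply-To: ABC Conference <followup@mail-relay.invalid>
Return-Path: <bounce@mail-relay.invalid>
To: alice@corp.example
Subject: Great to meet you at ABC conference
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Here is the research we covered on the day:</p>
<p><a href="http://abc-conference.example.login-portal.invalid/research">https://abc-conference.example/research</a></p>
<p><a href="https://abc-conference.example/agenda">Agenda</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lowercase hostname of a URL (scheme added if missing), or ''."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _looks_like_url(text):
    """True when the visible link text itself reads as a URL or hostname."""
    return text.startswith(("http://", "https://", "www.")) or (
        "." in text and " " not in text)


def find_link_mismatches(html):
    """Return (visible text, real href) pairs whose hostnames disagree."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if _looks_like_url(text) and _host(text) != _host(href)]


def _domain_of(header_value):
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def find_header_mismatches(msg):
    """Return (header, its domain, From domain) where the domains differ."""
    from_domain = _domain_of(msg["From"])
    findings = []
    for name in ("Reply-To", "Return-Path"):
        if msg[name] is None:
            continue
        domain = _domain_of(msg[name])
        if domain and domain != from_domain:
            findings.append((name, domain, from_domain))
    return findings


def analyse(raw_message):
    """Parse a raw RFC 5322 message and run both checks on it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return {
        "links": find_link_mismatches(msg.get_content()),
        "headers": find_header_mismatches(msg),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_EMAIL)
    for text, href in report["links"]:
        print(f"link shows {text!r} but goes to {href!r}")
    for name, domain, from_domain in report["headers"]:
        print(f"{name} domain {domain!r} differs from From domain {from_domain!r}")
```

Neither finding is proof of phishing on its own (mailing-list relays legitimately set a different Return-Path), which is why the output is a list of tells for a human or a mail gateway rule to weigh, exactly the judgement the training described above is meant to build.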
Greaux continued, "Effective education needs to be immersive. Mock up phishing emails and send them to your employees, and see what they do. If they click on the link, open the attachment or provide personal data, then provide immediate feedback in the form of training. Repeat the training on a regular basis and you will quickly see that the percentage of people who fall for it will quickly drop."
Note: The PhishMe survey was conducted by OnePoll among 1,000 office workers across the UK.