Security researchers at Fortinet recently quizzed their readers about how savvy they were when it comes to identifying phishing emails. Predictably, and depressingly, Fortinet found a large percentage couldn’t tell the tricks from the treats. (The survey was done just before Halloween.)
Phishers are getting more clever over time, and it is harder than ever to separate legitimate email from messages intended to steal your passwords, your money and your pride.
With all of the information on phishing that is available, and the warnings over the years about what to do and not to do, it’s amazing that this is still a problem. But, let’s face it: End users are not security professionals, and many of us go through our email in-boxes without much of a critical eye.
In addition, phishing schemes are getting more and more sophisticated. It used to be that phishing messages were riddled with grammatical and spelling errors, or just looked wrong. Today, it’s not always easy to pick up on a message with malicious intent. Modern phishers craft their messages carefully, using realistic banner images from the target institution or language that is copied directly from real emails and Web pages.
The growing challenge in discerning email fact from fiction was reflected in the results of the Fortinet quiz, which asked readers to self-select into one of three groups:
- Absolute beginner
- Your average netizen
- Veteran security professional
“As expected, the veterans scored just a little bit better than everyone else, falsely identifying a phishing email just 16% of the time,” the blog reporting the results states. “Conversely, the newbies received bad marks nearly 32% of the time. The middle group marked wrong answers at an average of 21%.”
That is a lot of wrong answers (although, interestingly, one newbie scored perfectly).
Take the quiz for yourself and see how well you can spot the phony emails. But, more importantly, use this exercise as a way to talk to your users and sensitize them to the issues surrounding phishing and its dangers. Security training should be an ongoing affair, providing end users with information about new threats.
“Email is the tried-and-true medium for spammers, and to know that they are still succeeding 20% of the time is a clear call to action for all those security and IT professionals out there,” states the blog. “[Twenty percent] of your organization is at serious risk of clicking on a phishing email today. What are you going to do about it?”