A new report from F-Secure has revealed that the most technically competent staff are just as likely (if not more likely) to fail a phishing test exercise.
Phishing
Phishing attacks typically involve sending emails that appear to come from a legitimate company or organisation (e.g., a bank) in order to gain the recipient's trust so that they follow a link in the email. Following that link can lead to malicious software being loaded onto the recipient's device, which can let cybercriminals take control of the computer, log keystrokes and access personal and financial data (for theft and identity theft); more often it simply leads to a fake login or payment page where credentials, card details or money are harvested. Compromising one person's computer and accounts can also provide a way into wider company systems. It should also be noted that phishing links are not confined to email: they can be placed in malicious advertisements, SMS messages and direct messages on chat apps.
The Study
The results of a recent test by F-Secure, published in the report ‘To Click or Not to Click: What we Learned from Phishing 80,000 People’, include a comparison of how personnel working in IT or Development Operations (DevOps) responded to (test) phishing emails. The results showed not only that phishing emails mimicking HR announcements or asking for help with invoicing get the most clicks from recipients but, crucially, that people working in ‘technical’ roles appear to be as susceptible to phishing attempts as the general population, or even more so.
Why?
Matthew Connor, F-Secure’s Service Delivery Manager, offered one explanation for why people working in ‘technical’ roles seemed equally or more susceptible to phishing attempts than the general population: “The privileged access that technical personnel have to an organisation’s infrastructure can lead to them being actively targeted by adversaries.”
Clicked Despite Higher Level Of Awareness
One big concern raised by the study is that although IT personnel were more aware of previous phishing attempts and knew more about the threat than others (as evidenced by post-study surveys), they still clicked on the phishing links as often as, or more often than, other staff.
Speed Of Reporting and Ease Of Reporting Crucial For Security
The study also found that the IT and DevOps groups were no better at reporting phishing attempts than others: in one comparison they came 3rd and 6th out of 9 departments, and in another IT came 15th out of 17 in terms of reporting the phishing emails. The study also highlighted that reporting became more common as time went on, and that the reporting process in place at each organisation played a key role in the level of reporting: 47 per cent of recipients who had a dedicated button to flag suspicious emails used it to report the phishing emails immediately during the study, compared with much lower levels of reporting where there was no button.
Clearly, rapid reporting of phishing emails can help businesses tighten security and raise awareness, and the study shows how much difference a simple, fast, easy-to-use reporting process (a button in the mail client) makes. A report that arrives minutes after the first click gives the security team a chance to pull the message from other mailboxes and block the link before most recipients have seen it; a report that arrives the next day does not.
How To Spot Phishing Emails
Many phishing emails have giveaways that you can spot if you know what you’re looking for. Examples of ways in which you can identify a phishing email include:
– Requests for personal or financial information. Legitimate organisations, and government agencies in particular, are very unlikely to ask for such details via email.
– Generic greetings. Scammers are less likely to use your name to personalise the email greeting and title.
– Mistakes in spelling and grammar can be signs of scam emails.
– Check where links really go by hovering your mouse over them (without clicking!) so that the mail client shows the actual destination URL; if the displayed text says one site and the destination is a different domain, treat the email as suspicious. Check the sender separately: look at the actual email address behind the display name, not just the name shown. Bear in mind that a plausible-looking address or link does not prove an email is genuine, since sender addresses can be forged, but a mismatch is a strong warning sign.
– Beware of heavy emotional appeals that urge you to act immediately. These are signs of scam emails that hope to bypass your critical-thinking and tap into an emotional response.
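The checks in the list above can be applied mechanically to a message before it reaches a human, for example as part of the triage a reported email receives. The following is an added example, not code from the F-Secure report or from any mail product: it parses one RFC 5322 message with Python's standard library and flags the giveaways listed above (display name advertising a different address than the real sender, a Reply-To routed to a third domain, a generic greeting, urgency phrasing, and anchor text that shows one URL while the href points at another domain). The phrase lists, the "last two labels" approximation of a registrable domain, and the sample message are all constructed assumptions for illustration.

```python
"""Heuristic phishing-email triage for the giveaways listed above.

Added example, not from the F-Secure report. Standard library only.
The sample message at the bottom is constructed, not a real phishing email.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phrase lists (assumptions; tune them for your own environment).
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "will be suspended", "act now")
GENERIC_GREETING = re.compile(
    r"^(dear|hello|hi)\s+(customer|user|member|client|valued customer|account holder)\b", re.I)
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@([\w.-]+\.[a-z]{2,})", re.I)


class BodyParser(HTMLParser):
    """Collects visible text and (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname: a crude stand-in for a public-suffix list (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_domain(url):
    """Registrable domain of a URL; bare 'www.site.example/x' is treated as http."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url
    return registrable_domain(urlparse(url).hostname or "")


def analyse(raw):
    """Return a list of (code, detail) findings for one raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    sender = msg["From"].addresses[0]
    sender_domain = registrable_domain(sender.domain)

    # Display name carries an address whose domain differs from the real sender's.
    m = EMAIL_IN_TEXT.search(sender.display_name)
    if m and registrable_domain(m.group(1)) != sender_domain:
        findings.append(("from_mismatch", f"display name shows {m.group(0)}, real sender is {sender.addr_spec}"))

    # Replies silently routed to a third domain.
    if msg["Reply-To"]:
        reply_domain = registrable_domain(msg["Reply-To"].addresses[0].domain)
        if reply_domain != sender_domain:
            findings.append(("replyto_mismatch", f"Reply-To domain {reply_domain} differs from From domain {sender_domain}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = BodyParser()
    parser.feed(body.get_content() if body else "")
    parser.close()
    text = re.sub(r"\s+", " ", " ".join(parser.text)).strip()

    if GENERIC_GREETING.match(text):
        findings.append(("generic_greeting", text[:40]))

    haystack = f"{msg['Subject']} {text}".lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))

    # The "hover over the link" check done programmatically: anchor text that
    # looks like a URL but whose href resolves to a different registrable domain.
    for anchor, href in parser.links:
        if URL_LIKE.match(anchor) and url_domain(anchor) != url_domain(href):
            findings.append(("link_mismatch", f"text shows {url_domain(anchor)}, href goes to {url_domain(href)}"))
    return findings


# Constructed sample message (all domains are reserved .example names).
SAMPLE = b"\r\n".join([
    b'From: "Acme Bank Security (security@acmebank.example)" <alerts@acme-bank-secure.example>',
    b"Reply-To: verify@mail-verify.example",
    b"To: jane.doe@corp.example",
    b"Subject: Urgent: verify your account",
    b"MIME-Version: 1.0",
    b'Content-Type: text/html; charset="utf-8"',
    b"",
    b"<html><body><p>Dear Customer,</p>",
    b"<p>Your account will be suspended unless you act immediately.</p>",
    b'<p>Log in at <a href="http://acme-bank.verify-login.example/auth">https://www.acmebank.example/login</a></p>',
    b"</body></html>",
])

if __name__ == "__main__":
    for code, detail in analyse(SAMPLE):
        print(f"{code:18} {detail}")
```

None of these findings on its own proves an email is malicious (a marketing mailer can legitimately use a third-party Reply-To, and a real bank can say "urgent"), so the output is best used to prioritise which reported messages an analyst looks at first rather than to auto-delete mail. The domain comparison is deliberately crude: for production use, replace registrable_domain with a public-suffix-list lookup so that hosts under co.uk and similar suffixes are compared correctly.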
What Does This Mean For Your Business?
As the study’s report pointed out, above-average or even average susceptibility to phishing among technical staff is a concern, and on the surface it is worrying that IT staff, who should have a higher awareness of phishing, clicked on phishing links more often than other staff. However, as F-Secure highlighted, one explanation may be that IT staff with privileged access to systems are more actively targeted by adversaries, which is also why a compromised technical account is so valuable to an attacker. One really valuable insight from the study is that a fast, easy reporting process for phishing emails gives security personnel and other teams a way to work together and improve an organisation’s resilience against phishing: earlier reports mean earlier detection and containment, which strengthens company security going forward. Cyber security training and awareness efforts remain important in keeping all staff up to date with the nature of threats and how to respond to them in a way that protects the organisation and feeds useful information back to the security team.