BROOMFIELD, Colo., Sept. 24, 2019 /PRNewswire/ -- Webroot, a Carbonite (CARB) company, released a report, Hook, Line and Sinker: Why Phishing Attacks Work, that sheds light on psychological factors impacting an individual's decision to click on a phishing email. Executed in partnership with Wakefield Research, the report surveyed 4,000 office professionals from the U.S., U.K., Japan and Australia (1,000 per region) to determine what people know about phishing tactics, what makes them click on a potentially malicious link and other security habits.
While a majority (79%) of people reported being able to distinguish a phishing message from a genuine one, nearly half (49%) also admit to having clicked on a link from an unknown sender while at work. Further, nearly half (48%) of respondents said their personal or financial data had been compromised by a phishing message. However, of that group more than a third (35%) didn't take the basic step of changing their passwords following a breach. Not only is this false confidence potentially harmful to an employee's personal and financial data, but it also creates risks for companies and their data.
There is no foolproof way to prevent being phished but taking a layered approach to cybersecurity including ongoing user training will significantly reduce risk exposure. As Forrester points out in its report, Now Tech: Security Awareness and Training Solutions, Q1 2019, "your workforce should treat cybersecurity awareness with the same importance they use for ensuring that their projects, products, and messages are on key with company brand. Invest in solutions that weave security best practices throughout your corporate culture."
Read the Full Webroot Report: Hook, Line and Sinker: Why Phishing Attacks Work
Employees are falsely confident when it comes to knowledge of phishing
- 79% of participants say they can distinguish a phishing message from a genuine one
- 81% of participants are aware that phishing attempts can occur through email, but fail to recognize the many other ways hackers conduct phishing attacks:
- 60% of participants believe phishing attempts can come through social media
- 59% of participants believe phishing can come via text or SMS messages
- 43% of participants believe that phishing attempts are made via phone calls
- Only 22% believe phishing attempts can come through video chat
Nearly half (48%) of participants say they have had their personal or financial data compromised, but many fail to take basic cyber hygiene action following that exposure
- In the wake of a data exposure, only:
- 65% of participants changed their passwords, meaning 35% did not change their password
- 48% of participants ordered a new credit card
- 43% of participants set up alerts with their credit agency
Security habits leave businesses vulnerable
- Nearly half (49%) of participants admit to clicking on a link from an unknown sender while at work, with nearly one third of respondents overall (29%) admitting to doing so more than once
- Of those who clicked a link from an unknown sender at work:
- A majority (74%) did so via email
- 34% clicked on links via social media
- 29% clicked on links sent via text or SMS
- Of the 67% of respondents who know they've received a phishing message at work, 39% did not report it
Employees are more click happy outside of work
- In a typical day when not working, 70% of employees are likely to click on at least one link received via email
- 31% of participants click on more than 25 personal-life links a day
- 56% of participants are more likely to click on a link or open an attachment from an unknown source on their personal computer
Nearly two-thirds of respondents (60%) are most likely to open an email from their boss first, compared to:
- 55% who would first open a message from a family member or friend
- 31% who would first open a request from their bank to confirm a transaction
- 28% of people would first open a message with a discount offer from a store
George Anderson, Product Marketing Director, Webroot, a Carbonite Company
"Phishing attacks continue to grow in popularity because, unfortunately, they work. Hackers and criminals weaponize the simple act of clicking and employ basic psychological tricks to inspire urgent action. It is vital that consumers educate themselves on how to protect both their personal and financial data and what steps to take if their information is compromised or stolen.
For businesses that means implementing regular simulated phishing and external attacks that address the various ways hackers attempt to breach organizations through their users. By combining the latest detection, protection, prevention and response technology with consistent attack training and education, IT Security departments can tackle the people, process and technology combinations needed to successfully mitigate attacks."
Cleotilde Gonzalez, Ph.D., Research Professor, Carnegie Mellon University
"Security and productivity are always in a tradeoff. People put off security because they are too busy doing something with a more 'immediate' reward. These findings illuminate the pertinent need for a mindset makeover, where the longer-term reward of security doesn't get put on the back burner."
- Webroot Security Awareness Training
- Webroot's 2019 Annual Threat Report
- Phishing: Don't Take the Bait
- 'Smishing': An Emerging Trend of Phishing Scams via Text Messages
- Just Keep Swimming: How to Avoid Phishing on Social Media