BROOMFIELD, Colo., Sept. 24, 2019 /PRNewswire/ -- Webroot, a Carbonite (CARB) company, released a report, Hook, Line and Sinker: Why Phishing Attacks Work, that sheds light on psychological factors impacting an individual's decision to click on a phishing email. Executed in partnership with Wakefield Research, the report surveyed 4,000 office professionals from the U.S., U.K., Japan and Australia (1,000 per region) to determine what people know about phishing tactics, what makes them click on a potentially malicious link and other security habits.
While a majority (79%) of people reported being able to distinguish a phishing message from a genuine one, nearly half (49%) also admit to having clicked on a link from an unknown sender while at work. Further, nearly half (48%) of respondents said their personal or financial data had been compromised by a phishing message. However, of that group more than a third (35%) didn't take the basic step of changing their passwords following a breach. Not only is this false confidence potentially harmful to an employee's personal and financial data, but it also creates risks for companies and their data.
There is no foolproof way to prevent being phished, but taking a layered approach to cybersecurity, including ongoing user training, will significantly reduce risk exposure. As Forrester points out in its report, Now Tech: Security Awareness and Training Solutions, Q1 2019, "your workforce should treat cybersecurity awareness with the same importance they use for ensuring that their projects, products, and messages are on key with company brand. Invest in solutions that weave security best practices throughout your corporate culture."
Employees are falsely confident when it comes to knowledge of phishing
79% of participants say they can distinguish a phishing message from a genuine one
81% of participants are aware that phishing attempts can occur through email, but fail to recognize the many other ways hackers conduct phishing attacks:
60% of participants believe phishing attempts can come through social media
59% of participants believe phishing can come via text or SMS messages
43% of participants believe that phishing attempts are made via phone calls
Only 22% believe phishing attempts can come through video chat
Nearly half (48%) of participants say they have had their personal or financial data compromised, but many fail to take basic cyber hygiene action following that exposure
In the wake of a data exposure, only:
65% of participants changed their passwords, meaning 35% did not change their password
48% of participants ordered a new credit card
43% of participants set up alerts with their credit agency
Security habits leave businesses vulnerable
Nearly half (49%) of participants admit to clicking on a link from an unknown sender while at work, with nearly one third of respondents overall (29%) admitting to doing so more than once
Of those who clicked a link from an unknown sender at work:
A majority (74%) did so via email
34% clicked on links via social media
29% clicked on links sent via text or SMS
Of the 67% of respondents who know they've received a phishing message at work, 39% did not report it
Employees are more click happy outside of work
In a typical day when not working, 70% of employees are likely to click on at least one link received via email
31% of participants click on more than 25 personal-life links a day
56% of participants are more likely to click on a link or open an attachment from an unknown source on their personal computer
Nearly two-thirds of respondents (60%) are most likely to open an email from their boss first, compared to:
55% who would first open a message from a family member or friend
31% who would first open a request from their bank to confirm a transaction
28% of people would first open a message with a discount offer from a store
Key Quote: George Anderson, Product Marketing Director, Webroot, a Carbonite Company
"Phishing attacks continue to grow in popularity because, unfortunately, they work. Hackers and criminals weaponize the simple act of clicking and employ basic psychological tricks to inspire urgent action. It is vital that consumers educate themselves on how to protect both their personal and financial data and what steps to take if their information is compromised or stolen.
"For businesses that means implementing regular simulated phishing and external attacks that address the various ways hackers attempt to breach organizations through their users. By combining the latest detection, protection, prevention and response technology with consistent attack training and education, IT Security departments can tackle the people, process and technology combinations needed to successfully mitigate attacks."
Key Quote: Cleotilde Gonzalez, Ph.D., Research Professor, Carnegie Mellon University
"Security and productivity are always in a tradeoff. People put off security because they are too busy doing something with a more 'immediate' reward. These findings illuminate the pertinent need for a mindset makeover, where the longer-term reward of security doesn't get put on the back burner."