A recent phishing study conducted by the UK firm Computer Disposals Limited has found that British workers struggle to identify phishing attacks: only 5% of participants identified every phishing attempt in the test.
The study was conducted on 1,000 individuals who were given a quiz consisting of messages and emails from well-known brands such as Amazon, Netflix and Disney Plus, emails from the UK government, and replicas of real-world phishing messages. Participants had to say which messages were real and which were scams. 95% failed to identify all of the phishing scams.
Many participants erred on the side of caution and classified a large number of genuine messages as phishing attempts: 44% of respondents were unable to identify the genuine messages in the test, which could mean important messages are being ignored.
The study revealed that the British public often trusts messages from well-known brands, a fact not missed by cybercriminals, who regularly impersonate well-known brands in their phishing campaigns. Messages from these companies tend to receive far less scrutiny than messages from brands or individuals that people do not have so much contact with. The survey also found that people are less trusting of messages that arrive in their email inbox than of social media posts and SMS messages on their phones.
“In our quiz, we placed a Facebook message which had a dodgy-looking email address and no personalization. Despite these warning signs, it was the fake email most people trusted,” explained Computer Disposals Limited. “At the opposite end of the scale, our Uber-style email was completely authentic and even offered information such as the IP address and recipient’s name – and yet, still it was the authentic email which received the highest proportion of ‘mark as spam’ clicks.”
The failure to identify all phishing attempts is worrying and a sign that companies need to improve their training for employees. All it takes for a data breach to occur is for one individual to respond to a phishing scam.
Phishing scams can be highly convincing and sophisticated, but there are simple steps that can be taken which will help to identify the scam messages.
Check the sender's email address carefully, not just the display name, to make sure the message came from an account on the domain the business actually uses. Because the From address can be spoofed and lookalike domains are cheap to register, treat a near match (for example the brand name with extra words attached, or under a different top-level domain) as a warning sign; where your mail client shows authentication results (SPF, DKIM, DMARC), a failure there is a further reason to distrust the message.
Emails that contain spelling mistakes and grammatical errors should be treated as suspicious, since companies put messages to their customers through editorial review before sending. The reverse does not hold: a well-written email is not proof of legitimacy, as many phishing messages copy genuine corporate templates word for word.
Emails that have not been personalized and are addressed “Dear Customer” or similar suggest the message may have been sent to a stolen or scraped list of email addresses; genuine messages from companies such as PayPal or Netflix normally address you by name. Personalization alone does not prove authenticity, however, since attackers who obtained your name along with your email address can personalize too.
Always check where the links in an email actually lead before trusting them: hover over the link to see the real destination, and confirm that the registered domain is the company's genuine domain, not merely a URL that contains the company's name (for example the brand name used as a subdomain of an unrelated domain). As a general rule, avoid clicking links in emails at all. If you receive a warning email from a company, visit the company's genuine site from your bookmarks or by typing the correct URL into your browser's address bar rather than clicking the link in the email.
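The sender-domain check and the link-target check above can be automated over a raw message. The following Python script is an added example written for this page; it is not code from the original article or from Computer Disposals Limited. The sample email, the `.example` lookalike domains and the `TRUSTED_DOMAINS` table are all constructed for illustration, and the suffix match in `registered_under` is a deliberate simplification of registered-domain matching (it trusts any subdomain of a listed domain).

```python
"""Flag two phishing indicators in a raw RFC 5322 message: a sender address that
is not on the brand's real domain, and links whose visible text claims a
different host than the href actually points to."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: lookalike sender domain, generic greeting, and a link whose
# visible text shows the genuine site while the href leads somewhere else.
SAMPLE_EMAIL = """\
From: Amazon Security <security@amazon-account-verify.example>
To: alice@example.org
Subject: Action required: your account is on hold
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Please confirm your details at
<a href="http://amazon.co.uk.login-check.example/verify">https://www.amazon.co.uk/</a>
within 24 hours.</p>
</body></html>
"""

# Assumed mapping of brand to the registered domains its genuine mail and sites
# use; in practice confirm this against the company's own documentation.
TRUSTED_DOMAINS = {"amazon": ["amazon.co.uk", "amazon.com"]}


def registered_under(host, domain):
    """True if host is the domain itself or a subdomain of it (label-suffix match)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def check_email(raw, brand, trusted=TRUSTED_DOMAINS):
    """Return a list of warning strings; an empty list means no mismatch was found."""
    msg = email.message_from_string(raw, policy=policy.default)
    good = trusted[brand]
    warnings = []

    # Check 1: the address behind the display name, not the display name itself.
    _, addr = parseaddr(str(msg["From"]))
    sender_host = addr.rpartition("@")[2]
    if not any(registered_under(sender_host, d) for d in good):
        warnings.append(f"sender domain {sender_host!r} is not a {brand} domain")

    # Check 2: each link's real target, and whether its visible text claims another host.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in extract_links(html):
        target = urlparse(href).hostname or ""
        if not any(registered_under(target, d) for d in good):
            warnings.append(f"link target {target!r} is not a {brand} domain")
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown != target:
            warnings.append(f"link text shows {shown!r} but points to {target!r}")
    return warnings


if __name__ == "__main__":
    for warning in check_email(SAMPLE_EMAIL, "amazon"):
        print("WARNING:", warning)
```

Run against the constructed sample, the script reports three warnings: the sender domain, the link target, and the mismatch between the displayed URL and the real one. A message from a genuine `amazon.co.uk` address whose links stay on that domain produces none. The script deliberately does not evaluate SPF, DKIM or DMARC results, which live in the `Authentication-Results` header added by the receiving mail server and are a separate check.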