Despite more than a decade of warnings, users still readily fall for phishing attacks.

For years, phishing attacks were viewed largely as a consumer security problem. Attackers would target users with an email that tempted them into a fraudulent 411 [check] scam, or into sharing their account numbers and sign-on credentials with a bogus Web site.

Not anymore.

It has become clear, going back to the so-called 2009 Operation Aurora attacks, that phishing attacks work. Regarding those attacks, a Forrester Research analyst quoted an aerospace company employee who was familiar with the exploit-laced Adobe PDF files that came attached to the spear-phishing emails.

“This kind of stuff is driving the defense contractors nuts. They should know better, yet they are still affected,” the source said at the time.

Spear-phishing attacks — those that use information about someone to target them directly as part of an attack — are all the more successful. The viability of phishing attacks was revealed more recently by the successful attack against RSA Security and the related attack on defense contractor Lockheed Martin.

Internet security awareness training firm KnowBe4, LLC recently conducted a test to see what percentage of Inc. 5000 companies would be susceptible to phishing attempts. In one phase of the test, the firm hired a reputable bulk email service to send simulated phishing emails to employees at 81 companies. Of those 81 companies, only two blocked the phishing attack, and 45 percent of the firms had one or more employees click on the link. In a follow-up test, a one-time mail server was set up to send the phish. That netted a 15 percent response rate in less than a day.

“The success rate of the attacks is surprisingly low,” says Pete Lindstrom, research director at Spire Security. “I thought the results would have been higher for a test like that,” he says.

Security experts are divided on whether security awareness training would have much success in driving the number of successful phishing attacks down. While some experts argue that security awareness training would lessen the viability of such attacks, others strongly disagree.

“We find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01 percent of them a modest annual pain,” wrote Microsoft Research’s Cormac Herley in his paper, “So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users.”

Such costs could be anything from using strong passwords to never clicking on links embedded within email. A certain percentage of the population will ignore this advice, no matter how many times they are told not to, because the direct cost to them of ignoring it is so low. “The value to risk ratio for people clicking on links is way too high. People are going to click on links,” says Lindstrom.

George V. Hulme writes about security, technology, and business from his home in Minneapolis, Minnesota. You can also find him on Twitter as @georgevhulme. He clicks on everything.