Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

In Penetration Tests, 27% of Employees Fall for Phishing E-mails

April 11, 2018

TechRepublic reported on April 9th that, according to a 2018 report by security firm Positive Technologies, phishing was the most effective form of social engineering attack. 27% of recipients clicked a phishing link, which led to a fake website.

The firm studied its 10 largest penetration testing projects performed for clients in 2016 and 2017. These tests included 3,332 emails sent to employees with links to websites, password entry forms, and attachments, mimicking the work of hackers.

"To make the emails more effective, attackers may combine different methods: a single message may contain a malicious file and a link, which leads to a website containing multiple exploits and a password entry form," Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said in a press release. "Malicious attachments can be blocked by properly configured antivirus protection; however, there is no surefire way to prevent users from being tricked into divulging their password."

At times, employees complained that the malicious files or links would not open. In some cases, these employees tried to open the files or enter their password on the fake site 30-40 times, according to the report. This cracked me up. Some employees won't apply the same determination to their work that they will to getting a fake site to open up and compromise their employer.

Sometimes, they were so frustrated that they were unable to open the files that they forwarded them to the IT department for help—further increasing the risk to the organization, as IT staff are more likely to trust their colleagues and attempt to open the file. Well, the report may say that, but my own experience is that IT folks are far more likely to recognize phishing e-mails, especially when forwarded from employees. IT has been around the block with problematic employees more than a few times!

Hackers have also learned that sending messages from fake companies is less effective than in the past, causing only 11% of risky actions from employees, the report found. However, sending messages from the fake account of a real company and person increases the odds of success to 33%. That makes perfect sense of course – and that does parallel what we see.

But here's what I found to be the most comical part of the report. Attackers carefully select email subject lines to elicit a response from employees, including "list of employees to be fired" (which caused 38% of risky actions), and "annual bonuses" (which caused 25%). Yup, curiosity killed the cat, as did greed (did I get a bonus?).

Running phishing attack simulations is an excellent idea for law firms – and any other kind of entity. You'd be amazed at the extent to which you can reduce your risk for phishing if you adequately train employees.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson