Phishing: How COVID-19 Affects People’s Propensity to Click

Phishing has been around for ages and continues to be one of the most common threats that businesses and home users face today. But it’s not like we haven’t all been hearing about the dangers of phishing for years. So why do people still click?

That’s what we wanted to find out when we conducted our most recent survey. We checked in with thousands of office workers across seven different countries to get a global perspective on phishing and people’s individual click habits. Then we partnered with Dr. Prashanth Rajivan, assistant professor at the University of Washington, to gain a deeper understanding of phishing and those habits, as well as how things have shifted during COVID-19, in our new report: COVID-19 Clicks: How Phishing Capitalized on a Global Crisis.

In this blog post, we’ve summarized this comprehensive report and included tips for how to stay safe, but we strongly encourage you to check out the full writeup.

 Why Do People Still Click?

3 in 10 people worldwide clicked a phishing link in the past year. Among Americans, it’s 1 in 3.

According to Dr. Rajivan, what we need to consider is that human beings aren’t necessarily good at dealing with uncertainty, which is part of why cybercriminals capitalize on upheaval (such as a global pandemic) to launch attacks.

“People aren’t great at handling uncertainty. Even those of us who know we shouldn’t click on emails from unknown senders may feel uncertain and click anyway. That’s because we’ve likely all clicked these kinds of emails in the past and gotten a positive reward. The probability of long-term risk vs. short-term reward, coupled with uncertainty, is a recipe for poor decision-making–or, in this case, clicking what you shouldn’t.”

– Prashanth Rajivan, Ph.D.

 Tip 1

• For businesses: Ensure workers have clear distinctions between work and personal time, devices and obligations. This helps reduce the amount of uncertainty that can ultimately lead to phishing-related breaches.
• For individuals: Hackers often exploit security holes in older software versions and operating systems. Update software and systems regularly to help shut the door on malware.

 Has phishing increased since COVID-19 began?

At least one in five people have received a phishing email related to COVID-19.

There’s no doubt that the global COVID-19 pandemic has changed a lot about how we live and work. According to our survey, 54% of workers spend more time working from home than they did before the pandemic. With more people connecting to the internet outside of corporate networks and away from the watchful eyes of IT teams, it’s to be expected that cybercriminals would take advantage.

“[We’ve seen] massive spikes […] in phishing URLs targeting COVID-related topics. For example, with more people spending time at home, use of streaming services has gone up. In March alone, we saw a 3,000% increase in phishing URLs with ‘youtube’ in the name.

– Grayson Milbourne, security intelligence director, Carbonite + Webroot, OpenText Companies

Regardless, the majority of people surveyed still think they are at least the same level of prepared or more prepared to spot phishing email attempts, now that they’ve spent more time working from home

“People are taking increased physical safety measures in the pandemic, including mask wearing, social distancing, more frequent hand-washing, etc. I think this heightened level of precaution and awareness could cause people to slightly overestimate their overall safety, including their safety regarding online threats.”

– Prashanth Rajivan, Ph.D.

 Tip 2

• For businesses: Know your risk factors and over prepare. Once you’ve assessed the risks, you can create a stronger data breach response plan.
• For individuals: Stay on your toes. By being vigilant and maintaining a healthy dose of suspicion about all links and attachments in messages, you can significantly decrease your phishing risk.

People say they know better. Do they really?

81% of people say they take steps to determine if an email message is malicious. Yet 76% open emails and click links from unknown senders.

When we asked Dr. Rajivan why these numbers don’t line up, he said the difference is between knowing what you should do and actually doing it

“There are huge differences between knowing what to do and actually operationalizing that knowledge in appropriate scenarios. I suspect many people don’t really take the actions they reported, at least not on a regular basis, when they receive suspicious emails.”

– Prashanth Rajivan, Ph.D.

 Tip 3

• For businesses: Back up data and ensure employees can access and retrieve data no matter where they are. Accidents happen; what matters most is being able to recover quickly and effectively. Don’t forget to back up collaboration tools too, such as Microsoft Teams and the Microsoft 365 suite.
• For individuals: Make sure important data and files are backed up to secure cloud storage or an external hard drive. In the case of a hard drive, make sure it’s only connected while backing up, so you don’t risk backing up infected or encrypted files. If it’s a cloud backup, use the kind that lets you restore to a specific file version or point in time.

 What’s the way forward?

All over the world, workers say that in order to be better prepared to handle cyberattacks, they need more