Webroot: Employees Highly Vulnerable to Phishing Attempts
While most employees say they can distinguish a phishing message from a genuine one, a high number have clicked on links from unknown senders at work, and nearly one-third admitted doing so more than once.
That’s according to “Hook, Line and Sinker: Why Phishing Attacks Work,” a new report released by Webroot, a Carbonite company, and conducted in partnership with Wakefield Research. Some 4,000 office professionals from the U.S., U.K., Japan and Australia were surveyed to determine what people know about phishing tactics, what makes them click on a potentially malicious link, and other security habits.
George Anderson, Webroot’s product marketing director, tells us the report highlights the need for everyone to be aware of the various forms of attack that aim to take advantage of the “open, trusting nature of Westerners,” and to treat all communications as suspicious, even “those from people we know.”
Opportunities for MSSPs and other cybersecurity providers include providing continuous, department- and function-relevant training on the latest "human firewall" attacks, reviewing processes for validating activities, and specifying at an organizational level the best way to handle different requests so that breaches or scams do not succeed, he said.
In addition, organizations need to invest in proper cyber awareness training and education programs that are effective and relevant to those being trained, and to look at creating “human firewall” risk scores to identify the most vulnerable and look at additional protections, Anderson said.
“There is a great deal of evidence that training and simulations do significantly reduce the risks,” he said.
Nearly one-half of respondents said their personal or financial data had been compromised by a phishing message. However, of that group, more than one-third didn’t take the basic step of changing their passwords following a breach. Not only is this false confidence potentially harmful to an employee’s personal and financial data, but it also creates risks for companies and their data, according to Webroot.
Some 81% of participants are aware that phishing attempts can occur through email, but fail to recognize the many other ways hackers conduct phishing attacks: 60% believe phishing attempts can come through social media; 59% believe phishing can come via text messages; 43% believe that phishing attempts are made via phone calls; and only 22% believe phishing attempts can come through video chat.
Nearly two-thirds of respondents are most likely to open an email from their boss first, compared to: 55% who would first open a message from a family member or friend; 31% who would first open a request from their bank to confirm a transaction; and 28% who would first open a message with a discount offer from a store, according to the report.
Inadequate training is contributing to the problem, Anderson said. That includes training being ad hoc and not consistent; being heavy to administer and relegated to those with no real interest in its success; best practices not being clear; or training not being done at all, he said.
“You are also dealing with human nature and accepted norms of behavior, so while education will reduce these factors over time — education is a long-game activity, so progress will take time,” Anderson said.
“Security and productivity are always in a tradeoff,” Cleotilde Gonzalez, research professor at Carnegie Mellon University, said about the findings. “People put off security because they are too busy doing something with a more ‘immediate’ reward. These findings illuminate the pertinent need for a mindset makeover, where the longer-term reward of security doesn’t get put on the back burner.”