Are you really confident you could spot a phishing scam?

A successful phishing attack can be child’s play, if the attacker is determined enough.


The folks at Tripwire conducted a survey at the recent RSA security conference in San Francisco.

They polled 200 security professionals about ransomware and phishing. I commented on their ransomware findings elsewhere, but I was also interested to see their stats on whether top-level managers were likely to spot a phishing scam.


The survey found 52% of respondents were “not confident” that their company’s executives would spot a phishing scam.

Does that number surprise you? It did me. Because I think it should be much, much higher.

Sure, maybe many people would be able to spot a phishing email claiming to come from their bank or web mail provider by hovering their mouse over the link, and determining it wasn’t going to take them to the legitimate site – but I can imagine more sophisticated phishing attacks than that.

For instance, a targeted phishing attack might identify where a member of your executive team sends their kids to school.

School websites are typically poorly maintained due to lack of funding, perhaps using a CMS that isn’t kept properly updated and patched, and provide opportunities for determined hackers to break in and create their own pages on the real school website.

It’s well within the capabilities of an attacker to forge an email to the company executive they are targeting, making it appear as if it comes from the school, and linking to the phishing webpage they have created on the school’s *own* website. Even if your user hovers their mouse over the link, they probably won’t spot anything suspicious.

The likelihood that anyone will check the email’s headers closely is close to zero.
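To show what that header check would actually involve, here is an added example (my own illustration, not code from the article or from Tripwire) that runs the two checks side by side on a constructed message: the "hover over the link" check that users are taught, and the envelope/authentication header check that almost nobody does. The sample email, its domains (`example-school.test`, `mail-relay.example.net`, `company.test`) and the `Authentication-Results` verdicts are all made up for the demonstration; it uses only Python's standard library.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the article). The link really does point
# at the school's own domain, so hovering over it reveals nothing; the forgery
# only shows in the headers the receiving mail server stamped on it.
SAMPLE_EML = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.company.test;
 spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none
From: "Example Primary School" <office@example-school.test>
To: exec@company.test
Subject: Parent portal: please confirm your details
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="https://example-school.test/news/login.php">log in to the parent portal</a>
to confirm your details for the new term.</p>
</body></html>
"""


def _domain(addr: str) -> str:
    """Domain part of an e-mail address, lower-cased ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def header_findings(msg) -> list:
    """The check almost nobody does by hand: does the envelope sender align with
    the From header, and did the receiving server's SPF/DKIM checks pass?"""
    findings = []
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    auth = str(msg.get("Authentication-Results", "") or "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        verdict = m.group(1).lower() if m else "missing"
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")
    return findings


def link_findings(msg) -> list:
    """The 'hover over the link' check: flag links whose host is not the sender's
    domain, or whose visible text names a different host than the href."""
    findings = []
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = _LinkCollector()
    parser.feed(body.get_content())
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host != from_dom and not host.endswith("." + from_dom):
            findings.append(f"link host {host} is not sender domain {from_dom}")
        # Only treat the visible text as a URL if it actually looks like one.
        m = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        shown = m.group(1).lower() if m else None
        if shown and shown != host:
            findings.append(f"link text shows {shown} but goes to {host}")
    return findings


def assess(raw: str) -> dict:
    """Run both checks on a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw, policy=policy.default)
    return {"headers": header_findings(msg), "links": link_findings(msg)}


if __name__ == "__main__":
    result = assess(SAMPLE_EML)
    print("link checks  :", result["links"] or ["nothing suspicious"])
    print("header checks:", result["headers"] or ["nothing suspicious"])
```

On the constructed sample the link check comes back clean, exactly as the article warns, while the header check flags the Return-Path mismatch and the failed SPF and absent DKIM verdicts. In practice this logic belongs in the mail gateway (DMARC alignment policy, quarantining on `spf=fail`/`dkim=none` from domains that publish a policy) rather than with the recipient, which is the point: a hovering user is the wrong control for this attack.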

What’s that? You don’t think anyone would be interested in the credentials parents use to log into their child’s school website? Well, perhaps not – but then bear in mind the worrying proportion of people who use the same password for just about every site they access.

And, of course, the same method could be used to trick a member of your company into visiting a malware-infected webpage on a legitimate website.

Always be on your guard against phishing attacks, and never reuse passwords on different websites.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Are you really confident you could spot a phishing scam?”

  1. coyote

    'Does that number surprise you? It did me. Because I think it should be much much higher.'

    It's interesting. I had the same thought on hotforsecurity but more like: I found the low percentage that were confident they could recover from a ransomware attack as inexcusable (and also pointed out that it should be 'know' and not 'believe'). That they aren't doesn't surprise me but it still is inexcusable (much like FBI suggestion but perhaps a little more excusable since they aren't a major influence on people like the FBI).

    But here I find it the way I'm interpreting your point: that 48% are confident their company's executive isn't surprising to me (because people tend to overrate and underrate things when they should the opposite) but instead seems phishy to me. I believe that the number should be higher, probably at least 90% not confident but I think that would be a positive and optimistic statistic (which is rather scary).

    Everyone can make mistakes and if you're distracted, tired or having a slow (and/or difficult) day then you're more likely to miss warning signs. But even if this doesn't apply to you you're still going to make mistakes at times and depending on the phisherman's ability they may very well reel you in. Being overly confident is also a problem.

  2. Michael Moss

    These numbers are a bit shocking to me, maybe the survey was taken with the Exec looking over their shoulder! Most of the IT people I work with have very little confidence in any of their employees' ability to spot a Phishing attack. I try and get my clients to allow me to speak to their employees to educate them on the signs of a good attack and how challenging it can be to spot them.

    We also preach what you recommend regarding a password specific to each site and not a common password for access to your child's school and your bank. That would be an interesting survey?
