The folks at Tripwire conducted a survey at the recent RSA security conference in San Francisco.
They polled 200 security professionals about ransomware and phishing. I commented on their ransomware findings elsewhere, but I was also interested to see their stats on whether top-level managers were likely to spot a phishing scam.
The survey found 52% of respondents were “not confident” that their company’s executives would spot a phishing scam.
Does that number surprise you? It did me, because I think it should be much, much higher.
Sure, many people might be able to spot a phishing email claiming to come from their bank or webmail provider by hovering their mouse over the link and seeing that it wasn’t going to take them to the legitimate site – but I can imagine more sophisticated phishing attacks than that.
For instance, a targeted phishing attack might identify where a member of your executive team sends their kids to school.
School websites are typically poorly maintained due to lack of funding, perhaps using a CMS that isn’t kept properly updated and patched, and provide opportunities for determined hackers to break in and create their own pages on the real school website.
It’s well within the capabilities of an attacker to forge an email to the company executive they are targeting, make it appear as if it comes from the school, and link to the phishing webpage they have created on the school’s *own* website. Even if your user hovers their mouse over the link, they probably won’t spot anything suspicious.
The likelihood that anyone will check the email’s headers closely is nearly zero.
What’s that? You don’t think anyone would be interested in the credentials parents use to log into their child’s school website? Well, perhaps not – but then bear in mind the worrying proportion of people who use the same password for just about every site they access.
And, of course, the same method could be used to trick a member of your company into visiting a malware-infected webpage on a legitimate website.
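The point above is that hovering over a link gives nothing away when the page really does live on the school’s own site, so the only remaining signals are in the message headers. The following is an added example (not code from the original post) of the kind of header and link checks a mail filter or a careful reader can apply: it compares the From domain with the Return-Path (envelope sender) domain, reads the SPF verdict from an Authentication-Results header, and flags links whose visible text is a URL that points somewhere other than the href. The sample message, every domain in it, and the function names are constructed for this illustration; real deployments should rely on SPF/DKIM/DMARC evaluation done by the receiving mail server rather than on regexes.

```python
"""Heuristic header and link checks on a suspicious email.

Added example, not from the original post. The message, domains and
function names below are constructed placeholders for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the From header claims the school's domain, but the
# envelope sender and the SPF verdict recorded by the receiving server do not.
RAW_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10])
        by mx.company.example (Postfix) with ESMTP id ABC123
        for <ceo@company.example>; Mon, 1 Jan 2024 09:00:00 +0000
Authentication-Results: mx.company.example; spf=fail smtp.mailfrom=mail-relay.example.net
From: "School Office" <office@school.example>
To: ceo@company.example
Subject: Please confirm your parent portal details
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://school.example/parents/login-update.php">log in</a>
to confirm your details.</p>
<p>Or use <a href="http://lookalike.example/login">https://school.example/login</a></p>
</body></html>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header value."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def link_findings(html):
    """Flag links whose visible text is a URL whose host differs from the href host.

    This is what 'hovering over the link' reveals; note that the first link in
    the sample (on the school's real domain) passes this check entirely.
    """
    findings = []
    for href, text in LINK_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if text.lower().startswith(("http://", "https://")):
            if urlparse(text).hostname != urlparse(href).hostname:
                findings.append((text, href))
    return findings


def analyse(raw_message):
    """Run header and link checks; return the extracted facts and the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])

    # SPF verdict as recorded by the receiving MTA (constructed header above).
    auth_results = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    match = re.search(r"\bspf=(\w+)", auth_results, re.I)
    spf = match.group(1).lower() if match else "none"

    header_findings = []
    if return_path_domain and return_path_domain != from_domain:
        header_findings.append(
            f"From domain {from_domain!r} differs from Return-Path domain {return_path_domain!r}"
        )
    if spf in ("fail", "softfail"):
        header_findings.append(f"SPF result is {spf!r}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "spf": spf,
        "header_findings": header_findings,
        "link_findings": link_findings(html),
    }


if __name__ == "__main__":
    result = analyse(RAW_MESSAGE)
    for finding in result["header_findings"]:
        print("header:", finding)
    for shown, actual in result["link_findings"]:
        print("link text", shown, "points to", actual)
```

Run against the constructed message, the header checks report both the domain mismatch and the SPF failure, while the link check only catches the second link; the first link, on the school's own domain, looks legitimate to a hover, which is exactly why the header signals matter.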
Always be on your guard against phishing attacks, and never reuse passwords on different websites.
'Does that number surprise you? It did me. Because I think it should be much much higher.'
It's interesting. I had the same thought on hotforsecurity but more like: I found the low percentage that were confident they could recover from a ransomware attack as inexcusable (and also pointed out that it should be 'know' and not 'believe'). That they aren't doesn't surprise me but it still is inexcusable (much like FBI suggestion but perhaps a little more excusable since they aren't a major influence on people like the FBI).
But here I find it the way I'm interpreting your point: that 48% are confident their company's executive isn't surprising to me (because people tend to overrate and underrate things when they should the opposite) but instead seems phishy to me. I believe that the number should be higher, probably at least 90% not confident but I think that would be a positive and optimistic statistic (which is rather scary).
Everyone can make mistakes and if you're distracted, tired or having a slow (and/or difficult) day then you're more likely to miss warning signs. But even if this doesn't apply to you you're still going to make mistakes at times and depending on the phisherman's ability they may very well reel you in. Being overly confident is also a problem.
These numbers are a bit shocking to me, maybe the survey was taken with the Exec looking over their shoulder! Most of the IT people I work with have very little confidence in any of their employees' ability to spot a phishing attack. I try to get my clients to allow me to speak to their employees to educate them on the signs of a good attack and how challenging it can be to spot them.
We also preach what you recommend regarding a password specific to each site and not a common password for access to your child's school and your bank. That would be an interesting survey?