Pierluigi Paganini May 18, 2015

Intel Security published an a curious study to test consumer knowledge about phishing practice and measure the ability to detect phishing emails.

For this study, Intel Security presented 10 emails where people were asked to identify which emails were phishing with the purpose of steal personal data, and which were legit, legal emails. The data for the study was collected from 144 countries and 19000 people were surveyed.

“To help consumers spot these popular phishing attacks, we developed a quiz to help people learn how to properly identify phishing emails. We shared 10 real emails and you decided whether they were real, or real dangerous. We’ve been doing this for some time, and now that the tests have been turned in, scored and graded, it’s time to take a look at how everyone did.” states the official blog published by McAfee.

The results were:

• Only 3% got all answers right
• 80% of the surveyed people got at least one wrong answer
• The worldwide average score was 65.4%, which means test takers missed one in four phishing emails on average.

If 80% got at least one answer wrong, this means that  the attacker has found the “open door”, since he just needs us to get wrong one time to get his opportunity.

Another interesting data emerged from the study is related to the email that more people got the wrong response … it is the legitimate email. The legit email, consisted in the user taking action and “claim their free ads. Normally people associate “free money” to phishing campaigns, and that was the main reason why some many people got the wrong answer here.

“Phishing emails often look like they are from credible sites but are designed to trick you into sharing your personal information,” “Review your emails carefully and check for typical phishing clues including poor visuals and incorrect grammar, which may indicate that the email was sent by a scammer.” said Gary Davis, Chief Consumer Security Evangelist at Intel Security.

Using the advices provided by Gary Davis, you can follow the following tips to improve defense against phishing attacks:

Do:

• Keep your security software and browsers up to date
• Hover over links to identify obvious fakes; make sure that an embedded link is taking you to the exact website it purports to be
• Take your time and inspect emails for obvious red flags: misspelled words, incorrect URL domains, unprofessional and suspicious visuals and unrecognized senders
• Instead of clicking on a link provided in an email, visit the website of the company that allegedly sent the email to make sure the deal being advertised is also on the retailer’s homepage

Don’t:

• Click on any links in any email sent from unknown or suspicious senders
• Send an email that looks suspicious to friends or family as this could spread a phishing attack to unsuspecting loved ones
• Download content that your browser or security software alerts you may be malicious
• Give away personal information like your credit card number, home address, or social security number to a site or e-mail address you think may be suspicious

Phishing is one of the most insidious cyber threats despite the high level of knowledge on the techniques implemented by criminals. Everyone can fall victim for phishing emails, even people working in IT, but the trick is to follow some steps like the ones provided to help us reduce our mistakes.

Early in my career in IT phishing emails were a big deal, since they had many of spelling mistakes, but today I can’t say the same, because now I see a lots of phishing emails, perfectly writing, since the scammers hire people to do the spell checking for each country, being difficult to distinguish a phishing emails from a legit emails, and that’s why the numbers of this study are so alarming.

About the Author Elsio Pinto

Edited by Pierluigi Paganini

(Security Affairs –  phishing, cybercrime)