New Intel Security study shows that 97% of people can’t identify phishing emails

Intel Security published a curious study to test consumer knowledge of phishing practices and measure people's ability to detect phishing emails.

For this study, Intel Security presented 10 emails and asked people to identify which were phishing emails intended to steal personal data and which were legitimate emails. The data for the study was collected from 144 countries, and 19000 people were surveyed.

“To help consumers spot these popular phishing attacks, we developed a quiz to help people learn how to properly identify phishing emails. We shared 10 real emails and you decided whether they were real, or real dangerous. We’ve been doing this for some time, and now that the tests have been turned in, scored and graded, it’s time to take a look at how everyone did.” states the official blog published by McAfee.

The results were:

  • Only 3% got all answers right
  • 80% of the surveyed people got at least one wrong answer
  • The worldwide average score was 65.4%, which means test takers missed one in four phishing emails on average.

If 80% got at least one answer wrong, this means that the attacker has found the “open door”, since he needs us to get it wrong only once to get his opportunity.

Another interesting finding from the study concerns the email that most people got wrong: it was the legitimate email. The legitimate email asked the user to take action and “claim their free ads”. People normally associate “free money” with phishing campaigns, and that was the main reason why so many people got the wrong answer here.

“Phishing emails often look like they are from credible sites but are designed to trick you into sharing your personal information,” “Review your emails carefully and check for typical phishing clues including poor visuals and incorrect grammar, which may indicate that the email was sent by a scammer.” said Gary Davis, Chief Consumer Security Evangelist at Intel Security.

Based on the advice provided by Gary Davis, you can follow these tips to improve your defense against phishing attacks:

Do:

  • Keep your security software and browsers up to date
  • Hover over links to identify obvious fakes; make sure that an embedded link is taking you to the exact website it purports to be
  • Take your time and inspect emails for obvious red flags: misspelled words, incorrect URL domains, unprofessional and suspicious visuals and unrecognized senders
  • Instead of clicking on a link provided in an email, visit the website of the company that allegedly sent the email to make sure the deal being advertised is also on the retailer’s homepage

Don’t:

  • Click on any links in any email sent from unknown or suspicious senders
  • Send an email that looks suspicious to friends or family as this could spread a phishing attack to unsuspecting loved ones
  • Download content that your browser or security software alerts you may be malicious
  • Give away personal information like your credit card number, home address, or social security number to a site or e-mail address you think may be suspicious
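
The “hover over links” and “incorrect URL domains” tips above can also be checked mechanically on the HTML body of a message. The following is an added example, not part of the original article or of Intel Security's material; the function names, reason codes and sample addresses are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body of a sample message; every name and address is made up.
SAMPLE_BODY = """\
<p>Confirm at <a href="http://examplebank.test.login-check.example/verify">www.examplebank.test</a></p>
<p><a href="https://www.examplebank.test/help">Help centre</a></p>
<p><a href="http://192.0.2.10/update">Update details</a></p>
"""
# Visible link text that itself looks like a URL or bare domain.
DOMAINISH = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.I)
# Dotted-quad IPv4, or a ':' (only an IPv6 literal host contains one).
IP_HOST = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$|:")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()

def audit_links(html_body):
    """Return (href, reason) for links whose real destination deserves a second look."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        shown = re.sub(r"^www\.", "", host_of(text)) if DOMAINISH.match(text) else ""
        # The link text names one site but the href leads to a different one.
        if shown and host != shown and not host.endswith("." + shown):
            findings.append((href, "text-mismatch"))
        elif IP_HOST.search(host):
            findings.append((href, "ip-host"))
    return findings
```

The comparison is done on the end of the hostname, so a link whose host merely begins with the expected domain is still reported, while a genuine subdomain of the displayed site is not.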

Phishing is one of the most insidious cyber threats despite the high level of knowledge about the techniques used by criminals. Anyone can fall victim to phishing emails, even people working in IT, but the trick is to follow some steps like the ones provided to help us reduce our mistakes.

Early in my career in IT, phishing emails were a big deal, since they had many spelling mistakes, but today I can’t say the same, because now I see a lot of perfectly written phishing emails, since the scammers hire people to do the spell checking for each country, making it difficult to distinguish a phishing email from a legit email, and that’s why the numbers of this study are so alarming.

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics and ethical hacking. He has previous experience at major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog: http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs –  phishing, cybercrime)
