Most in business will be familiar with the phenomenon: emails that try to trick you into doing something you really shouldn’t, hitting your inbox on a regular basis.
The scams, which vary wildly in their sophistication, include all sorts of tricks, from getting you to click a dubious link to parting with your bank account details to help out the supposed ex-wife of some dictator who has several million dollars she needs to deposit urgently.
Research from PhishMe, which says it can help firms train their employees and customers about the risks of spear phishing with just a few simple clicks, found that in the UK nearly 60% of office workers receive phishing emails at work every single day, and 6% receive more than 10 phishing emails every day.
Phishing attacks don’t only put the individual at risk – a successful attack can let the hacker gain access to the corporate network in order to acquire sensitive information such as usernames, passwords or R&D information.
The research, which was conducted by OnePoll for PhishMe amongst 1,000 office workers across the UK, shows how many phishing emails are successfully bypassing technical controls and ending up in users’ inboxes. PhishMe’s experience of tracking the responses of more than 3.8 million users shows that around 60% of people will fall for a phish if they have never been trained to recognise the signs of a phishing email — revealing the scale of the problem these phishing emails can cause.
Scott Greaux, vice president, product management and services from PhishMe said, "Nearly 60% of employees receive phishing emails every day, so clearly technical controls are failing to stop these messages as they pass through the system. They end up in users’ inboxes, and for many companies it is purely down to luck if that employee responds. Our research shows that almost 60% of people will fall for a well-designed phishing email – opening your systems to the criminals and hackers.
"Many users could click on a link or open an attachment and then carry on working, without being fully aware of the implications of their actions. User education is essential – adding ‘human sensors’ to your security infrastructure improves overall security posture and helps ensure users don’t fall victim," Greaux added.
The firm argues that education is the best form of defence against those phishing attacks that get through technical controls; much like the advice given to staff on handling such emails, this seems a simple case of applying common sense.