A new study found that 23 per cent of people worldwide will fall for spear phishing attacks.
Information security consultancy The Intrepidus Group analysed the results of 32 mock-phishing scenarios against 69,000 employees around the world, CEO Rohyt Belani told SCMagazineUS.com. Belani presented findings of the study during this week's InfoSec World Conference in the US.
Belani said that the percentage of employees vulnerable to spear phishing was "astounding."
"Twenty-three percent sounds low, but think of the normal corporation with 5000 employees -- you are talking about almost 1200 vulnerable endpoints," Belani said.
He added that if an attacker targets a number of people in an organisation, at least one or two will click on a phishing email.
But Joshua Perrymon, CEO of PacketFocus, which provides penetration testing services, told SCMagazineUS.com on Monday that even 23 per cent seems low.
"I would say 23 per cent of people fall for generic phishing attacks," Perrymon said. "We see around 70 per cent response with directed attacks."
Perrymon said technology is not playing much of a role in stopping targeted phishing attacks, so enterprises have to rely on user education and security awareness.
Among the other findings of Intrepidus' study: men and women are equally susceptible to phishing attacks. Also, 60 per cent of corporate employees who were susceptible to targeted spear phishing responded to the phishing emails within three hours on average.
The study also found that people are less cautious when clicking on links in emails than when they are requested to provide sensitive data. Additionally, phishing attacks are 40 per cent more successful when they use an "authoritative tone," such as appearing to come from one's boss or the IT department, rather than coming from someone claiming to offer a reward.
"The culture of the US is built on authority and this holds true in our jobs," Perrymon said. "If you are told something with a power of authority, you are going to do what it says without looking farther into it."
Perrymon said this cultural trait is even more prevalent in China and Japan.
"Corporations need to continue focusing on making their employees aware of the threats," Belani said.
And Belani said user education should be approached like a marketing exercise -- if users are nodding off, it will never be effective.
"You need to make it interesting and relevant to them," Belani said.