All the time spent ticking boxes in cybersecurity training sessions seems to be paying off after all: according to a new report, about a third of emails reported by employees really are malicious or highly suspect, demonstrating the effectiveness of the well-established maxim "Think before you click".
Phishing is a common technique used by cyber criminals to lure victims into doing what the hacker wants, whether that is providing personal information or downloading malware. It typically occurs via email, thanks to messages designed to look genuine, and which usually require the recipient to take some form of action.
For example, phishing emails can claim to be from the post office and ask the user to re-schedule a fake delivery, or from the bank requiring some sort of update or confirmation; they sometimes look like they come from corporate departments. What they all have in common is that they try to convince the recipient to take action by clicking a link, providing some sensitive information or downloading an attachment, giving the hacker a way into carrying out an attack.
While phishing can occur through various means, including social media and even the phone, email is the most common method, accounting for over half of infection attempts in 2020.
Targeting corporate emails, therefore, is an easy way for criminals to use employees as a bridge to hack a company, which is why businesses spend huge amounts of time and money on educating their staff so that they don't fall for the trick.
According to F-Secure's analysis, users submitted an average of 2.14 emails each during the period of the research. On average, organizations with 1,000 seats report 116 emails per month.
The most common reason users gave for reporting emails was a suspicious link, cited in almost 60% of cases, closely followed by spotting an incorrect or unexpected sender. Participants also mentioned suspicious attachments and suspected spam as reasons to flag a message.
F-Secure's analysis shows that some words and phrases are associated with a high risk of phishing. They include "Warning", "Your funds has" or "Message is for a trusted".
This points to a common denominator in phishing emails: they are often made to play with the victim's emotions, and designed so that clicking on a bad link is the most intuitive and easiest thing to do.
But F-Secure's new study seems to show that employees still have a good eye for a phishing email. "You often hear that people are security's weak link. That's very cynical and doesn't consider the benefits of using a company's workforce as a first line of defense," said F-Secure director of consulting, Riaan Naude. "Employees can catch a significant number of threats hitting their inbox if they can follow a painless reporting process that produces tangible results."
Naude, however, also pointed out that employee-led efforts in the field of cybersecurity can create huge amounts of additional work for cybersecurity teams that are already swamped.
And the number of emails reported by employees is only increasing. Over the past 18 months, cybersecurity teams have effectively had to adapt to the rise of remote working, which has hugely expanded the attack surface that hackers can target. As new working practices were deployed in a hurry, malicious hackers were able to exploit the reduced level of monitoring activity to target corporations even more aggressively.