Phishing attacks: One in three suspect emails reported by employees really are malicious

Up to a third of emails that were flagged as suspicious by employees were actually a threat, according to a new report.
Written by Daphne Leprince-Ringuet, Contributor


All the time spent ticking boxes in cybersecurity training sessions seems to be paying off after all: according to a new report, about a third of emails reported by employees really are malicious or highly suspect, demonstrating the effectiveness of the well-established maxim "Think before you click". 

IT security company F-Secure analyzed over 200,000 emails that were flagged by employees from organizations across the globe in the first half of 2021, and found that 33% of the reports could be classified as phishing.

Phishing is a common technique used by cyber criminals to lure victims into doing what the hacker wants, whether that is providing personal information or downloading malware. It typically occurs via email, through messages that are designed to look genuine and that usually require the recipient to take some form of action.

For example, phishing emails can claim to be from the post office and ask the user to re-schedule a fake delivery, or from the bank requiring some sort of update or confirmation; they sometimes look like they come from corporate departments. What they all have in common is that they try to convince the recipient to take action by clicking a link, providing some sensitive information or downloading an attachment, giving the hacker a way to carry out an attack.

While phishing can occur through various means, including social media and even the phone, email is the most common method, accounting for over half of infection attempts in 2020.

Targeting corporate emails, therefore, is an easy way for criminals to use employees as a bridge to hack a company, which is why businesses spend huge amounts of time and money on educating their staff so that they don't fall for the trick. 

According to F-Secure's analysis, users submitted an average of 2.14 emails each during the period of the research. On average, organizations with 1,000 seats report 116 emails per month.

The most common reason users gave for reporting emails was a suspicious link, which was cited in almost 60% of the cases, closely followed by spotting incorrect or unexpected senders. Participants also mentioned suspicious attachments and suspected spam as reasons to flag.

F-Secure's analysis shows that some words and phrases are associated with a high risk of phishing. They include "Warning", "Your funds has" or "Message is for a trusted". 

This points to a common denominator in phishing emails: they are often made to play with the victim's emotions, and designed so that clicking on a bad link is the most intuitive and easiest thing to do. 

Despite regular cybersecurity training and reminders that they should be careful, therefore, there is always a risk that employees will be deceived. Researchers have previously found that the average response rate to phishing attacks among employees stands at around 20%, with higher click rates found for phishing simulations that contain authority or urgency clues.

But F-Secure's new study seems to show that employees still have a good eye for a phishing email. "You often hear that people are security's weak link. That's very cynical and doesn't consider the benefits of using a company's workforce as a first line of defense," said F-Secure director of consulting, Riaan Naude. "Employees can catch a significant number of threats hitting their inbox if they can follow a painless reporting process that produces tangible results." 

Naude, however, also pointed out that employee-led efforts in the field of cybersecurity can create huge amounts of additional work for cybersecurity teams that are already swamped.

And the number of emails reported by employees is only increasing. Over the past 18 months, cybersecurity teams have effectively had to adapt to the rise of remote working, which has hugely expanded the attack surface that hackers can target. As new working practices were deployed in a hurry, malicious hackers were able to exploit the reduced level of monitoring activity to target corporations even more aggressively.  

The UK's National Cyber Security Centre (NCSC) removed about 1.4 million URLs responsible for 700,000 online scams last year – that is, more content in 12 months than was taken down in the previous three years combined.
