Despite warnings to be vigilant in following links in mails and the like, phishing continues to be an effective tactic for infiltrating enterprise networks. Testing the ability of 18,000 business users globally in detecting online scams, the McAfee Phishing Quiz uncovered that only 7% of business users were able to identify whether a set of 10 emails were phishing emails or the real thing.
Since the last report, McAfee Labs has collected more than 250,000 new phishing URLs globally, leading to a total of nearly one million new sites in the past year. Not only did they see an increase in total volume, but a significant rise in the sophistication of the phishing attacks occurring in the wild. Results showed both mass campaign phishing and spear phishing to still be rampant in the attack strategies used by cyber-criminals around the world.
“As highlighted by our latest report, phishing continues to pose significant security risks for businesses and consumers alike,” said Raj Samani, EMEA CTO for McAfee, in a statement. “More worryingly, perhaps, is the lack of education around how to spot a phishing email amidst the many emails we’re sent on a daily basis. But phishing is only a small drop in the wider security threat landscape, which is ever-changing and increasingly complex. It’s no longer enough to react to threats as and when they happen.”
On a regional note, a full 79% of the 1,755 UK participants failed to detect at least one of seven phishing emails.
By a wide margin, the results show that business users in the UK are more likely to fall for a phishing attempt if it uses a spoofed sender email address – more than any other tactic tested. In fact, 62% of business users fell for an attempt that used a legitimate-appearing email address from UPS; and 52% fell for an email appearing to come from eFax.
Furthermore, results showed that finance and HR departments in that country, those holding some of the most sensitive corporate data, performed the worst at detecting scams. These had 64% and 62% accuracy rates, respectively.
Research and development (R&D) departments proved to be the strongest at detecting phishing emails, with 77% accuracy, followed closely by those in IT at 73%. Those same R&D workers in the UK also performed significantly better at detecting phishing emails than the rest of the world (which had an average of 66%) and against global R&D departments (69%).
Meanwhile, the United States continues to host more phishing URLs than any other country.
Phishing aside, in its Q2 Quarterly Threat Report, McAfee found that there have been new cybercrime opportunities since the public disclosure of the Heartbleed vulnerability, as stolen data from the continuingly vulnerable websites is still being sold on the black market. Lists of unpatched websites have quickly become hit lists for cybercriminals and tools are readily available to mine unpatched sites. With these tools, it is possible to tie together an automated system that targets known vulnerable machines and extracts sensitive information.
New malware samples rose by only 1% in the second quarter. However, with more than 31 million new samples, this was still the largest amount recorded in a single quarter. The total count of mobile malware increased by 17% in the second quarter, while the rate of new malware appears to have leveled off at about 700,000 per quarter.
Denial of service attacks meanwhile rose by 4% in the second quarter and remain the most prevalent type of network threat.