'Coworker' Phish Mails, Social Media Lures Fool Most Americans


As smartphones become more sophisticated, so do the phishing tactics used to trick unsuspecting Americans into handing over sensitive financial information. For instance, 68% of Americans were fooled by emails that looked like they came from a coworker.

That’s according to an experiment by Diligent, which put more than 2,000 people to the test, surveying them on their experiences as well as seeing if they could discern real emails from fake ones. In addition to the faux coworker messages, Americans reliably fell for social media messages with the phrase, “Did you see this pic of you? LOL”—this gambit fooled nearly 61% of participants.

On the other hand, fewer than 3% of respondents fell for an email claiming they won a big cash prize from a soft drink company, and less than 6% fell for a contest claiming they won a credit card voucher.

The takeaway? While Americans are getting better at detecting generic phishing attempts, those that are even superficially personalized are succeeding in tricking people at much higher rates.

An estimated 156 million phishing emails are sent worldwide every day, according to the US Postal Service, and about 16 million of those make it through spam filters and into our inboxes. In fact, the global nonprofit Anti-Phishing Working Group (APWG) recorded more unique phishing campaigns in the first quarter of 2016 than in any other three-month span since it began tracking data more than a decade ago, with an alarming jump from about 99,000 documented campaigns in January 2016 to over 229,000 in March 2016. In all, there has been a nearly tenfold increase in phishing in just five years.

The results for the cybercriminals are there: More than 50% of Diligent participants said they’ve had an unauthorized charge on their credit cards, 33% said their email accounts had been hacked, and 24% reported having their social media accounts hijacked.

Phishing emails typically claim that you have won a prize, that a friend is stranded abroad, that there is a problem with your account, or that you simply need to update your credit card or password details. Spelling and grammatical mistakes are warning signs that the email is a fake, as are a generic opening that doesn’t address you by name and offers that seem too good to be true. And indeed, anything that claimed “you’re a winner” in the Diligent experiment had the lowest success rate.

But as Americans have become more suspicious, scammers have had to work harder to seem legitimate. Many copy company logos and hide the real destination of a link behind innocuous-looking link text or a look-alike domain, so that the visible address and the address actually visited do not match. Personalization boosts success rates even further.

Medium-level success was seen with emails declaring a problem with an account or a new security measure—these tricked nearly 27% of respondents. Social media companies allegedly implementing new login procedures, credit-card companies asking the user to open an attachment and verify account details, online merchants saying they’ve temporarily suspended an account, and even banks asking the user to “click here” to restore account access also had fair success.

Overall, the average score on the phishing quiz was 76.9%—a C+ in most American classrooms.

“[This] doesn’t sound so bad until you realize that one in four phishing attempts fooled the group,” the report noted. “That’s pretty scary when it comes to giving out personal financial information, but it can also affect work—missing a real meeting request from your boss could have unpleasant career consequences….Phishing victims can be any age or gender and can come from any walk of life, which is why it’s important to know the risks and take measures to protect your data, secure your communications, and stay away from risky emails.”
