The folks at Tripwire conducted a survey at the recent RSA security conference in San Francisco.
They polled 200 security professionals about ransomware and phishing. I commented on their ransomware findings elsewhere, but I was also interested to see their stats on whether top-level managers were likely to spot a phishing scam.
The survey found 52% of respondents were “not confident” that their company’s executives would spot a phishing scam.
Does that number surprise you? It did me. Because I think it should be much, much higher.
Sure, maybe many people would be able to spot a phishing email claiming to come from their bank or webmail provider by hovering their mouse over the link and determining that it wasn’t going to take them to the legitimate site - but I can imagine more sophisticated phishing attacks than that.
For instance, a targeted phishing attack might identify where a member of your executive team sends their kids to school.
School websites are typically poorly maintained due to lack of funding, perhaps using a CMS that isn’t kept properly updated and patched, and provide opportunities for determined hackers to break in and create their own pages on the real school website.
It’s well within the capabilities of an attacker to forge an email to the company executive they are targeting, make it appear as if it comes from the school, and link it to the phishing webpage they have created on the school’s *own* website. Even if the user hovers their mouse over the link, they probably won’t spot anything suspicious.
The likelihood that anyone will check the email’s headers closely is nearly zero.
What’s that? You don’t think anyone would be interested in the credentials parents use to log into their child’s school website? Well, perhaps not - but then bear in mind the worrying proportion of people who use the same password for just about every site they access.
And, of course, the same method could be used to trick a member of your company into visiting a malware-infected webpage on a legitimate website.
Always be on your guard against phishing attacks, and never reuse passwords on different websites.