Up to 60% of office workers are regularly duped by spam phishing messages that put their company’s internal network at risk, a survey by web advisers PhishMe has found.
The survey – which recorded the experiences of 1,000 office workers across the UK – found that employees were targeted by an average of six phishing emails per day, creating a significant risk to private company information and the storage of personal details.
Research conducted by Trend Micro, the global providers of antivirus systems and cloud computing, found that 91% of targeted attacks on corporate networks are initiated through the opening of a spear phishing message.
Aaron Higbee, CTO of PhishMe, has stated that employees currently underestimate how serious the consequences could be should their company or personal details be obtained, believing that a lower position in the company hierarchy would remove them as a potential target for phishers.
He said: “Spear phishing is the criminals’ preferred method of choice if they want to get inside an organisation. Some employees falsely believe that their role isn’t important enough for a hacker to attempt to spear phish them. If the attacker’s main goal is to simply obtain access to an internal network, they won’t discriminate.
“We have found that workers are not connected to protecting their corporate assets. They believe it’s the security team’s job to protect them from all outside threats, and that security products alone can protect the ‘corporate crown jewels’.
“However, it’s a different case when it comes to people protecting their own data on their mobile devices or home computers — our experience shows that people are far more likely to be on their guard when looking at emails at home because they have far more to lose than at work.”
“Everyone is a potential target. Their methods are increasingly more sophisticated and use social media more and more to tailor-make emails that trick people into opening them.”
Last month, GFI Software issued a VIPRE report stating that phishing attacks on social media channels had risen to record levels, with spammers becoming particularly active on the sites of industry-leading networks, such as Twitter and Facebook, as well as disguising phishing messages as event invitations on LinkedIn.
Some attacks even adopt the guise of the social media network itself, with many employees falling foul of messages claiming to be from Facebook administrators stating that they had violated the company’s policies by insulting or offending other users. They are then asked to re-confirm their details – which are collected by the spammers – to avoid being evicted.
A number even played on the Facebook ‘credit’ system by requesting the first six digits of users’ credit card details, whilst phishing attempts on LinkedIn were aimed directly at those who categorised themselves as occupying a managerial position in order to maximise the potential of the information that could be gathered.
Christopher Boyd, senior threat researcher at GFI Software, said: “More and more young people entering the workforce think of social networking as a standard part of everyday life. By focusing their efforts on these sites, cyber criminals can increase their chances of fooling a larger number of users to unknowingly download malware onto their PCs and mobile devices.
“As a result, these users end up providing social network account information that can be used to reach even more potential victims.”