Few people these days fall for unsolicited emails from Nigerian princes offering juicy commission to transfer funds from a multimillion-dollar inheritance. But still plenty of Kiwis are being sucked in by a rising number of email phishing scams – and you can blame their impulsive email behaviour.
CCL’s security awareness service, which each week sends phishing look-a-like emails to thousands of employees working in organisations across the country, is registering a phishing success rate of 20-to-30 per cent among participating employees presented with their first duplicitous email.
CCL’s Head of Security, Tim Sewell, said analysis showed that while people in all job roles fell victim to phishing attacks, certain personality types, especially Type-A personalities often found working in sales and leadership roles, appear more inclined to click duplicitous links and attachments.
However, personality type wasn’t the only factor to determine susceptibility, he said. “Personal workloads, stress, timing and context also influence the success rates of phising attacks. For example, receiving a phishing email that looks like a courier company when you’re expecting to receive a parcel – bingo.”
Sewell said CCL’s training and education programme had reduced phishing success rates to around five per cent, with well-trained employees now regularly reporting phishing scams and being part of the solution.
In the meantime, real-life phishing incidents were likely to remain high as phishermen got more sophisticated, launching scams from previously compromised email accounts and impersonating trusted providers, such as Microsoft Office 365, Amazon, Google, even the IRD and NZ Post, he said.
“More people are working in the cloud and using browser-based logins to access services. As this behaviour becomes routine, people tend to let their guard down, providing an easy in for fraudsters to steal user login credentials,” said Sewell.
A report published by cloud security firm Avanan shows one in every 99 emails is a phishing attack, using malicious links and attachments as the main vector.
Closer to home, CERT NZ figures show the number of malware reports from Kiwi organisations more than doubled to 43 in the three months ended 31 December.
Phishing campaigns containing malware and targeting business customers of some New Zealand banks contributed to the increase. And in three incidents reported to the NCSC this year, New Zealand organisations lost nearly NZD$800,000 to ‘successful’ fraudulent invoice emails.
Sewell said multi-factor authentication (also known as MFA) helped reduce credential theft – one of the main prizes from phishing attacks – by requiring users to authenticate themselves to a website by another method, in addition to the standard username and password login procedure.
However, he said the additional cost of MFA and the inconvenience to users who are quick to moan about laboured access discouraged adoption, increasing the “attack surface” for criminals.
“And that’s a big problem, because once the bad guys have captured a user’s credentials their behaviour goes largely unnoticed – because there isn’t anything to trigger a security alert,” said Sewell. “That gives the crims time to watch and learn, email customers with revised payment details, send out mocked-up invoices, gain the trust of contacts linked to the compromised email account, and reply to existing emails.”
He said regular friendly phishing exercises, multi-factor authentication, and anti-phishing technology were essential steps in the current cybersecurity landscape, - though tweaking existing policies in some cases was the fastest way to bolster defences, he said.
“For example, financial policies should ensure requests to change payment details are authorised and properly validated, without relying on email. Don’t accept emails as authorisation of payment method. And if someone keeps taking the phishing bait, maybe they’re in the wrong job,” said Sewell.