“I will never click on suspicious links or give my passwords to anyone.” I am sure we all could say this and be totally confident with the statement.
Unfortunately, this is not true. Not even close to the truth.
F-Secure shared some data on Wednesday to prove their case. Their experts sent out a fake LinkedIn email to see how many of the client organization’s employees would click on a link in an unsolicited email.
52 percent of employees clicked.
In another test, F-Secure’s red team created an email leading to a fake portal where employees would need to log in using their domain credentials.
26 percent of recipients followed the email link to the portal, and 13 percent actually entered their login credentials.
“You’d be amazed by what people click on while they’re working. They’re not stupid, just caught off-guard, not necessarily expecting to be duped,” Tom Van de Wiele, Principle Security Consultant at F-Secure, said in a statement.
F-Secure said attackers consistently prey on companies that have what cyber security experts call a “false sense of security” when it comes to relying too much on technology to defend their networks.
“Using technology to solve human problems just doesn’t work, and anyone telling you different is selling magic beans,” Van de Wiele said. “Real-life attackers, especially criminals, live off perfecting subtle social engineering tricks that trick human beings into letting their guard down. And letting employees believe that cutting edge security technologies will handle everything gives a false sense of security, which is something today’s attackers are counting on.”
Phishing exemplifies what Van de Wiele says are failings related to overconfidence in technology. According to PwC’s Global State of Information Security Survey 2017, phishing was the No 1 vector for cyber attacks targeting financial institutions in 2016. And based on the spread of managed phishing-as-a-service bundles on the dark net, these attacks are likely to become more prevalent going forward.