From the most basic ‘you’ve won a prize’ scams to the most advanced espionage campaigns, attacks targeting our inboxes are successful again and again.
There’s a reason cyber criminals and hackers continue to send millions of phishing emails: no matter whether you’re working from the office or working remotely from home, email still plays a vital part in our working day. Sure, there’s now a place for Slack, or Zoom, or Microsoft Teams, or whatever overlay of productivity software you are expected to use.
But for most people, getting stuff done still comes down to email.
The strengths of email: anyone can email you, and add all sorts of attachments. The weaknesses of email: anyone can email you and add all sorts of attachments. That makes it one of the most powerful productivity tools around – and a big source of risk.
Most of us are still dealing with email overload (now we also have overload via all those other communications tools, too). That means you are still potentially looking at – and trying to respond to – hundreds of messages from colleagues, clients or anyone else you do business with, every day.
But how long do you spend looking at those emails, and are they really from who they claim to be from?
Cyber criminals know that our time is tight and we’re not going to have a chance to carefully analyse every message which reaches our inbox – one of the reasons why phishing is still so successful.
And they’re using it for all manner of malicious campaigns: tricking us into clicking fake – but convincing – links that ask us to enter our username and password, convincing us to make urgent financial transfers, and duping us into downloading malware or ransomware from malicious attachments. Phishing continues to be an effective weapon in the hackers’ cyber arsenal.
Some scoff at how phishing emails are still such an effective attack tool; sometimes they outright blame the victim for opening the spam email and following the instructions – but blaming the victim is wrong.
For a start, if anti-virus software and spam filters were being used and implemented correctly, in most cases, there’s far less chance of malicious emails landing in people’s corporate inboxes in the first place – that’s a technology problem, not a people problem.
In addition, it’s become incredibly difficult for us to separate spam emails from everything else that lands in our inbox, especially when, for many of us, so many of those emails relate to office admin – and cyber crooks know it.
According to security awareness and phishing training provider KnowBe4, some of the most common subject lines used in phishing emails during the last year are related to IT software updates, messages from HR about performance, and messages which claim your boss has sent you a link to join a meeting.
Many of us are used to seeing and clicking on emails like this every single day, as they’re part of how we do our jobs – if you get an email that says it’s from your boss about an unexpected meeting, that’s likely to send you into a panic so you’ll click through.
Then, with messages which claim to be about software updates and security patches, the user is just trying to do the right thing – ironically, by doing what was asked and thinking they’re helping to protect their computer from cyber-attacks, they’re accidentally enabling one instead.
But while it’s very possible to provide staff with phishing training, it needs to be effective – one multiple choice quiz a year isn’t going to cut it. But neither will ‘gotcha’ style phishing tests, where fake phishing emails appear to be designed to be indistinguishable from real emails the victim will be sent every day.
It’s unlikely that phishing attacks will ever be outright stopped – at least soon – but there are steps which organizations and individuals can take to help ensure they’re as protected against them as possible.
For starters, if you’re uncertain about something, don’t immediately click on it – if the email claims to be from a colleague, use a channel that isn’t email to ask them if they sent it. If it’s an email demanding urgent action because of an issue with your account, don’t click the link in the email; instead, log in to the account via the official URL – if something is wrong, it will tell you there.
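The advice above turns on one check: does the link actually go where it appears to go? The following is an added example for this article, not code from ZDNet or from any vendor it mentions. It extracts every link from an HTML email body and flags anchors whose visible text looks like a URL or domain but whose real destination is on a different domain, which is the classic disguise behind the ‘convincing fake link’. The sample email body, the domain names in it (all on reserved `.test`/`example` names) and the `find_mismatched_links` helper are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


def host_of(url_or_text):
    """Hostname of a URL; bare domains without a scheme are accepted too."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return urlparse(s).hostname or ""


def registrable_domain(host):
    """Crude registrable domain (last two labels). A real deployment would
    use a public-suffix list; this keeps the demo self-contained."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


# Visible anchor text that looks like a URL or a domain name.
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:www\.)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def find_mismatched_links(html):
    """Return (visible_text, href) pairs where the text shows one domain
    but the href really points at another."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not DOMAIN_RE.match(text):
            continue  # plain wording like 'Help centre' carries no domain claim
        shown = registrable_domain(host_of(text))
        actual = registrable_domain(host_of(href))
        if shown and actual and shown != actual:
            findings.append((text, href))
    return findings


# Constructed sample email body: one honest link, one disguised link, one plain-text link.
SAMPLE_EMAIL_HTML = """
<p>Your account will be suspended in 24 hours unless you verify it.</p>
<p><a href="https://login.example-bank.com/verify">https://login.example-bank.com/verify</a></p>
<p><a href="http://example-bank.com.lookalike.test/login">https://example-bank.com/login</a></p>
<p><a href="https://example-bank.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"link text {text!r} actually points at {href!r}")
```

A mail gateway or a browser extension can run exactly this comparison before the user ever hovers over the link; the check is deliberately conservative, skipping anchors whose text makes no domain claim, so it flags disguise rather than every shortened or tracking link.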
In addition to this, using multi-factor authentication (MFA) can go a long way to prevent usernames and passwords of both corporate and personal accounts being stolen – although it isn’t completely infallible against determined attackers.
Phishing attacks prey on human nature – on our hopes and our fears – which is why they work. And until we find a replacement for email itself, they’re unlikely to go away.
ZDNET’S MONDAY OPENER
ZDNet’s Monday Opener is our opening take on the week in tech, written by members of our editorial team.