We Are Still Not Great at Spotting Phishing Emails

June 16, 2017

The United States reports more phishing scams than any other country. Software as a Service (SaaS) company Diligent Corporation wrote that 156 million phishing email messages are sent out each day, with 16 million of them making it past spam and phishing filtering tools. In 2016, approximately 225,000 of these were sent out each month. To determine just how good we are at identifying these, Diligent surveyed over 2,000 people between the ages of 18 and 75, and the bottom line is that we are very poor at distinguishing real messages from fake ones.

Two dozen email messages were sent to survey respondents. The goal was to find out how successful they were at identifying email messages designed to scam them. The following percentages show how often respondents were tricked, depending on the details in the message:

- 68.3% if the message appeared to come from a co-worker asking to schedule a meeting.
- 60.8% from a social media site.
- 37.6% from the file-sharing site Dropbox stating a file is being shared with the recipient.
- 26.7% from a software company requesting that an update to an account be made.
- 23.9% from a social media company asking for login details to be changed.
- 22.1% involved a court notice of some type.
- 16.6% were supposedly from banks requesting information in order to restore account access.
- 14.7% appeared to be from the IRS advising the recipients of a tax refund.

As can be seen here, it is not so easy to spot the scams. There are warning signs that, while certainly not a guaranteed giveaway, can give us a few clues:

- Spelling and grammatical errors
- Generic greetings, such as “Dear User”
- The sender is not familiar or the information inside the message doesn’t make a lot of sense
- Requests that make something seem very urgent or that are threatening, such as “if you don’t send money now, your account will be locked”
- Requests for personal or sensitive information
- Something that is too good to be true
- The web address or URL is odd or suspicious
- Requests for money, especially in the form of gift cards or wire transfers
- The details of the message are vague and require the recipient to click on a link or download a file in order to get the missing details
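
Several of the warning signs above can be checked mechanically. The script below is an added example, not code from the original post or from Diligent's survey: it parses a raw email and reports which signs it trips (generic greeting, urgency or threats, requests for credentials or money, and links whose visible text names a different site than the one the href actually points to). The phrase lists, domain names and both sample messages are constructed for illustration; a production mail filter would use far richer signals, and a clean result from this script says nothing about a message's safety.

```python
"""Heuristic phishing-indicator checker (added example, constructed inputs)."""
import re
from email import message_from_string

# Constructed phrase lists; real filters use far larger and tuned vocabularies.
GENERIC_GREETINGS = ("dear user", "dear customer", "dear account holder",
                     "dear valued member", "hello user")
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be locked",
                   "will be suspended", "act now", "final notice")
CREDENTIAL_PHRASES = ("password", "login details", "verify your account",
                      "social security number", "confirm your identity")
MONEY_PHRASES = ("gift card", "wire transfer", "send money")

# An <a> tag with a quoted href, capturing the href and the visible inner text.
ANCHOR_RE = re.compile(r'<a\b[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
# Visible link text that reads like a URL or bare domain; group 1 is the host.
SHOWN_HOST_RE = re.compile(
    r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$")
TAG_RE = re.compile(r"<[^>]+>")


def registered_domain(host):
    """Crude registrable-domain reduction: 'accounts.example.com' -> 'example.com'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mismatched_links(html):
    """Return hrefs whose visible text names a site other than the real target."""
    bad = []
    for href, inner in ANCHOR_RE.findall(html):
        shown = SHOWN_HOST_RE.match(TAG_RE.sub("", inner).strip())
        target = re.match(r"^https?://([^/?#:]+)", href.strip())
        if shown and target and \
                registered_domain(shown.group(1)) != registered_domain(target.group(1)):
            bad.append(href)
    return bad


def _body_parts(msg):
    """Yield (content_type, decoded_text) for each text part of the message."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            yield ctype, raw.decode(part.get_content_charset() or "utf-8", "replace")


def phishing_indicators(raw_message):
    """Return the names of the warning signs triggered by a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    plain, html = [], []
    for ctype, text in _body_parts(msg):
        (html if ctype == "text/html" else plain).append(text)
    # Strip tags from HTML parts so keyword checks see only visible text.
    body = "\n".join(plain + [TAG_RE.sub(" ", h) for h in html])
    lower = body.lower()
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    first_line = lines[0].lower() if lines else ""

    found = []
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    if any(p in lower for p in URGENCY_PHRASES):
        found.append("urgency or threat")
    if any(p in lower for p in CREDENTIAL_PHRASES):
        found.append("request for credentials or personal information")
    if any(p in lower for p in MONEY_PHRASES):
        found.append("request for money")
    if any(mismatched_links(h) for h in html):
        found.append("link text does not match its target")
    return found


# Constructed sample: a credential-phishing message dressed up as a bank notice.
PHISH_SAMPLE = """\
From: "First Example Bank" <alerts@first-example-bank-secure.example.net>
To: victim@example.org
Subject: Your account will be locked
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear User,</p>
<p>Unusual activity was detected. Your account will be locked within 24 hours
unless you verify your account and confirm your password.</p>
<p><a href="http://first-example-bank-secure.example.net/login">www.firstexamplebank.com</a></p>
</body></html>
"""

# Constructed sample: an ordinary meeting request from a colleague.
BENIGN_SAMPLE = """\
From: Alice <alice@example.org>
To: bob@example.org
Subject: Thursday sync

Hi Bob,

Can we move Thursday's project sync to 2pm? The room is booked until then.

Thanks,
Alice
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, "->", phishing_indicators(sample) or ["no indicators"])
```

The link check is the one sign that cannot be faked away by careful wording: whatever the visible text says, the href is where the click actually goes, which is why the advice to type the site's address yourself rather than follow the link holds even for polished messages.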

A good rule of thumb for deciding whether to click a link, open an attachment, or send personal details in response to an email is to use common sense. If it is sent from an unfamiliar sender, includes vague details, is unexpected, or just seems suspicious, trust that instinct and put the message in the trash. To verify or change any account details, go directly to the website's login page rather than following a link in the message.

Interestingly, the email messages with the lowest success rate were those that claimed "you're a winner." Those duped fewer than 3%. The age group that was best at spotting the fakes was those between 45 and 54. The worst was those over 65, followed closely by those between 18 and 24.

© Copyright 2017 Stickley on Security