Phishing Still An Effective Hacking Method: Study

by CXOtoday News Desk    Nov 11, 2014


Phishing emails, or spam messages that claim to come from a legitimate source but actually lead to a fake website, remain a surprisingly effective method of hacking into online accounts even today, according to a recent security report. Researchers at Google and the University of California, San Diego, reveal that some websites linked from phishing emails successfully trick users up to 45 percent of the time. The researchers did not expect these scams to be so widespread. The only way to combat this menace is to educate users more effectively, says the study.

Researchers looked at 100 phishing emails picked out of a random sample self-reported by Gmail users and found that once users reach the bogus pages, which tend to copy legitimate sites, one fifth of them unwittingly submit their information to the attackers. The study also reviewed a random sample of 100 phishing websites caught by Google's Safe Browsing system to further understand how the scams work. Investigators were then able to look back and see how people had interacted with the emails and websites.

Google noted that this is big business for scammers: a single attacker can be responsible for millions of phishing emails, and the study found that even on the worst-performing phishing websites, 3 percent of users still submitted their data, while on the most effective phishing sites as many as 45 percent did. Researchers also found that 20 percent of hackers access compromised accounts within 30 minutes of obtaining the credentials.

“Regular training can ensure your staff are vigilant and prevent these attacks. Security measures, too, play a role, but ultimately, encourage people to think before merely clicking,” explains Simon Campbell-Young, a cybersecurity expert, in a recent blog post.

According to him, the past few years have seen a tremendous rise in the use of email as an attack vector for enterprises and larger entities.

These attacks have also evolved in sophistication. “The next step in the evolution is spear phishing, a highly targeted approach that sends a mail to specific recipients with the hope of breaching their organization,” writes Campbell-Young.

Google also recommends that users report suspicious-looking messages and visit websites directly to log in, rather than clicking through a link in their email program. Gmail users should make sure they have set up backup information (like a phone number) that can be used to restore the account if it is compromised, and switch on two-step verification to make it harder for unwelcome visitors to gain access to the account. The search giant claims to have blocked 99 percent of hijackings in the last few years.