Month: October 2016
So much for counter-phishing training: Half of people click anything sent to them Even people who claimed to be aware of risks clicked out of curiosity.
SEAN GALLAGHER 8/31/2016
Sean is Ars Technica’s IT Editor. A former Navy officer, systems administrator, and network systems integrator
Security experts often talk about the importance of educating people about the risks of “phishing” e-mails containing links to malicious websites. But sometimes, even awareness isn’t enough. A study by researchers at a university in Germany found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages—even though most of them claimed to be aware of the risks.
The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, led by FAU Computer Science Department Chair Dr Zinaida Benenson, revealed the initial results of the study at this month’s Black Hat security conference. Simulated “spear phishing” attacks were sent to 1,700 test subjects—university students—from fake accounts.
The e-mail and Facebook accounts were set up with the ten most common names in the age group of the targets. The Facebook profiles had varying levels of publicly accessible profile and timeline data—some with public photos and profile photos, and others with minimal data. The messages claimed the links were to photos taken at a New Year’s Eve party held a week before the study. Two sets of messages were sent out: in the first, the targets were addressed by their first name; in the second, they were not addressed by name, but more general information about the event allegedly photographed was given. Links sent resolved to a webpage with the message “access denied,” but the site logged the clicks by each student.
The messages that addressed the targets by name scored clicks from 56 percent of e-mail targets and 37 percent of Facebook message recipients. But while the less-targeted messages in the second test only yielded 20 percent results for the e-mails, they scored 42 percent via Facebook messages.
“The overall results surprised us, as 78 percent of participants stated in the questionnaire that they were aware of the risks of unknown links,” Dr Benenson said in a FAU posting on the research. “And only 20 percent from the first study and 16 percent from the second study said that they had clicked on the link.” But in fact, of those claiming they were security savvy, “we found that 45 and 25 percent respectively had clicked on the links,” Dr Benenson said.
For those who admitted to clicking on the link, the majority said they did so out of curiosity. Half of those who didn’t were warned off because they didn’t recognize the sender’s name, and a small minority avoided clicking because they were concerned about the privacy of the person who may have accidentally sent them the link. “I think that with careful planning and execution, anyone can be made to click on this type of link, even if it’s just out of curiosity,” Benenson said.
Given the vast amount of personal data that’s available to attackers—especially thanks to breaches like the one at the Office of Personnel Management, for example—crafting that sort of message for targets of interest has gotten a lot easier. The bottom line is that telling people not to click strange links is not going to be enough.
By: Steve Evans Freelance journalist, copywriter and editorial consultant
Access to social media and BYOD are the biggest internal security threats businesses face, while organized cybercrime is the greatest external threat, according to a new report from fraud specialists Callcredit Information Group.
The group’s Fraud and Risk 2016 Report found that fraud prevention managers and directors rated employee access to social media websites and services (43%) and BYOD to work (35%) as the biggest obstacles IT faces when it comes to preventing data breaches. Lack of knowledge about security threats (28%) and access to personal email accounts (25%) are also considered problematic.
As well as being worried about those internal threats, fraud managers also fear external risks. Organized cybercrime is listed as the current biggest threat, with 75% of respondents fearing it. Respondents to the survey were also worried about identity fraud (51%), money laundering (50%) and social engineering, such as phishing (46%).
However, many appear to see organized crime as a short-term issue; only 26% think organized crime will still be as big a threat in two or three years. Instead, denial of service is expected to be the primary external threat in the future, ahead of “malicious, external loss or compromise of data” (50%), and “accidental, internal loss or compromise of data by an employee” (50%), and ransomware (48%).
Fraud managers seem particularly worried about internal threats. More respondents (46%) considered the threat of malicious, internal loss of data or fraud by an employee a greater threat than the same threats from external parties (42%).
Despite these worries, many fraud managers feel their organization is ahead of those cyber-criminals who specialize in fraud. Just 13% feel they are behind the fraudsters, while 75% feel on top of things.
The report also brought up interesting reactions to Brexit. While most respondents (57%) feel it will have little impact on the risk of fraud, 28% feel it will increase it. That’s primarily driven by a fear that leaving the EU will reduce information sharing between the UK and European anti-fraud authorities.
“As fraud in our society grows, and as geographically mobile individuals increasingly need to establish their digital identity, so the pressure on fraud and risk professionals to protect their organizations and consumers mounts,” said John Cannon, director, fraud & ID, Callcredit Information Group.
“Whilst fraud professionals might be confident in their abilities to prevent and deal with a potential breach, our research suggests that employees need much more education on the risks. Explaining the threats, giving them suggestions on how to protect themselves and informing them about ways to spot a breach could be instrumental in protecting a company from cybercrime. Organizations are only as strong as their weakest link, and the entire workforce needs to understand what the cyber vulnerabilities are in order to prevent them,” he added.