Beware: Phishing Is Still a Thing, Because It Works


It turns out that old-fashioned phishing has new-fangled ways of taking advantage of us. Be on guard.

Sometimes, people get tired of hearing the same old advice — but they need to hear it again anyway. Eat healthier. Exercise more. Spend less. And: DON’T CLICK ON ATTACHMENTS IN EMAILS YOU DON’T EXPECT.

I know, I know, you would never do that. But you’ll be stunned to find out how many people do. In fact, that’s the big lesson from Verizon’s annual Data Breach Investigations Report. We’ll get to that in a moment. But first, let me discuss human nature — because that’s what we’re really talking about here.

I’d have a really tough time pitching a story to an editor about phishing. That story is so 1999. And yet, there’s a reason your inbox and mine are still full of notes claiming to be from banks that need your account number and password: Phishing works.

And it doesn’t only work on you. It works on big organizations, like hospitals. There are multiple reports that the dramatic ransomware attacks suffered recently by health care providers — you know, the ones that reduced hospitals to scheduling surgeries with pencil and paper — began with successful phishing emails. Yes, employees click on emails, and they click on attachments, and, then, hackers are off to the races.

Why does this keep happening? Human nature is pretty tough to overcome. Think back to one of the original global virus epidemics — the LoveBug. It worked for one reason: Who doesn’t want to get a love letter?

Techniques have only improved since then. Today, hackers can handcraft phishing emails with personal details, such as “Our boss Rick really needs you to open this file for him.”

The other reason phishing works is, to borrow from the band Pink Floyd, the Momentary Lapse of Reason. You can have your guard up 23 hours and 59 minutes a day (I hope you aren’t reading email that much), but all it takes is one slip, and down the hole the hackers go. We all get distracted and do dumb things. We are all vulnerable some of the time. Hackers have 24 hours every day to attack.

And so, phishing works. In fact, Verizon seems to think it actually worked “better” last year than the year before. In the dataset Verizon studied, 30 percent of phishing messages were opened — compared with 23 percent the year before. And 12 percent of the time last year, recipients went on to click a malicious attachment or link, enabling the attack to succeed — in 2014 that figure was 11 percent.

Even more alarming, on average, it took less than 4 minutes for targeted recipients to open a phishing email and click on a malicious link. Hackers get to work quickly.

It’s important to know the attacks that targeted hospitals and other organizations are not your father’s phishing. These bad guys aren’t trying to direct victims to a website and trick them into entering credentials or account numbers. They simply want to execute rogue code on the victim’s computer through an exploit, so they can then have their way with the target network — installing ransomware, for example.

In the old-school style of attack, victims had a third moment to pause and consider the gravity of their actions (open the email, click on link, enter data). New phishing emails only offer two such moments, and they are much more passive. That makes phishing more dangerous.

And that’s partly why ransomware made the biggest jump in Verizon’s list of most common attacks.

Email users still aren’t getting the message. As Verizon’s report puts it: “Apparently, the communication between the criminal and the victim is much more effective than the communication between employees and security staff.”

In addition to training, organizations can help themselves by filtering out phishing emails so they never get to employees in the first place. And perhaps most critically, they should carefully segment networks so that when human nature strikes, the damage is limited.

What do you know about the threats that arrive by email? What kind of information would you most like to receive? Share with us in comments below or on our Facebook page.

More from Bob Sullivan:
