Beware: Phishing Is Still a Thing, Because It Works

It turns out that old-fashioned phishing has new-fangled ways of taking advantage of us. Be on guard.

Sometimes, people get tired of hearing the same old advice — but they need to hear it again anyway. Eat healthier. Exercise more. Spend less. And: DON’T CLICK ON ATTACHMENTS IN EMAILS YOU DON’T EXPECT.

I know, I know, you would never do that. But you’ll be stunned to find out how many people do. In fact, that’s the big lesson from Verizon’s annual Data Breach Investigations Report. We’ll get to that in a moment. But first, let me discuss human nature — because that’s what we’re really talking about here.

I’d have a really tough time pitching a story to an editor about phishing. That story is so 1999. And yet, there’s a reason your inbox and mine are still full of notes claiming to be from banks that need your account number and password: Phishing works.

And it doesn’t only work on you. It works on big organizations, like hospitals. There are multiple reports that the dramatic ransomware attacks suffered recently by health care providers — you know, the ones that reduced hospitals to scheduling surgeries with pencil and paper — began with successful phishing emails. Yes, employees click on emails, and they click on attachments, and, then, hackers are off to the races.

Why does this keep happening? Human nature is pretty tough to overcome. Think back to one of the original global virus epidemics — the LoveBug. It worked for one reason: Who doesn’t want to get a love letter?

Techniques have only improved since then. Today, hackers can handcraft phishing emails with personal details, such as “Our boss Rick really needs you to open this file for him.”

The other reason phishing works is, to borrow from the band Pink Floyd, the Momentary Lapse of Reason. You can have your guard up 23 hours and 59 minutes a day (I hope you aren’t reading email that much), but all it takes is one slip, and down the hole the hackers go. We all get distracted and do dumb things. We are all vulnerable some of the time. Hackers have 24 hours every day to attack.

And so, phishing works. In fact, Verizon seems to think it actually worked “better” last year than the year before. In the dataset Verizon studied, 30 percent of phishing messages were opened — compared with 23 percent the year before. And 12 percent of the time last year, recipients went on to click a malicious attachment or link, enabling the attack to succeed — in 2014 that figure was 11 percent.

Even more alarming, on average, it took less than 4 minutes for targeted recipients to open a phishing email and click on a malicious link. Hackers get to work quickly.

It’s important to know the attacks that targeted hospitals and other organizations are not your father’s phishing. These bad guys aren’t trying to direct victims to a website and trick them into entering credentials or account numbers. They simply want to execute rogue code on the victim’s computer through an exploit, so they can then have their way with the target network — installing ransomware, for example.

In the old-school style of attack, victims had a third moment to pause and consider the gravity of their actions (open the email, click on link, enter data). New phishing emails only offer two such moments, and they are much more passive. That makes phishing more dangerous.

And that’s partly why ransomware made the biggest jump in Verizon’s list of most common attacks.

Email users still aren’t getting the message. As Verizon’s report puts it: “Apparently, the communication between the criminal and the victim is much more effective than the communication between employees and security staff.”

In addition to training, organizations can help themselves by filtering out phishing emails so they never get to employees in the first place. And perhaps most critically, they should carefully segment networks so that when human nature strikes, the damage is limited.

What do you know about the threats that arrive by email? What kind of information would you most like to receive? Share with us in comments below or on our Facebook page.

More from Bob Sullivan:
