Sometimes, people get tired of hearing the same old advice — but they need to hear it again anyway. Eat healthier. Exercise more. Spend less. And: DON’T CLICK ON ATTACHMENTS IN EMAILS YOU DON’T EXPECT.
I know, I know, you would never do that. But you’ll be stunned to find out how many people do. In fact, that’s the big lesson from Verizon’s annual Data Breach Investigations Report. We’ll get to that in a moment. But first, let me discuss human nature — because that’s what we’re really talking about here.
I’d have a really tough time pitching a story to an editor about phishing. That story is so 1999. And yet, there’s a reason your inbox and mine are still full of notes claiming to be from banks that need your account number and password: Phishing works.
And it doesn’t only work on you. It works on big organizations, like hospitals. There are multiple reports that the dramatic ransomware attacks suffered recently by health care providers — you know, the ones that reduced hospitals to scheduling surgeries with pencil and paper — began with successful phishing emails. Yes, employees click on emails, and they click on attachments, and, then, hackers are off to the races.
Why does this keep happening? Human nature is pretty tough to overcome. Think back to one of the original global virus epidemics — the LoveBug. It worked for one reason: Who doesn’t want to get a love letter?
Techniques have only improved since then. Today, hackers can handcraft phishing emails with personal details, such as “Our boss Rick really needs you to open this file for him.”
The other reason phishing works is, to borrow from the bank Pink Floyd, the Momentary Lapse of Reason. You can have your guard up 23 hours and 59 minutes a day (I hope you aren’t reading email that much), but all it takes is one slip, and down the hole the hackers go. We all get distracted and do dumb things. We are all vulnerable some of the time. Hackers have 24 hours every day to attack.
And so, phishing works. In fact, Verizon seems to think it’s actually worked “better” last year than the year before. In the dataset Verizon studied, 30 percent of phishing messages were opened — compared with 23 percent the year before. And 12 percent of the time last year, recipients went on to click a malicious attachment or link, enabling the attack to succeed — in 2014 that figure was 11 percent.
Ever more alarming, on average, it took less than 4 minutes for targeted recipients to open a phishing email and click on a malicious link. Hackers get to work quickly.
It’s important to know the attacks that targeted hospitals and other organizations are not your father’s phishing. These bad guys aren’t trying to direct victims to a website and trick them into entering credentials or account numbers. They simply want to execute rogue code on the victim’s computer through an exploit, so they can then have their way with the target network — installing ransomware, for example.
In the old-school style of attack, victims had a third moment to pause and consider the gravity of their actions (open the email, click on link, enter data). New phishing emails only offer two such moments, and they are much more passive. That makes phishing more dangerous.
And that’s partly why ransomware made the biggest jump in Verizon’s list of most common attacks.
Email users still aren’t getting the message. As Verizon’s report puts it: “Apparently, the communication between the criminal and the victim is much more effective than the communication between employees and security staff.”
In addition to training, organizations can help themselves by filtering out phishing emails so they never get to employees in the first place. And perhaps most critically, they should carefully segment networks so that when human nature strikes, the damage is limited.
What do you know about the threats that arrive by email? What kind of information would you most like to receive? Share with us in comments below or on our Facebook page.
More from Bob Sullivan: