The results of a recent survey conducted by Censuswide has revealed the huge threat that phishing attacks pose to Irish workers due to lack of security training.
The study was conducted on 500 Irish workers by Censuswide, a survey consultancy. The survey was commissioned by Datapac, an Irish IT service management company, in conjunction with Sophos, an IT security organisation.
Phishing attacks are campaigns made by cybercriminals to obtain sensitive information such as passwords or credit card details from a victim by pretending to be a reputable organisation via electronic communication channels. The attacks are often conducted through emails. The emails will look legitimate in an attempt to fool the victim. Often, the victim is directed to a website which is a convincing copy of the genuine site. When the user inputs their credentials into the fake website, the cybercriminal can harvest them and then use them for nefarious purposes, often for financial gain. The effects of this type of identity fraud are often devastating to the victim.
According to the survey, 14% of office workers said that they have been the victim of a phishing attack conducted through email. If this proportion is consistent nationwide, that equates to up to 185,000 Irish office workers. This proportion of office workers falling for phishing attacks is similar to data seen in other counties, such as the United States.
Millennials (roughly aged between 22 and 38) were determined to be the age group most likely to be fooled by a phishing scam, with 17% of millennials surveyed claiming that they had fallen for spoof emails. Only 7% of baby boomers, who are between 54 and 74, reported were caught by fraud. Gen Xers, (39-53 years) were the least likely to fall for a phishing scam, with only 6% reporting they had done so.
While millennials were most likely to fall for a phishing scam, they were also the group that reported the highest confidence in spotting a fake email. Only 14% of those surveyed said that they would not be confident in their ability to spot a fake email. Nearly 17% of Gen Xers and 26% of baby boomers doubted their ability to spot phishing emails.
“Despite millennials’ confidence in their ability to spot an email scam, they were in fact found to have been victims most often. This confidence may stem from complacency and emphasises the need for employers to provide cybersecurity training and ongoing refresher training to ensure all staff remain alert,” said Karen O’Connor, general manager of Datapac.
The survey revealed that in spite of the rise in cyberattacks on organisations and the increasing threat of phishing attacks, one in five workers had not been given any security awareness training on the job. It was revealed that when training was provided, it did not successfully prevent employees from committing unsafe practices. Many office workers admitted to clicking hyperlinks or opening email attachments in messages from unknown senders. The results revealed that 44% of baby boomers admitted having completed one of those actions in the past, compared with 34% of millennials, and 26% of gen Xers.
Phishing campaigns have the potential to cause severe financial and repetitional damage to an organisation. Organisations who experience such attacks and are found guilty of having adequate safeguards in place-which may include improper training of staff-may face lawsuits from customers who have had their data stolen, or fines from regulatory bodies. Although training programs may be expensive in the short-term, their long-term benefits should not be overlooked.
Many organisations implement software that blocks the majority of phishing emails, it is not possible to prevent all phishing emails from being delivered to inboxes. Some emails, particularly those that are well-crafted and appear legitimate, and therefore are most likely to fool the recipient, will get through the filters. Thorough training of employees in simple good practices such as checking the URL of links embedded in emails is essential to prevent a phishing attack. An attacker only needs to fool one member of an organisation to then get a foothold in the network.
Sophos’s country manager Dermot Hayden said the security firm had seen a “pronounced increase” in instances of attempted spear phishing attacks, specifically targeting senior workers who had access to highly valuable financial and organisational information.
“If hackers can gain access to a company’s funds through this method, the financial loss could be disastrous, particularly for SMEs. It is crucial senior employees remain vigilant against these tactics,” he said.
It is recommenced that organisation supplement their annual training sessions with regular short refresher sessions to help develop security awareness.