Why employees still fall for phishing emails

Nearly half of office workers said they had their data compromised. Here's why they keep falling for phishing scams.

Hackers impersonate these 10 brands the most in phishing attacks Phishers often spoof major tech brands in their efforts to gain payments from individuals and businesses, according to a Vade Secure report.

While 80% of employees claimed they are able to discern between a phishing email and a genuine one, nearly half (49%) also said they clicked on a link from an unknown sender while at the office, according to a Webroot report released today. 

Phishing is a method of fraudulently obtaining personal information under the guise of a trusted source, mimicking emails, web pages, or other form of communication. With more than 3 billion phishing attacks sent via email each day, phishing has become one of the most popular ways of stealing employee data. 

SEE: Phishing attacks: A guide for IT pros (free PDF) (TechRepublic)

Webroot's report, titled Hook, Line, and Sinker: Why Phishing Attacks Work, surveyed 4,000 working professionals across the globe to determine why employees still fall for phishing scams. Nearly half (48%) of office workers said they have had their personal or financial data compromised as part of a breach or hack. Yet, 35% of those hacked didn't change their passwords after the breach. 

Office workers receive an average of 52 emails per day, and with the pressure to remain efficient, quickly scanning these emails and haphazardly clicking on links leaves professionals susceptible to attacks, the report found. The majority of respondents (85%) said they click at least one link in an email each work day, and 70% of respondents said they also do so outside of work.  

Oftentimes, phishing emails are disguised as emails from the professional's own company, making it especially easy to fall for when not paying close attention. Some 60% of respondents said they are more likely to open an email from their boss first, which phishers exploit, the report found.

"One of our clients' employees got an email that was supposedly from their CEO, asking the employee to help them purchase GoogleTM Play Store gift cards with the company credit card. The employee did it and sent over the codes right away, without ever questioning the request," Larry Dukhovny, owner of MyBizGeek Solutions, said in the report. "It's important to make sure employees know they are allowed (and encouraged!) to verify all unusual requests, even from management. Blindly aiming to please the higher-ups could really cost you."

Other times phishing emails may resemble a familiar brand. For example, Phishing scams targeted Mac users with 1.6 million attacks in 2019. Last year there were 1.5 million attacks using Apple's branding.

Overconfident employees

Employees are overconfident when it comes to their cyber hygiene practices, the report found. Nearly all (92%) respondents claimed they check for signs of phishing in emails, but only 43% of office workers said they verify that email links match their supposed destinations. 

"Phishing attacks continue to grow in popularity because, unfortunately, they work," George Anderson, product marketing director of Webroot, said in a press email. "Hackers and criminals weaponize the simple act of clicking and employ basic psychological tricks to inspire urgent action. It is vital that consumers educate themselves on how to protect both their personal and financial data and what steps to take if their information is compromised or stolen."

To remain vigilant against phishing attacks, the report recommended employees maintain strong and unique passwords, keep software and systems up to date, back up data and files to the cloud, and remain wary of emails. 

Further, if you're a G Suite administrator, there are a few things you can do to review and secure accounts once you're notified that Gmail has detected the delivery of a phishing email, as explained in How to respond to phishing emails: 6 steps for G Suite admins.

Also see 

phishing.jpg