After phishing, the next variant is the 'spear-phishing'
attack, according to respected US security research group SANS
Institute, which recently organised a briefing for federal and
state security managers in the US.
Spear-phishing attacks are similar to regular phishing scams in
that they try to lure victims into sharing confidential data or
downloading Trojan horse programs. Yet they are far more targeted,
and their e-mails more customised than regular phishing
attacks.
User education and training are becoming more effective than
e-mail authentication technologies in alleviating the problem,
according to the Cambridge, Massachusetts-based Anti-Phishing
Working Group.
In a mock phishing scenario conducted between March and May,
spoofed e-mails were sent to about 10,000 employees across five
state agencies, trying to trick users into surrendering their
passwords. More than 75% of the recipients opened the e-mail, 17%
followed the link, and 15% attempted to enter their passwords.
However, in an exercise two months later, after users were
educated about the technique, only 8% of respondents opened the
e-mail.
Makes you wonder what you'd have to do to get that 8% closer to
zero.