After phishing, the next variant is 'spear-phishing' attacks, according to respected US security research group SANS Institute, which recently organised a briefing for federal and state security managers in the US.
Spear-phishing attacks are similar to regular phishing scams in that they try to lure victims into sharing confidential data or downloading Trojan horse programs. Yet they are far more targeted, and their e-mails more customised than regular phishing attacks.
User education and training are becoming more effective than e-mail authentication technologies in alleviating the problem, according to the Cambridge, Massachusetts-based Anti-Phishing Working Group.
In a mock phishing scenario conducted between March and May, spoofed e-mails were sent to about 10,000 employees across five state agencies, trying to trick users into surrendering their passwords. More than 75% of the recipients opened the e-mail, 17% followed the link, and 15% attempted to enter their passwords.
However, in an exercise two months later, after users were educated about the technique, only 8% of respondents opened the e-mail.
Makes you wonder what you'd have to do to get that 8% closer to zero.