UK office workers swamped with phishing emails, study finds

UK office workers are being swamped with phishing emails, a study from training firm PhishMe has revealed

UK office workers are swamped with phishing emails, a study has revealed.

A poll of 1,000 office workers across the UK showed that nearly 60% of UK office workers receive phishing emails every day and 6% receive more than 10 a day.

Phishing emails try to trick the recipient into doing something risky by disguising malicious attachments or links in seemingly genuine content.

If the user does respond, then it could grant the hacker access to the corporate network to acquire sensitive information such as usernames, passwords or R&D information.

The study, commissioned by anti-phishing training firm PhishMe, shows how many phishing emails are successfully bypassing technical controls and end up in users’ inboxes.

Read more about phishing attacks

PhishMe’s experience of tracking the responses of more than 3.8 million users shows around 60% of people will fall for a phish if they have never been trained to recognise the signs.

“Nearly 60% of employees receive phishing emails every day, so clearly technical controls are failing to stop these messages as they pass through the system,” said Scott Greaux, vice-president of product management and services at PhishMe.

“They end up in users’ inboxes and, for many companies, it is purely down to luck if that employee responds,” he said.

Greaux said many users could click on a link or open an attachment and then carry on working, without being fully aware of the implications of their actions.

User education is essential in adding "human sensors" to an organisation’s security infrastructure to improve overall security, he said.

According to Greaux , effective training will ensure employees stop and think twice before believing every email they receive.

“For example, they will know to look at the underlying URL, not just the displayed text, to see where the link is actually going.

“They will look at email headers to try to understand if the email address has been spoofed. And they will use common sense – if something doesn’t seem true or is too good to be true, then they won’t automatically believe it,” Greaux said.

Other research has shown that Spear phishing attacks – attacks that target specific people at enterprises with the aim of gaining a foothold into the corporate network – are at the core of most targeted attacks

In an analysis of targeted attack data collected between February and September 2012, Trend Micro found 91% of targeted attacks involved spear phishing.

Read more on Security policy and user awareness