Phishing emails have been the first stage of some of the biggest hacks and data leaks of the last few years and groups behind these attacks continue to evolve new strategies.
In a talk at the Black Hat 2019 security conference Google security researcher Elie Bursztein and University of Florida professor Daniela Oliveira detailed why these social engineering attacks remain effective, even though they have been around for decades.
Gmail blocks more than 100 million phishing emails every day, and Google said 68% of the phishing emails blocked by Gmail each day are new variations.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
It said many of the campaigns targeting Gmail end-users and enterprise consumers only target a few dozen individuals; enterprise users are nearly five times more likely to be targeted than standard Gmail users. Education users are twice as likely to be targeted, government users three times more likely and non-profits are 3.8 times more likely to be hit with phishing than the average user.
While bulk phishing campaigns only last for 13 hours, more focused attacks are even more short lived – what Google terms as a ’boutique campaign’ – aimed at just a few individuals in a company – lasts just seven minutes. In half of phishing campaigns the email pretends to have come from the email provider, in a quarter it claims to be from a cloud services provider; after that it’s most likely masquerading as a message from a financial services company or ecommerce site.
The fraudsters and hackers are also up against pretty poor opposition; Google found that 45% of internet users don’t understand what phishing is or the risk associated with it.
As phishing gangs are adept at using psychological tricks (like urgency and the fear of missing out) to trick us into clicking, the failure of users to realise there is a threat is a significant problem. “This lack of awareness increases the risk of being phished and potentially hinders the adoption of 2-step verification,” Google warned.
MORE ON CYBERSECURITY