From the most basic ‘you’ve won a prize’ scams to the most advanced espionage campaigns, attacks targeting our inboxes are successful again and again.
There’s a reason cyber criminals and hackers continue to send millions of phishing emails.
Because, no matter whether you’re working from the office or working remotely from home, email still plays a vital part in our working day. Sure, there’s now a place for Slack, or Zoom, or Microsoft Teams, or whatever overlay of productivity software you are expected to use.
But for most people, getting stuff done still comes down to email.
The strengths of email: anyone can email you, and add all sorts of attachments. The weaknesses of email: anyone can email you, and add all sorts of attachments. So, while email is one of the most powerful productivity tools around, it’s also a big source of risk.
Most of us are still dealing with email overload (now we also have overload via all those other communications tools, too). Many of you will still be looking at — and trying to respond to — hundreds of messages from colleagues, clients, or anyone else you do business with, every day.
But how closely do you actually look at those emails, and are they really from the people they claim to be from?
Cyber criminals know that our time is tight and that we won’t have a chance to carefully analyse every message that reaches our inbox — one of the reasons why phishing is still so successful.
Criminals are using this technique for all manner of malicious campaigns, whether that’s tricking us into clicking fake — but persuasive — links that ask us to enter our username and password, convincing us to make urgent financial transfers, or duping us into downloading malware or ransomware from malicious attachments. It’s clear that phishing continues to be an effective weapon in the hackers’ cyber arsenal.
Some scoff at how phishing emails are still such an effective attack tool; sometimes they outright blame the victim for opening the spam email and following the instructions — but blaming the victim is wrong.
For a start, if antivirus software and spam filters were deployed and configured correctly, there would be far less chance of malicious emails landing in people’s corporate inboxes in the first place — and fixing that is a technology concern, not a people problem.
But it’s also become incredibly difficult for us to separate spam emails from everything else that lands in our inboxes, especially when so many of those emails relate to office admin — and cyber crooks know that’s the case.
According to security awareness and phishing training provider KnowBe4, some of the most common subject lines used in phishing emails during the last year were messages related to IT software updates, messages from HR about performance, and messages that claim your boss has sent a link to join a meeting.
Many of us are used to seeing and clicking on emails like this every single day, as they’re part of how we do our jobs — if you get an email that says it’s from your boss about an unexpected meeting, that’s likely to send you into a panic so you’ll click through.
With messages that claim to be about software updates and security patches, users are often simply trying to do the right thing — but by doing what was asked and thinking they’re helping to protect their computer from cyberattacks, they’re accidentally encouraging one instead.
Yet while it’s possible to provide staff with phishing training, that training needs to be effective — and one multiple choice quiz a year isn’t going to cut it. Neither will ‘gotcha’-style phishing tests, where fake phishing emails are designed to be indistinguishable from the real emails staff receive every day.
It’s unlikely that phishing attacks will ever be outright stopped — at least not any time soon — but there are steps that organizations and individuals can take to help ensure they’re as protected against them as possible.
For starters, if you’re uncertain about something, don’t immediately click on it — if the email claims to be from a colleague, use a channel that isn’t email to ask them if they sent it. If it’s an email demanding that urgent action needs to be taken because of an issue with your account, don’t click the link in the email, but instead log in to the account via the official URL — if something is wrong, it will tell you there.
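The advice above to ignore the link in the email and go to the official URL instead can also be applied mechanically on the defender's side. The following is an added example, not code from the ZDNet column: it pulls the links out of a message body and flags any whose hostname is not on an allow-list of official hosts for the service the message claims to be about. The service name, the allow-list entries and the sample message are constructed, hypothetical values.

```python
"""Added example: flag links whose host is not the official site for the
service an email claims to be about. All domains here are hypothetical."""
import re
from urllib.parse import urlparse

# Assumed allow-list of official hosts per service (hypothetical values).
# In a real deployment this would come from the organisation's own records.
OFFICIAL_HOSTS = {
    "examplebank": {
        "examplebank.com",
        "www.examplebank.com",
        "login.examplebank.com",
    },
}

# Matches http(s) URLs up to the next whitespace or closing delimiter.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def host_is_official(url: str, service: str) -> bool:
    """True only if the URL's hostname is exactly one of the official hosts.

    urlparse().hostname strips any userinfo ("user@") and port, so a link
    such as https://examplebank.com@evil.example/ resolves to evil.example,
    and a host like examplebank.com.evil.example is not an exact match.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host in OFFICIAL_HOSTS.get(service, set())


def suspicious_links(body: str, service: str) -> list[str]:
    """Return every URL in the body whose host is not official for service."""
    found = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;")  # drop sentence punctuation glued to the link
        if not host_is_official(url, service):
            found.append(url)
    return found


# Constructed sample message, not a real phishing email.
SAMPLE_EMAIL = """Constructed sample, not a real message.
Urgent: verify your account at https://examplebank.com.account-verify.example/login
or use https://examplebank.com@evil.example/secure today.
Official help: https://www.examplebank.com/help."""


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL, "examplebank"):
        print("not an official host:", link)
```

The check is deliberately an exact-match allow-list rather than a substring test: a substring test would accept both of the flagged links above, because the official domain appears inside them. Matching the full hostname is what makes "go to the official URL" enforceable in a filter rather than a habit.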
In addition, using multi-factor authentication can go a long way toward preventing the usernames and passwords of both corporate and personal accounts from being stolen — although it isn’t completely infallible against determined attackers.
Phishing attacks prey on human nature, and they prey on our hopes and our fears, which is why they work. Until we find a replacement for email itself, they’re unlikely to go away.
ZDNET’S MONDAY OPENER
ZDNet’s Monday Opener is our opening take on the week in tech, written by members of our editorial team.