In a study conducted by TNS Global for Halon, an email security service, 30 percent of those surveyed admitted they would open an email, even if they were aware that it contained a virus or was otherwise suspicious. To be fair, the study only included 1,000 adults within the U.S., so this isn't a national index by any means.
Of those surveyed, one in eleven admitted to infecting their system after they opened a malicious email attachment. Given the fact that email is still an easy way for attackers to gain access to the network, often via social engineering (phishing/spear phishing), the survey's results are somewhat alarming.
The reasons given for accessing the messages are telling: For women, the survey results marked messages containing invites from social networks as the most alluring, while men were tempted by messages with the time-tested suggestions of money, power, and sex. More often than not, the malicious messages claimed to be from banking institutions (15.9 percent), social media sites like Facebook or Twitter (15.2 percent), and online payment services, like PayPal (12.8 percent).
According to the stats from the Anti-Phishing Working Group (APWG), in their Q1 2013 report, there were more than 74,000 unique phishing campaigns discovered during the reporting period, leveraging over 110,000 hijacked domains and targeting more than 1,100 brands.
Based on the data reported by the APWG and various security vendors, phishing kits are rather inexpensive and the time to develop a workable campaign is rarely longer than a few hours. So the aforementioned numbers mean that the attack surface is large, and the pool of potential victims is rather full. Combine this with a reported 30 percent success rate, and the criminals behind these campaigns are more than likely pleased with their ROI.
Still, Halon's study is focused on the consumer, so how do these figures translate to the corporate world? The simple answer is directly, because users who open malicious attachments at home are often the ones who do so at the office too.
To be sure though, CSO contacted two experts on the topic of Social Engineering: Chris Hadnagy, the President and CEO of Social-Engineer, Inc.; and David Kennedy, the creator of the Social Engineer Toolkit and the founder of TrustedSec. We asked them a few questions about what they do and their opinions about the Halon study.
"It is important to remember that as an attacker, often, all I need is one person with a vulnerable browser or software or client and that can give me access to click. So from an attacker's perspective, a 30 percent success rate is a great number for broad attacks," explained Hadnagy.