In a study conducted by TNS Global for Halon, an email security service, 30 percent of those surveyed admitted they would open an email, even if they were aware that it contained a virus or was otherwise suspicious.
The study included only 1000 adults within the U.S., so this isn't a national index by any means. But of those surveyed, one in 11 admitted to having infected their system after they opened a malicious email attachment. Given the fact that email is still an easy way for attackers to gain access to the network, often via social engineering (phishing/spear phishing), the survey's results are somewhat alarming.
The reasons given for opening the messages are telling: For women, the survey marked invitations from social networks as the most alluring lure, while men were tempted by messages with the time-tested suggestions of money, power, and sex. Most commonly, the malicious messages claimed to be from banking institutions (15.9 percent), social media sites like Facebook or Twitter (15.2 percent), and online payment services, like PayPal (12.8 percent).
According to the stats from the Anti-Phishing Working Group (APWG), in its first-quarter 2013 report, there were more than 74,000 unique phishing campaigns discovered during the reporting period, leveraging over 110,000 hijacked domains and targeting more than 1100 brands.
Based on the data reported by the APWG and various security vendors, phishing kits are rather inexpensive, and the time needed to develop a workable campaign is rarely longer than a few hours. So the numbers mean that the attack surface is large and the pool of potential victims is deep. Combine this with the 30 percent of respondents who said they would open such a message anyway, and the criminals behind these campaigns are more than likely pleased with their return on investment.
Phishing at work
Still, Halon's study is focused on the consumer, so how do these figures translate to the corporate world? The simple answer is directly, because users who open malicious attachments at home are often the ones who do so at the office too.
To be sure though, CSO contacted two experts on the topic of social engineering: Chris Hadnagy, the President and CEO of Social-Engineer, Inc.; and David Kennedy, the creator of the Social Engineer Toolkit and the founder of TrustedSec. We asked them a few questions about what they do and their opinions about the Halon study.
"It is important to remember that as an attacker, often, all I need is one person with a vulnerable browser or software or client and that can give me access to click. So from an attacker's perspective, a 30 percent success rate is a great number for broad attacks," Hadnagy said.