Google study: phishing attacks work 45% of the time

A new Google study into ‘manual hijacking’ – in which cyber criminals spend time and effort exploiting individual victims’ accounts, often having accessed them through phishing attacks – has come up with some troubling statistics about the effectiveness of phishing as a means of accessing personal information.

Successful phishing attacks rely on tricking users into handing over their personal details, usually by getting them to click on links to malicious websites that masquerade as legitimate.

The study found that phishing-driven fake websites work “a whopping 45% of the time” and, on average, visitors to fake pages submitted their data 14% of the time. More troubling still, 3% of people were deceived by the dodgy websites even when they were obviously fake.

Manual hijacking is relatively rare – with nine incidents per million users per day – but has severe consequences, often causing financial losses. Approximately 20% of hijacked accounts are accessed within half an hour of a hacker getting the log-in information.

Once they have access to your account, hackers will change the password “to delay account recovery in order to increase the chances of successful exploitation”, and then spend more than 20 minutes on average searching for other account details to exploit. They will then send phishing emails to everyone in your address book, hoping to repeat the process with your friends and your friends’ friends. People in the address book of hijacked accounts are 36 times more likely to be hijacked themselves – after all, you’re less likely to suspect an email from someone you know. It’s antisocial networking in action.

How can you avoid falling victim to a phishing attack?

First, remain vigilant. Check all links before following them, even if they seem to come from your friends. If in doubt, don’t click. (It’s also a courtesy to tell your friend that their account has been hacked – they might not know.) Be especially wary of emails asking for any account details, log-in information or personal data. If in doubt, visit the relevant website directly, not via a link, and check your account.

Second, be sure of your own security. If you suspect you’ve been hacked, change your passwords and report the incident to the website or service. Enable two-step verification on your accounts if possible and ensure you do not reuse your passwords.

Phishing in the workplace

Phishing attacks don’t just take over personal accounts. Hackers are also interested in exploitable corporate information. If you’re concerned about your employees’ susceptibility to a phishing attack, you might be interested in IT Governance’s Employee Phishing Vulnerability Assessment. It will identify potential vulnerabilities amongst your employees and provide recommendations to improve your security, enabling you to have a broad understanding of how you are at risk, and what you need to do to address these risks. IT Governance are currently offering a partial Employee Phishing Vulnerability Assessment to customers who purchase the Combined Infrastructure and Web Application Penetration Test – Level 1 in November.