Too quick to click: New Zealanders falling for phishing emails

New insights from CCL reveal that a significant number of New Zealanders are still falling for phishing email scams, due in part to impulsive email behaviour.

Every week, CCL’s security awareness service sends emails that look like phishing scams to thousands of employees working in organisations around New Zealand.

According to the company, the service is currently registering a phishing success rate of 20-30% among participating employees presented with their first phishing email.

CCL head of security, Tim Sewell, says analysis shows that while people in all job roles fell victim to phishing attacks, certain personality types, especially Type-A personalities often found working in sales and leadership roles, appear more inclined to click duplicitous links and attachments. However, he highlights that personality type isn’t the only factor to determine susceptibility.

Sewell says, “Personal workloads, stress, timing and context also influence the success rates of phishing attacks. For example, receiving a phishing email that looks like a courier company when you’re expecting to receive a parcel - bingo.”

Sewell says it is crucial to find solutions, such as education or multi-factor authentication (MFA), due to the fact that cyber criminals are becoming more prolific and sophisticated, launching scams from previously compromised email accounts and impersonating trusted providers, such as Microsoft Office 365, Amazon, Google, even the IRD and NZ Post.

He says, “More people are working in the cloud and using browser-based logins to access services. As this behaviour becomes routine, people tend to let their guard down, providing an easy in for fraudsters to steal user login credentials.”

A report published by cloud security firm Avanan shows one in every 99 emails is a phishing attack, using malicious links and attachments as the main vector.

Closer to home, CERT NZ figures show the number of malware reports from Kiwi organisations more than doubled to 43 in the three months ended 31 December.

Phishing campaigns containing malware and targeting business customers of some New Zealand banks contributed to the increase.

According to Sewell, education can reduce the number of employees who click on phishing emails. He says CCL’s training and education programme has reduced phishing success rates to around 5%, with trained employees now regularly reporting phishing scams, thus becoming part of the solution.

Sewell says MFA can also reduce credential theft, which is one of the main objectives of phishing attacks, by requiring users to authenticate themselves to a website by another method in addition to the standard username and password login procedure.

However, according to Sewell, the additional cost of MFA and the inconvenience to users are barriers to adopting this solution.

He says, “That’s a big problem, because once the bad guys have captured a user’s credentials their behaviour goes largely unnoticed - because there isn’t anything to trigger a security alert.

“That gives the crims time to watch and learn, email customers with revised payment details, send out mocked-up invoices, gain the trust of contacts linked to the compromised email account, and reply to existing emails.”

Regular friendly phishing exercises, multi-factor authentication, and anti-phishing technology were essential steps in the current cybersecurity landscape - though tweaking existing policies in some cases was the fastest way to bolster defences, Sewell says.

“For example, financial policies should ensure requests to change payment details are authorised and properly validated, without relying on email. Don’t accept emails as authorisation of payment method. And if someone keeps taking the phishing bait, maybe they’re in the wrong job,” he says.