1 in 5 Fails Pre-informed Phishing Email Test


The Canada Revenue Agency (CRA) suffered a painful privacy breach in 2014 that leaked confidential details, including taxpayers’ home addresses, and forced it to delay the tax-filing deadline. Its network was exposed to a security bug that allowed unauthorized people to access a supposedly protected system. Naturally, reassessing and strengthening its security has since been a priority.

The First Big Test
The agency’s security and internal-affairs division put 16,000 employees to the test by sending them a phishing e-mail modelled on the most common tricks. Keep in mind that the employees were informed ahead of time that this test would take place. About 22% still weren’t able to dodge the plot. That’s about 1 in 5 people who can jeopardize the rest, and all it takes is that one innocent click.
Here is an example of a phishing email we found from one of our clients last month.

Phishing covers messages that attempt to con you into revealing sensitive information by tricking you into clicking a link to a website or opening an attachment. Most of us are well aware of how it works and that it can compromise your personal information for identity theft, provide access to your money, or, much worse, put your whole network in danger by letting malicious software nest in.

But some phishing messages are genuinely difficult to tell apart from the real thing: they use real-looking logos or personal information such as your name or your company’s, and include links that appear to connect to other devices such as a fax or printer. The message may appear to come from someone you know, such as a friend or colleague. Criminals can also set up a fake email account under the name of an actual employee to make it even trickier.

Do you think you can outsmart Internet Scammers? Can you tell the difference between a fake and the real thing?

[Image: sample PayPal phishing email, question 1 of the Dell phishing IQ test]
(Resource: Dell phishing IQ test)

The best defence against the phishing scam is, of course, to not fall for the scam! But how do we recognize phishing email messages or links?

  • Watch out for misspellings and grammar mistakes in the message or the hyperlink.
  • Hover over the hyperlink before clicking on it to check on the URL. But watch out! This, too, can be faked.
  • Make sure to check on all of the links.
  • Watch out for poorly written instructions, especially the ones with some sense of urgency or threats.
  • When in doubt, make the call yourself to check the legitimacy.
  • Don’t let your curiosity fool you. Avoid anything you wouldn’t do in real life.
  • Make sure your system and network protection is up to date, and use encryption.

Now let’s see how well you recognized the fraud.

  1. You may have been fooled as the email uses your name – “Jane Doe” here. Phishers are doing this more and more, so just having your name isn’t good enough anymore.
  2. The word “credit” is misspelled.
  3. PayPal does provide instructions such as this in their emails – but these are a poor imitation and not very helpful.
  4. This is most likely taking you to a fake webpage to capture your username and password – PayPal emails such as this normally do not include links to log in. If they do include links, they are cut-and-paste links you can copy to your browser.
  5. The website you are actually going to is: com-stz.info. Also, PayPal is misspelled: us.payapl.
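The two link checks described above (hover to compare the displayed address with the real destination, and notice a misspelled brand tucked into a subdomain of some other domain) can be automated. The script below is an added example, not part of the original post: it assumes a constructed email body modelled on the PayPal sample, and its `registrable_domain` helper simply takes the last two labels of a host rather than consulting the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Brands expected only on their own registrable domain (constructed list for the example).
BRAND_DOMAINS = {"paypal": "paypal.com"}
# Simple anchor matcher; good enough for the example, a real scanner should use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Last two labels of a host, e.g. 'us.payapl.com-stz.info' -> 'com-stz.info'.
    Simplification: real code should consult the Public Suffix List (e.g. for .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _near_miss(brand: str, host: str) -> bool:
    """Catch transposed-letter lookalikes such as 'payapl' for 'paypal'."""
    return any(sorted(lbl) == sorted(brand) and lbl != brand for lbl in host.lower().split("."))


def check_link(href: str, text: str) -> list:
    """Return reasons a link looks suspicious; an empty list means nothing was flagged."""
    host = urlparse(href).hostname or ""
    target, shown, reasons = registrable_domain(host), text.strip(), []
    # 1. The "hover" check: visible text is a URL whose domain differs from the real destination.
    if "." in shown and " " not in shown:
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if shown_host and registrable_domain(shown_host) != target:
            reasons.append(f"displays {shown_host} but actually goes to {target}")
    # 2. A brand name, or a misspelling of it, sits inside some other registrable domain.
    for brand, real in BRAND_DOMAINS.items():
        if target != real and (brand in host or _near_miss(brand, host)):
            reasons.append(f"'{brand}' lookalike in host {host}; real destination is {target}")
    return reasons


def scan_email_html(html: str) -> dict:
    """Map every link's href to the list of reasons it was flagged."""
    return {href: check_link(href, re.sub(r"<[^>]+>", "", text))
            for href, text in ANCHOR_RE.findall(html)}


# Constructed sample modelled on the page's example: visible text says paypal.com, the real
# destination is com-stz.info, and the subdomain misspells PayPal as "payapl".
SAMPLE = ('<p>Please <a href="http://us.payapl.com-stz.info/login">https://www.paypal.com/</a> '
          'to restore access.</p><a href="https://www.paypal.com/help">Help Center</a>')

if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE).items():
        print(href, "->", reasons or "ok")
```

The genuine help link comes back clean, while the login link is flagged twice: once because the displayed paypal.com does not match the real destination com-stz.info, and once because of the "payapl" misspelling in the subdomain.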