Report

Phishing Deceives the Masses: Lessons Learned from a Global Assessment

Table of Contents

Executive Summary (p. 3)
Phishing Preys on the Uninformed (p. 4)
Introducing the McAfee Phishing Quiz (p. 5)
Lessons Learned (p. 5)
Recommendations for Security Practitioners (p. 10)

Executive Summary

Organizations worldwide succumb to a constant barrage of cyberinfiltration attempts. The actors behind these efforts want information—personal, financial, or even intellectual property—and have shown no signs of slowing down. Our research shows that social engineering is the most effective way to exploit employees, most commonly through phishing emails that deliver malware or simply lead an unsuspecting user to divulge information. Part of the solution is to educate every connected worker on the tactics used in phishing attacks, so they are better prepared when a phishing email makes it to their inbox. Using an online quiz, we’re bringing attention to these tactics and are attempting to raise the skill level of anyone who takes it.
With over 50,000 respondents to date, we are able to both grasp the overall performance level of employees around the world when it comes to detecting phishing emails—and help give them a more astute view of the potential threats in their inbox. Several trends have emerged from this assessment. First, the vast majority of us will miss at least one phishing email, especially if it looks like it is coming from a legitimate and known email address. Unfortunately, we’re not all equal. Finance and HR departments around the world performed worse on this assessment than their counterparts, especially those in IT and R&D, who were consistently top performers. In this report, we’ll look at what caused respondents to struggle, and what can be done to prevent future attacks from occurring with a combination of education and technology.

Phishing Preys on the Uninformed

Phishing attacks exploit what is often the weakest link in cyberdefense—human behavior. Bypassing our best judgment can be as simple as creating urgency with a fake bank notice, or as complex as assuming the persona of a known business partner—all in an effort to steal information. Numerous high-profile breaches, such as the theft of credit card data from Target and the compromise of multiple celebrities’ Apple iCloud accounts, are purported to be the result of targeted spear phishing. Effectively, it has become easier for the bad guys to know their targets, where they work, what they are interested in, and more. All forms of digital media have accelerated this capability, especially social media. We base our decisions on trust: Did the email come from a party or organization I know and currently do business with? Does it contain an element of personalization that makes it appear legitimate? That is often enough to ensure a click. Take a look at some of the top brands used in phishing attacks these days, identified by McAfee® Labs:
- PayPal
- Amazon
- eBay
- Bank Of America
- HSBC

Would you click a link in an email that appears to come from one of these companies? Through research conducted by McAfee Labs, we have seen email phishing enable the vast majority of successful attacks in the wild. Verizon found similar evidence in their investigations this year: “80% of all espionage-motivated attacks used either a link or attachment in a phishing email to gain access to their victim’s environment.” [1]

On the front lines, there are often unsuspecting employees just trying to navigate the constant flow of email entering their inboxes. Phishing attacks have moved from the classic “Nigerian 419” scams of the past to targeted spear phishing messages that look no different on the surface than any other shipment notification, bank statement, or business solicitation you may receive from a legitimate party.

Technology can only solve part of the problem. Key to defending against sophisticated phishing attacks is employee education and the level of awareness they have about potential threats in their inboxes. Only education can raise awareness around recognizing malicious emails—but many organizations lack the tools and resources to roll out an effective educational program to their employees.

Introducing the McAfee Phishing Quiz

In an effort to build awareness around phishing and the tactics used to deceive victims of phishing attacks, McAfee—now a part of Intel® Security—developed an online phishing quiz in mid-2014. This quiz presents 10 real emails in replicated inboxes, asking respondents to determine whether each message is legitimate or a phishing attempt. At the time of this report, over 50,000 business users in 49 countries have completed the quiz. The ability to detect fraudulent email, as demonstrated by the results of this assessment, varies by country and, even more dramatically, by department of employment.
Key statistics from the quiz findings include:

- Only 6% of respondents worldwide were able to identify all emails as phishing or legit.
- 80% of all respondents fell for at least one phishing email.
- The average score around the world came in at a mediocre 65% correctly identified emails.
- IT and R&D teams performed the best—both at a 69% detection accuracy.
- HR and Finance departments performed the worst—both with a 60% detection accuracy.
- EMEA proved to be the most skilled, at an average of 67% correct. Both NA and LTAM averaged 66%. APAC respondents were the least skilled, with an average score of 61% correctly identified emails.

An overview of these findings can also be viewed in this infographic.

Lessons Learned

While the results of this assessment are telling, it is enlightening to look deeper at where respondents fell short in their ability to detect the legitimacy of a message. Figure 1 below shows the frequency with which each question was answered incorrectly. Several messages were notoriously more difficult than the others. In this section, we’ll explore why these emails were more difficult to identify, and what that means for strengthening business defenses against attacks which use similar (and numerous other) tactics.

[Figure 1: bar chart "Individual Question Failure Rate", y-axis "% Incorrect" (0% to 70%), x-axis Email 1 through Email 10; blue bars = legitimate email, red bars = phishing email. Caption: Overall failure rate for individual questions in the McAfee Phishing Quiz.]

Looking at the full range of questions, we see a mix of both accurate identification and overwhelming misidentification of emails by respondents overall. Notably, two emails which both used forged email addresses were the most difficult to detect as phishing (Emails 4 and 8, above).
We’ll dive deeper into those in the analysis below. Not exempt from misidentification were several legitimate emails, which highlight the difficulty in identifying the true nature of any email, whether legitimate or malicious, when sitting in an inbox. Let’s dive into the most missed questions to uncover the source of difficulty.

Email 1 of 10: LinkedIn (missed by 63% of respondents)

In a strange twist of fate, the single most-missed email was actually legitimate. This marketing message from LinkedIn asks the recipient to take action and “claim their free ads.” Claiming a free prize is a tactic many are familiar with in phishing or spam campaigns, which is likely the reason behind this email’s misidentification as a phishing email. Despite its harmless nature, the high rate of failure on this question further highlights the issue at hand—it is extremely difficult to detect the legitimacy of an email message in today’s technology landscape. Ambiguous messages like this only cloud the judgment of end users, as a fake message could easily follow the same template and lead to a malicious payload. We also recognize an inherent bias in the data regarding this question, as respondents were aware of the intention of the quiz as a phishing assessment, and were presented with this question first.

Email 4 of 10: eFax (missed by 49% of respondents)

No excuses here. This email is simply well-crafted, and it proved very difficult to detect any malicious intent. Business users may be familiar with the online service eFax, and even if they haven’t received a digital fax in their own professional lives, it is easy enough to place yourself in the shoes of someone who might. The relatively accurate branding and convincing layout in this email would fool most people at first glance.
Savvier users might look to the sender email address for validation that the email originates from a known party—and that it matches the brand in the body of the email. Unfortunately this wouldn’t help here, as the email address has been “spoofed” or forged to appear as if it came from the actual eFax domain. In many cases, using your cursor to hover over links in an email body would reveal the true destination of a URL, and give evidence of malicious activity if it does not match up with a known domain, or is random enough to raise suspicion. The malicious actors here, however, chose a fairly safe-sounding domain, “www.oegroup.com”, with minimal additions to the URL strings behind each link. While this doesn’t line up with eFax perfectly, it is close enough to be mistaken in a quick glance, which is all most employees give an email link—if they even check the destination URL at all.

So what can we learn from the high failure rate here? Reinforcing safe practices such as hovering over URLs (long-press on mobile devices) may be enough for some to avoid being tricked. All it takes is one employee clicking a link, however, to give the sender a chance to deliver their malware payload hidden in URL content. Instructing end users to never click on links in email is going to be a futile effort for most. Web security technology which scans HTML content for both known and zero-day malware, even from email links on mobile devices (which are often excluded from proxy-based scanning), is the most comprehensive resolution here. More on technology in the final section of this report.

Email 5 of 10: Venmo (missed by 43% of respondents)

Here we see a case of what is likely a high level of suspicion towards a new application, Venmo, and minimal evidence on which to base a decision of legitimacy.
With a proverbial flood of new online services and mobile applications coming to market, most technology users receive sign-up confirmation emails like this on a fairly regular basis. Cybercriminals are aware of this trend, and use similar short-format emails to trick recipients into clicking malicious links. In this case, the message was legitimate, displaying the Venmo domain in both the sender email address and the destination URL of the link. Educating users to long-press links within email on mobile devices can help avoid any unintentional web access, but in this case, they would have been safe.

Email 8 of 10: UPS (missed by 62% of respondents)

Most people have received a tracking email from UPS at some point in their life. The universal recognition of this brand and familiarity with package tracking play a large role in the high failure rate for this question—and also for those that fell for this phishing attack when it made the rounds on real business networks. The methods of disguise here were common but effective. First, the sender address was spoofed to appear as if it originated from the UPS.com domain. Several UPS branding elements were part of the message, including the official logo. Most interesting was the use of only one malicious URL in the entire email. The first URL directed the recipient to track the shipment—and actually sent you to the UPS package-tracking website. The second URL prompted a download of the “invoice,” and it indeed opened a file—but not one in the UPS domain. That link delivered the payload: malware wrapped in a .zip file. Phishing emails like this are notoriously difficult to stop before they enter a business network, and even more difficult to prevent action at the user level. A common takeaway in this report—hovering over links to reveal their true destination—may raise enough suspicion for an end user. But this attacker clearly knew better.
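The checks the report describes for Emails 4 and 8 (does the sender domain match the brand, where does each link really go, does any link serve an archive) can be automated so a mail filter or analyst script performs the "hover" on every link. The following is an added example, not code from the report or from McAfee; the message is constructed, and the look-alike domain, Return-Path and Authentication-Results values are invented for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the report's UPS example: spoofed From,
# one genuine tracking link and one "invoice" link that serves a .zip.
SAMPLE = """\
From: UPS Quantum View <auto-notify@ups.com>
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=ups.com
Subject: Your package has shipped
Content-Type: text/html

<html><body>
<a href="https://www.ups.com/track?tracknum=1Z999">Track your shipment</a>
<a href="http://www.oegroup.example/ups/invoice.zip">Download invoice</a>
</body></html>
"""

ARCHIVE_EXT = (".zip", ".rar", ".7z")

def analyze(raw: str, claimed_domain: str) -> list[str]:
    """Return human-readable findings for a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    # 1. Does the envelope/authentication picture support the visible From?
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if from_domain and rp_domain and from_domain != rp_domain:
        findings.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1) != "pass":
            findings.append(f"{mech} did not pass ({m.group(1) if m else 'absent'})")
    # 2. Do link destinations match the brand the message claims to be from?
    body = msg.get_payload(decode=True).decode(errors="replace")
    for href, text in re.findall(r'href="([^"]+)"[^>]*>([^<]*)<', body):
        host = urlparse(href).hostname or ""
        if not (host == claimed_domain or host.endswith("." + claimed_domain)):
            findings.append(f"link '{text.strip()}' goes to {host}, not {claimed_domain}")
        if urlparse(href).path.lower().endswith(ARCHIVE_EXT):
            findings.append(f"link '{text.strip()}' downloads an archive: {href}")
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE, "ups.com"):
        print("FLAG:", finding)
```

On the constructed sample the genuine tracking link passes silently while the invoice link is flagged twice (wrong host, archive download), alongside the failed SPF/DKIM/DMARC results and the Return-Path mismatch.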
What are the chances an employee would hover over not just the first link, but the second as well? Probably not very high. Taking into account the legitimacy of the first URL brings a level of trust strong enough to warrant clicking on the second without thinking twice. Even more worrisome is that this phishing email would have made it past most email filters, and some web-based malware detection, as the .zip file contained zero-day malware. While end-user education could divert the attack from a percentage of recipients, advanced malware detection technology for web traffic would have been needed to interrogate the .zip file download and uncover its zero-day payload.

Recommendations for Security Practitioners

Phishing is still heavily in use, and carries with it a high level of efficacy—leading the charge for most attacks we see in the wild. It is not an easy problem to address, requiring both technology and behavioral filters. To give readers a sense of our best practices, we offer a short checklist to help guide security initiatives.

Activity: Eliminate mass phishing campaigns.
Key technologies: Secure email gateway with sender IP, URL, file, and network reputations, antivirus (AV), and real-time block lists.

Activity: Reduce risk of cybercriminals being mistaken for trusted parties.
Key technologies: Secure email gateway with identity verification including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).

Activity: Detect and eliminate malicious attachments.
Key technologies: Secure email gateway combined with advanced malware protection for file reputation, AV, content emulation, sandboxing, and static code analysis.

Activity: Scan URLs in email when received, and again when clicked.
Key technologies: Secure email gateway with URL reputation, AV, content emulation, sandboxing, and static code analysis.
Activity: Scan web traffic for malware when phishing leads the user on a multi-click journey to infection.
Key technologies: Secure web gateway combined with advanced malware protection for URL reputation, AV, content emulation, sandboxing, and static code analysis.

Activity: Stop exfiltration in the event of a breach or user input.
Key technologies: Data loss prevention for endpoints, email traffic, and web traffic.

Activity: Educate users on best practices in detecting and acting upon suspicious emails.
Key technologies: Follow this link for a list of recommended tips for end users.

Interested in assessing the phishing detection capability of your own organization? Run the McAfee Phishing Quiz internally at no cost. Follow these simple steps:

1. Add a unique identifier of your choice (shown in red in the original) to the quiz URL:
   a. https://phishingquiz.mcafee.com/home/OrganizationName
   b. Test this URL in your browser to ensure it displays the quiz start page.
2. Send this URL to your employees, instructing them to take the quiz.
3. When employees have completed the quiz, contact [email protected] for your results.

For more information, visit www.mcafee.com/emailsecurity.

1. http://www.verizonenterprise.com/DBIR/2014/

McAfee. Part of Intel Security.
2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.intelsecurity.com

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2015 McAfee, Inc. 61996rpt_phishing-quiz-retrospective_0615