Humans still the weakest link as phishing gets smarter and more focused

The latest figures from the Anti-Phishing Working Group (APWG) show a distinct decline in the numbers of phishing sites reported to it, and in the number of separate brands targeted.

A survey compiled by Verizon, on the other hand, implies that almost all incidents of cyber espionage reported in the last year included some phishing component.

An academic study into human susceptibility to phishing has found that 92% of people misclassify phishing emails, despite efforts to educate people about the dangers.

Put together, this seems to confirm a general feeling that phishing attacks are becoming less scatter-gun, focusing more on specific targets, with more care and attention put into making them more enticing, more believable and harder to spot.

The APWG quarterly report, covering the first three months of 2013 but only released earlier this week, found that phishing attack dropped 20% between January and March, with February figures the lowest since October 2011.

The number of brands targeted is also down on the previous quarter, although 2012 numbers were considered exceptionally high.

As the stats are based on phishing pages and incidents reported to the APWG by the public, it’s not clear if the drop in numbers is down to a real drop in actual attacks, or simply due to them becoming harder for people to spot, leading to fewer reports.

Ihab Shraim, CISO at news behemoth Thomson Reuters and quoted in the APWG report, talks about the trends in a way that supports both explanations:

These changes are likely due to a shift to more advanced and targeted techniques for credential theft including malware and stealthier spear phishing.

Phishing has been around for years now, with a fairly well-known set of targets, tricks and tell-tale signs, but we still see new techniques emerging, making the smarter scams harder for both machines and humans to detect.

Spear-phishing of highly focused targets has been the driving force behind a number of major compromises lately, from high-profile hacktivism like the recent Viber heist to more stealthy targeted penetrations.

Educating users to keep a wary eye out for phishing attempts has been a major focus for security admins and providers, but it seems like the bad guys are managing to keep ahead of the curve.

Academics at North Carolina State University have been looking into the characteristics of people who fall for phishes, combining personality studies with experiments using swathes of legitimate and phishing emails.

They found that confidence is high, with 89% thinking they can spot the dodgy messages, but 92% didn’t get it right every time, with 52% getting it wrong more than half the time and 54% having at least one false positive incident, trashing a real email in the belief that it was a scam.

They also found that people who thought of themselves as “less trusting, introverts, or less open to new experiences” threw out more genuine mails, while women were less adept than men at spotting phishing messages.

The researchers, whose work is part-funded by the beleaguered NSA, suggest that as the human mind is the main issue, education remains the most important weapon in the battle against the phishers.

The team is working towards a system of teaching which will effectively prepare people to avoid being tricked.

While technical countermeasures such as improvements in secure browsing will play a part, as will making sure the bad guys are brought to book wherever possible, it’s clear that the psychological battleground is vital.

Phishing has come a long way from the old days when simply keeping an eye out for dodgy grammar and sloppy spelling was enough. Education techniques clearly need to evolve to keep pace with the growing sophistication of phishing scams.

A major difficulty is the tendency to focus on specifics; any list of tell-tale signs is likely to date quickly, as techniques evolve and old mistakes are learnt from.

The main thing is to maintain a skeptical disposition. Social engineering relies on leveraging the most potent human emotions, its main weapons being sex, greed, fear and other basic urges. These can only be combated by logic, clear thinking and good sense.

So next time you see an unexpected message asking for your login info or other sensitive data, stop a moment. Take a few deep breaths, and have a good look around.

Ask yourself a few key questions: Am I sure I am where I think I am? How exactly did I get here? Do I really need to provide this info? What could possibly happen if this info got into the wrong hands? Am I being hurried into something I wouldn’t normally do?

You may find that simply stepping back and looking at things with a cool head will keep you from blundering into danger.