With Canada’s long-anticipated anti-spam law about to come into force, one might think that the Canadian government and bureaucracy would be well up to speed on all manner of email and cybersecurity issues.
However, it seems that employees at the Department of Justice Canada are for the most part fairly easy to trick with phishing scams.
According to information dug out by Canada’s National Post, an in-house awareness test run late last year managed to persuade 1,850 of the department’s 5,000 staff to click on scammy links, a fail rate not far short of 40%.
Phishing is at the more devious end of the unwanted email spectrum. A lot of spam, certainly the kind of stuff anti-spam laws take aim at, tends to be fairly obvious in its intent – here’s a product or service you might want, come to us to buy it. Not much different from less pushy marketing really, and usually fairly easy to spot.
Some of the sites may not be as legitimate as one would hope, with a higher than average chance that the site may rip you off (or worse, try to push some malware on you), and that’s the main reason we advise people not to follow such links – that, and the hope that if people stop responding, the spammers will give up and stop pestering us via our inboxes.
Then there are the straight up scams, dominated of course by the “Hello dearest one” advance fee fraud-type trick, which tries to persuade us we’re going to get rich thanks to some mysterious prince/oil baron/long lost relative in Nigeria.
These are a little more tricksy, by design, trying to appeal to our avarice, but for the most part they are pretty easy to identify, and they require quite some effort on the victim's part before any cash is actually lost.
Phishing combines the worst of both. Mails are often glossy and official-looking, ripping off styling and images from the real services they are trying to impersonate, using look-alike URLs and occasionally even managing to get their spelling and syntax reasonably correct.
Once you’ve bought into the hook of the phish, often a warning that an account is expiring or has been breached to give you a sense of urgency, it’s very easy to follow the link and fill in your details, into a form which usually closely mirrors the real thing.
Then you’re done – the phisher has what they came for, and will quickly start taking advantage of the login data you’ve given them.
So it’s important to be able to pick these things out, and it seems like we’re still very bad at it. Study after study shows how vulnerable we are to social engineering tricks, despite years of effort to persuade us to keep an eye out for danger.
Education is important in this, and it seems to provide at least some added security. In the Justice Canada case, subsequent reruns of the test found considerable improvements, with the click-through rate falling by half.
This is not unexpected, as those hit the first time around will doubtless have had quite a shock at finding they’d been tricked, making them more wary in future.
But ideally we shouldn’t have to keep on demonstrating to people how easily they can be tricked. There is a strong case for improved education, in businesses and for home users too, and tests like this are a good part of that education process, as well as a way of tracking its success rate, but they should not be the whole of it.
There’s a burden on us all to wake up and start paying a little more attention to the world around us. Phishing is not a new problem, it’s been with us so long that a few years ago many in the security world began to think of it as a rather quaint and outmoded technique.
It’s enjoyed something of a renaissance of late, as the go-to penetration vector for breaching corporate networks, whether for financial gain or hacktivism, as repeatedly demonstrated by the Syrian Electronic Army.
So it’s something we should all be on the lookout for, exercising caution whenever we glance through an unexpected email.
Some of us, poor jaded paranoiacs, get a phishy feeling whenever something unanticipated arrives and fails to satisfy the requirements of accurate personalisation (and proper grammar).
It’s a bit of a shame that email can no longer be trusted, but it’s become a fact of life that we all need to absorb.
This especially applies to anyone trying to send official or important information via mail – if you have to use this vector, expect your recipients to treat you with distrust, and do everything you can to make your mails as unphishy as possible.
That means not including links to your login pages, as well as avoiding “calls to action” and other means of prodding people into doing something. Find better ways of getting your message across which don’t put people in danger.
From a user perspective, one simple step which can help is the use of a quality password manager. These fill your details in for you when you visit a site you’ve set up a login for, and they decide which site you are on by matching the exact address stored with the login, not by how the page looks; when you land on a faked site, the manager should fail to recognise it and simply not fill in the password for you.
As you no longer need to know your passwords if they’re stored in a manager, you can’t be tricked into typing it in without an extra step of looking it up, giving you a bit more time to realise you could be making a mistake. Not totally foolproof, but every little helps.
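To show why that matching is a phishing check in its own right, here is an added example (not code from the article, nor from any real password manager) of the rule a manager applies: fill only on an exact, canonicalised origin match. Alongside it is the "brand name appears somewhere in the address" rule that human eyes tend to apply, and a separate heuristic that names the stored site a look-alike address seems to imitate, covering the look-alike URL tricks mentioned earlier (brand hosts buried inside longer names, user-info tricks, and swapped or Cyrillic characters). The vault contents, the example.com/bank.example logins and the confusable-character table are constructed sample data.

```python
"""Password-manager style origin matching versus look-alike phishing URLs.
Added example with constructed sample data; not any real product's code."""
from urllib.parse import urlsplit

# Constructed sample vault (assumption): canonical origin -> username.
VAULT = {
    "https://login.example.com": "alice",
    "https://bank.example": "alice",
}

# Characters phishers swap for look-alikes. A small illustrative table,
# not a complete Unicode confusables list.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0443": "y",   # Cyrillic р с у
})


def host_of(url):
    """Lowercased hostname from an http(s) URL, or None if there isn't one."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()


def canonical_origin(url):
    """scheme://host[:port] with the host in IDNA (punycode) form, so a
    Cyrillic 'а' can never compare equal to a stored ASCII origin."""
    host = host_of(url)
    if host is None:
        return None
    parts = urlsplit(url.strip())
    try:
        host = host.encode("idna").decode("ascii")
        port = parts.port
    except (UnicodeError, ValueError):
        return None
    default = {"http": 80, "https": 443}[parts.scheme]
    if port and port != default:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def autofill(url, vault=VAULT):
    """What a good manager does: return the stored username only on an exact
    origin match. A look-alike site gets None, i.e. nothing is filled in."""
    origin = canonical_origin(url)
    return vault.get(origin) if origin else None


def naive_match(url, vault=VAULT):
    """What a human eye does: spot the brand name anywhere in the address.
    Kept only to show why that is the wrong rule."""
    for origin, user in vault.items():
        brand = host_of(origin).split(".")[-2]      # 'example', 'bank'
        if brand in url.lower():
            return user
    return None


def skeleton(host):
    """Fold confusable characters so 'exarnple' and 'examp1e' read 'example'."""
    return host.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def lookalike_of(url, vault=VAULT):
    """Heuristic warning only, never the fill decision: name the stored host
    this URL seems to imitate, or None if it is genuine or unrelated."""
    host = host_of(url)
    if host is None:
        return None
    stored_hosts = [host_of(o) for o in vault]
    if host in stored_hosts or any(host.endswith("." + s) for s in stored_hosts):
        return None                      # the real site, or a subdomain of it
    text = url.strip().lower()
    for stored in stored_hosts:
        # Brand host somewhere in the address but not as the real host:
        # login.example.com.evil.test, login.example.com@evil.test,
        # evil.test/login.example.com
        if stored in text:
            return stored
        # Swapped characters: login.examp1e.com, login.exarnple.com, Cyrillic 'а'
        if skeleton(host) == skeleton(stored):
            return stored
    return None


if __name__ == "__main__":
    for u in ("https://login.example.com/signin", "https://login.example.com.evil.test/",
              "https://login.examp1e.com/", "https://login.example.com@evil.test/"):
        print(f"{u:45} fill={autofill(u)!s:5} naive={naive_match(u)!s:5} "
              f"lookalike_of={lookalike_of(u)}")
```

Note the asymmetry: `autofill` is deliberately strict (scheme, host and port must all match, and the host is compared in punycode form), so an `http://` copy of the login page or a lookalike domain gets nothing, while `lookalike_of` is a loose heuristic suitable only for showing a warning, since it will also trip on innocent addresses that happen to contain a stored hostname in the path.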