Sophos Cloud Optix
Pfft! Phishing – so old-school.
Well, sorry to say, but it’s not yet time to feel smug about being able to successfully spot a phishing scam.
In fact, a new study from Google and the University of California, San Diego, finds that there are some phishing sites that are so convincing, they work on an eye-popping 45% of visitors.
Granted, those sites are the true masterpieces of phishing. But Google says that, taken together, all fake sites on average convinced people to submit their information 14% of the time.
Even the most glaringly fake sites still managed to deceive 3% of people, the researchers found.
3% might not sound like a worrisome number, but it’s got more weight than appearances would lead you to believe, given that an attacker who takes over gullible people’s accounts can use them to not only bilk the initial victim, but also to shake out contact lists for additional new scamming victims.
As Google says, even the most obviously fake scammers can send out millions of messages, so small success rates are nothing to sneeze at.
The researchers found that once phishers managed to get access to login details, they don’t waste time getting into the account and milking it for all it’s worth. Google says that about 20% of hijacked accounts are accessed within 30 minutes of the information having been handed over.
Once they’re in, hijackers spend more than 20 minutes inside, often changing the password to lock out the true owner, searching for other details such as information about bank accounts or social media accounts, and scamming new victims.
Posing as the account holder, they send phishing emails to everyone in that person’s address book.
Those emails, sent to family and friends, can be very effective, Google says, given that the email looks like it’s coming from the account holder.
In fact, people in the contact list of hijacked accounts are 36 times more likely to be hijacked themselves, research found.
Google’s found that scammers learn fast, quickly changing their tactics to adapt to new security measures.
Elie Bursztein, Anti-Abuse Research Lead, said that one example is when Google started asking people to answer questions, such as “which city do you login from most often?” when logging in from a suspicious location or device.
Account hijackers were on that “almost immediately”, Bursztein said, and quickly started phishing for the answers.
The Google study is just one of many that look at how successful phishing still is, in spite of it being an old-hat scamming technique.
For example, in the spring, a study came out from a mixed group of computer scientists and psychologists at the University of Alabama at Birmingham, finding that despite a significant increase in brain activity related to problem solving and decision making when spotting fake sites, we’re still pretty bad at it, averaging just a 60% accuracy rate.
Old dogs, new tricks
One thing that’s good to keep in mind is that while many of us think of phishing as old school, scammers are still working at new methods to trip us up. One such, spotted by Sophos Labs last year, involved a PayPal login page that was being spammed as an HTML attachment (nothing new there).
But as Principal Virus Researcher Fraser Howard explained, in this case the HTML forms within the page all referenced legitimate PayPal servers.
How was the attacker harvesting phished info? Closer inspection revealed a cunning method of ex-filtrating the user data.
To keep from falling into the ever-evolving, sticky-as-ever traps set for us, Google recommends these precautions:
- Stay vigilant: Regardless of how many spam and phishing emails get blocked by the email provider, we should all still be wary of messages asking for login information or other personal data. Resist the urge to reply, and instead report the messages to your email provider. If in doubt, visit websites directly (not through a link in an email) to review or update account information.
- Get your account back fast: If your account is ever at risk, it’s important that your email provider has a way to get in touch with you and confirm your ownership. Google strongly recommends providing a backup phone number or a secondary email address (but make sure that the backup email account uses a strong password and is kept up to date so it’s not released due to inactivity, such as was happening when Yahoo decided to give away dormant accounts last year).
- 2-step verification: Many email providers now provide free 2-step verification service – sometimes known as two-factor authentication – to provide an extra layer of security against all types of account hijacking. In addition to a password, you’ll often be required to use your phone to prove you’re really you. Google also recently added an option to log in with a physical USB device..
We have guides to setting up two-step verification on Gmail, Yahoo Mail and Outlook.com, as well as a general guide to securing your webmail.
Paul Ducklin has written several articles on the anatomy of a phish that dissect common phishing scams to help you spot them in their various guises.
Image of hook courtesy of Shutterstock. Phishing stats image taken from Google’s infographic depicting the results of the study.
A problem is that Apple mail does not allow 2 step verification with Gmail, which it freely admits.
If you use mail client apps which don’t directly support 2fa, you can still enable it but will need to generate a one-off special code for your mail app, in this case Apple Mail, which you then use in place of your usual password (see the App passwords” section of the Google account security settings).
Admittedly this is not as good as using a fresh code each time, but it makes it much harder for phishers – they’d have to trick you into generating and handing over an app-specific code for them to use (as the one you already have set up should be tied to the specific device you set it up on).
Slow but sure. Just discovered this. Thank you!!
It’s the PICNIC virus again…
Problem In Chair Not In Computer.