Phishing, To Most American Workers, Is Just A Misspelled Word - InformationWeek


Phishing, To Most American Workers, Is Just A Misspelled Word

Only one-third of American workers surveyed say they've heard of phishing, with a mere 4% confessing they've clicked through to a phishing Web site. But 45% of their bosses contend workers do click through after receiving phishing E-mail.

American workers seem clueless about the dangers of phishing. But their bosses show signs of anxiety over the E-mail scam.

Forty-five percent of IT decision-makers surveyed by Websense Inc. say their employees have clicked through a link to a phishing Web site at work. Only 4% of employees surveyed by the employee Internet-management-systems provider fessed up that they clicked through to a phishing site, a counterfeit destination that mimics a real site and aims to steal confidential information.

This discrepancy might suggest that employees have a difficult time deciphering whether a Web site accessed via a link in an E-mail or instant message is legitimate or spoofed--a fraudulent Web site that appears to be authentic, said Dan Hubbard, senior director of security and technology research and head of Websense Security Labs, in a statement accompanying the report, which was issued this week.

"Phishers are becoming more sophisticated in their deception techniques to lure employees to spoofed Web sites, as most employees cannot determine which is a valid site and which is a fake," Hubbard said. "Employees don't have to fall for the phish and actually enter confidential information on a phishing Web site to be compromised. By simply clicking on a phishing URL, the site can install spyware, such as a malicious keylogger, on the employee's computer, which has the ability to capture data such as network passwords or Social Security numbers without their knowledge."

It takes just one employee to click on a phishing site to unintentionally give out confidential business data, customer records, network passwords, or trade secrets, jeopardizing an entire company's intellectual property, says Brian Burke, research manager for security products at IT researcher IDC.

According to the Websense survey, conducted in February and March by pollster Harris Interactive, one-third of employees polled say they've heard of phishing. But 82% of IT decision-makers surveyed say their employees have received phishing attacks.

Though a relatively new phenomenon, phishing is seen by one-third of IT decision-makers as an important security problem. Most of these IT managers don't believe their companies are well protected from Internet security threats. Forty-three percent say their companies are only somewhat protected.

Six in 10 IT decision-makers say their companies block attachments transmitted by E-mail; 14% block HTML within E-mail. Nearly half say they block attachments transmitted by IM; one-quarter block HTML within IM. "HTML within E-mails is frequently left unblocked--leaving employees vulnerable to attack from phishers hungry for confidential personal and company data," Hubbard said.

How do surveyed IT managers educate themselves on phishing prevention? Forty-four percent turn to online media and 35% rely on security vendors.

Phishing, though a concern to IT decision-makers, isn't their biggest security anxiety. Two-thirds of IT managers picked spyware as the vulnerability causing security problems for their companies, followed by employee use of streaming media (42%), employee use of unlicensed or unsanctioned software (39%), and phishing attacks (32%).

Most companies do offer some form of Internet security training; 58% of IT decision-makers say their companies offer either an Internet security-awareness program, an Internet security-training program, or both. Smaller companies do less Internet security training than larger ones. Half of the respondents from companies of between 100 and 500 workers don't have any type of security-awareness or -training program, compared with 36% of companies with payrolls of 501 to 1,000, and 29% among organizations with 1,001 or more workers.

For the phishing trends report, part of Websense's annual Web@Work survey, Harris Interactive conducted online interviews between Feb. 21 and 28 with 354 American IT decision-makers who work for organizations with at least 100 employees. From Feb. 28 to March 21, Harris Interactive conducted telephone surveys of 500 American workers who have on-the-job Internet access and work for organizations with at least 100 employees.
