Phishing, To Most American Workers, Is Just A Misspelled Word - InformationWeek



Phishing, To Most American Workers, Is Just A Misspelled Word

Only one-third of American workers surveyed say they've heard of phishing, with a mere 4% confessing they've clicked through to a phishing Web site. But 45% of their bosses contend workers do click through after receiving phishing E-mail.

American workers seem clueless about the dangers of phishing. But their bosses show signs of anxiety over the E-mail scam.

Forty-five percent of IT decision-makers surveyed by Websense Inc. say their employees have clicked through a link to a phishing Web site at work. Only 4% of employees surveyed by the employee Internet-management-systems provider fessed up that they clicked through to a phishing site, a counterfeit destination that mimics a real site and aims to steal confidential information.

This discrepancy might suggest that employees have a difficult time deciphering whether a Web site accessed via a link in an E-mail or instant message is legitimate or spoofed--a fraudulent Web site that appears to be authentic, said Dan Hubbard, senior director of security and technology research and head of Websense Security Labs, in a statement accompanying the report, which was issued this week.

"Phishers are becoming more sophisticated in their deception techniques to lure employees to spoofed Web sites, as most employees cannot determine which is a valid site and which is a fake," Hubbard said. "Employees don't have to fall for the phish and actually enter confidential information on a phishing Web site to be compromised. By simply clicking on a phishing URL, the site can install spyware, such as a malicious keylogger, on the employee's computer, which has the ability to capture data such as network passwords or Social Security numbers without their knowledge."

It takes just one employee to click on a phishing site to unintentionally give out confidential business data, customer records, network passwords, or trade secrets, jeopardizing an entire company's intellectual property, says Brian Burke, research manager for security products at IT researcher IDC.

According to the Websense survey, conducted in February and March by pollster Harris Interactive, one-third of employees polled say they've heard of phishing. But 82% of IT decision-makers surveyed say their employees have received phishing attacks.

Though a relatively new phenomenon, phishing is seen by one-third of IT decision-makers as an important security problem. Most of these IT managers don't believe their companies are well protected from Internet security threats. Forty-three percent say their companies are only somewhat protected.

Six in 10 IT decision-makers say their companies block attachments transmitted by E-mail; 14% block HTML within E-mail. Nearly half say they block attachments transmitted by IM; one-quarter block HTML within IM. "HTML within E-mails is frequently left unblocked--leaving employees vulnerable to attack from phishers hungry for confidential personal and company data," Hubbard said.

How do surveyed IT managers educate themselves on phishing prevention? Forty-four percent turn to online media and 35% rely on security vendors.

Phishing, though a concern to IT decision-makers, isn't their biggest security anxiety. Two-thirds of IT managers picked spyware as the vulnerability causing security problems for their companies, followed by employee use of streaming media (42%), employee use of unlicensed or unsanctioned software (39%), and phishing attacks (32%).

Most companies do offer some form of Internet security training; 58% of IT decision-makers say their companies offer either an Internet security-awareness program, an Internet security-training program, or both. Smaller companies do less Internet security training than larger ones. Half of the respondents from companies of between 100 and 500 workers don't have any type of security-awareness or -training program, compared with 36% of companies with payrolls of 501 to 1,000, and 29% among organizations with 1,001 or more workers.

For the phishing trends report, part of Websense's annual Web@Work survey, Harris Interactive between Feb. 21 and 28 conducted online interviews with 354 American IT decision-makers who work for organizations with at least 100 employees. From Feb. 28 to March 21, Harris Interactive conducted telephone surveys of 500 American workers who have on-the-job Internet access and work for organizations with at least 100 employees.
