
29 September 2014

To Combat Phishing – Deal with the Human Factor

Despite much effort to educate them, unsuspecting computer users continue to fall for phishing, in which a cyber-criminal masquerades as a legitimate party in order to extract confidential information. Such attacks may extract very sensitive information such as passwords and credit card numbers.

The latest figures released by the Anti-Phishing Working Group (APWG) show a marked decline in the number of phishing sites reported to it and in the number of brands targeted. Though this seems to indicate a favorable picture, it is disturbing that a survey conducted by Verizon indicated that during the last year almost all reported incidents of cyber crime included some phishing component. Furthermore, an academic study has found that 92% of people are unable to always identify phishing e-mails, showing that efforts to educate them have so far been ineffective.

As shown by the APWG quarterly report for January to March 2013, phishing attacks dropped 20% between January and March, with February recording the lowest figure since October 2011. The figures are shown in the table below.

Month      Number of phishing sites reported
January    46,066
February   35,024
March      36,983


There has also been a reduction in the number of brands targeted since the previous quarter, but this has to be seen in the context that 2012 numbers were considered exceptionally high.

However, it is debatable whether the drop in numbers is due to an actual reduction in phishing attacks or simply to fewer reports because attacks are becoming harder to spot; the statistics are naturally based on the number of cases reported. Ihab Shraim, who is quoted in the APWG report, comments:

These changes are likely due to a shift to more advanced and targeted techniques for credential theft including malware and stealthier spear phishing.

Criminals have been conducting phishing attacks for many years using familiar targets and tools, the signs of which can be spotted easily. The indications are that they are getting smarter and using techniques which are harder to detect for both machines and humans. Spear phishing, which is a more sophisticated attack than simple phishing, is one of them. Spear phishing attacks are targeted at specific companies and are conducted not by random hackers but by perpetrators whose objective is financial gain, stealing trade secrets or accessing military information. Phishing messages purport to come from a reputed company or web site; spear phishing messages often appear to be from a senior person in the same company. While system administrators have been doing their best to educate users on the dangers of phishing, criminals always seem to keep ahead of them.

A study has been done at North Carolina State University to try to identify the characteristics of people who are taken in by phishing e-mails with experiments using both legitimate and phishing e-mails. The study found a high degree of confidence (89%) among the subjects that they could spot phishing e-mails. However only 8% spotted all the phishing e-mails and 52% made errors more than half the time. Further, 54% falsely identified a genuine e-mail as a scam. It was also found that people who considered themselves as “less trusting, introverts or less open to new experiences” had a greater tendency to falsely consider genuine e-mails as malevolent. It was also found that women are taken in by fake messages more often than men. The researchers consider that as the human factor is the main issue, education is the prime need. They are working on producing a tutorial that will teach people about phishing.

While technical developments such as more secure browsing are important, the psychological factor is the most crucial. Education that focuses on specifics is likely to be ineffective, since with the criminals getting smarter all the time it quickly becomes outdated. What users should learn is to cultivate an attitude of skepticism. Logic, clear thinking and good sense should be made to prevail over basic human emotions such as greed and fear. Whenever you are asked for any sensitive information you should pause and ask yourself some simple but very vital questions.

Am I sure the source is genuine? Have I been brought to this point in a legitimate way? Why does this information need to be provided? What could be the damage if the source is fraudulent? Am I being tricked into taking a risk I would not normally take? Simply stepping back and taking a calm, analytical look at the situation may save you from becoming the victim of a cyber-crime.