Many cyber attacks begin with phishing emails directed at an organization’s employees. According to a new report, those scams can often fool even those who should know better.
In a recent study, researchers from the Polytechnic Institute of New York University sent a mock phishing email to 100 science and engineering students.
After the students completed a personality test and a survey about their computing habits, the researchers used their email addresses to send a phishing email that tried to trick the subjects into clicking on a link promising a chance at winning a big raffle prize. To enter, the students had to fill out a form with their personal information.
The message was made to look as much like a real-life phishing email as possible, complete with spelling mistakes and grammatical errors.
Despite those clues, 17% of the students still fell for the scam, according to the researchers’ report. The majority of those subjects were women, and most of them were classified as “neurotic” according to the personality test.
More training needed
As the researchers have pointed out, the sample size is small and it’s difficult to draw any conclusions about who in your company is most likely to fall for a phishing scam.
One result from the study that should be more interesting for IT managers: The students’ level of knowledge regarding computers and IT security didn’t seem to affect how likely they were to fall for the scam.
The bottom line: All of a company’s users might be fooled by an attack and put data at risk. IT can’t assume that there’s any group that’s immune to these attacks, and it’s important to train all users regardless of how much technology or business experience they have.
In fact, those with the most experience — such as high-ranking executives — are often the biggest targets for phishing attacks.
IT might often let those people off the hook for training, but it’s important that they’re given as much attention as everyone else.