Technology companies could be doing much more to protect against threats posed by phishing, researchers said.
However, users also need to make themselves more aware of the dangers to ensure potential scammers do not obtain access to personal or sensitive information, according to research by the University of Plymouth in the UK.
To make their point, academics from Plymouth’s Centre for Security, Communications and Network (CSCAN) Research assessed the effectiveness of phishing filters employed by various email service providers.
They sent two sets of messages to victim accounts, using email content obtained from archives of reported phishing attacks, with the first as plain text with links removed and the second having links retained and pointing to their original destination.
They then examined which mailbox it reached within email accounts as well as whether they were explicitly labelled in any way to denote them as suspicious or malicious.
In the significant majority of cases (75 percent without links and 64 percent with links), the potential phishing messages made it into inboxes and were not in any way labelled to highlight them as spam or suspicious. Moreover, only 6 percent of messages were explicitly labelled as malicious.
“The poor performance of most providers implies they either do not employ filtering based on language content, or that it is inadequate to protect users,” said Professor Steven Furnell, leader of CSCAN. “Given users’ tendency to perform poorly at identifying malicious messages this is a worrying outcome. The results suggest an opportunity to improve phishing detection in general, but the technology as it stands cannot be relied upon to provide anything other than a small contribution in this context.”
The number of phishing incidents has risen dramatically since they were first recorded in 2003. In fact, global software provider Kaspersky reported its anti-phishing system was triggered 482,465,211 times in 2018, almost double the number for 2017.
It is also a significant problem for businesses, with 80 percent telling the Cyber Security Breaches Survey 2019 they have encountered “fraudulent emails or being directed to fraudulent websites.” That places phishing ahead of malware and ransomware.
Phishing is designed to trick victims into divulging sensitive information, such as identity and financial-related data, and the threat can actually take several forms:
• Bulk-phishing – where the approach is not specially targeted or tailored toward the recipient
• Spear-phishing – where the message is targeted at specific individuals or companies and tailored accordingly
• Clone-phishing – where scammers take a legitimate email containing an attachment or link, and replace it with a malicious version
• Whaling – in these cases the phishing is specifically targeted toward high value or senior individuals.
“Phishing has now been a problem for over a decade and a half,” said Furnell. “Unfortunately, just like malware, it’s proven to be the cyber security equivalent of an unwanted genie that we can’t put back in the bottle. Despite many efforts to educate users and provide safeguards, people are still falling victim. Our study shows the technology can identify things that we would ideally want users to be able to spot for themselves – but while there is a net, it clearly has big holes.”