One of my favorite episodes of Friends shows Chandler checking his email on Ross’s laptop. Suddenly, Chandler’s face goes blank and he begins pounding his fingers on random keys, muttering, “Oh no, oh no.” He admits to having opened an email from someone he didn’t know because it promised naked pictures of Anna Kournikova. If you are over the age of 20, you may remember the Anna Kournikova virus, which spread via an email encouraging the recipient to check out pictures of the beautiful tennis star.
That episode aired a decade ago, but according to a new study by Halon, men are still falling for spam emails involving sex (and money). Women also open spam mail, but the survey found that they tend to focus on email that uses social networking and friendship as bait.
We all receive spam – well, the survey said that 94 percent of us have received at least one email that contained malware, spyware or a virus, and personally, I’d like to meet the 6 percent who have never received such an email to ask them how they’ve avoided it. What’s surprising is how many of us are still opening spam email based on the subject line. According to the survey, “Email Spam and Related User Behavior,” one in three of us will open an unsolicited email, even if it appears suspicious. Even worse, if the email has an attachment, one in 11 has opened it, infecting their computer (and in the workplace, that can mean infecting the network). Another 30 percent have come awfully close to clicking on that attachment, but realized in time that it was fake.
The results of this survey are important for at least two reasons. One, we know that spammers are always improving their techniques, making it more difficult for the average user to recognize the difference between spam and legitimate mail. Two, we also know that employee behavior is a top cybersecurity risk in the enterprise. The survey provides a reminder that employees are human beings and they will fall back to basic human behavior. We need better education on how to identify spam and the risks of opening a suspicious email. Or as Chris Caldwell stated in an IT Business Edge post:
The best way to manage human risk is to apply a two-pronged approach that seeks to proactively address weaknesses while leveraging standard resilience-oriented risk management practices. Businesses need to educate and train users about common threats, attacker tactics, and expected performance relative to following set policies and procedures, all in addition to deploying security tools and practices that will help the business detect and recover from various incidents.