Spearphishing Quiz Quickly Demonstrates Danger

Risk Management: A Look Back at 2013 and Ahead to 2014

When McAfee presented a 10-question quiz on identifying legitimate vs. phishing email messages at this year’s RSA Conference, the firm found that the average accuracy rate for quiz takers was a “C.” It was just another reminder of how difficult fending off spearphishing efforts in the enterprise can be, for both IT and end users. And that’s exactly why phishers keep using the strategy. All they have to do is study their target’s legitimate communications, make their copies, and start distributing them to their selected recipients.

Go ahead and take the test. How did you do? While I did get a score of 90, marking one spearphishing mail as legitimate, I learned quite a bit from McAfee’s explanations of how I could examine that mail more effectively. In this case, it was a mail displayed on a mobile device, and the advice to long-press URLs to display them and check that they are legitimate, for example, will come in handy.

Dave Bull, director, Product Marketing at McAfee, a part of Intel Security, explained in an email message:

“Employees around the world, no matter what industry, are subjected to phishing attacks on a regular basis. The increase in sophistication and targeting of these attacks makes them extremely difficult to detect. We want to help businesses and their employees improve their skill in detecting phishing attacks, which is why we created this quiz. We’ve also built technology that is proven to detect the most advanced malware used in targeted phishing. Through both education and technology, we can build a stronger defense against the most effective entry point for cyber criminals today.”

Giving end users a quick exercise, such as this quiz, to open communication about how to identify phishing attempts, encourages more questions and, one hopes, fewer risks of breaches. McAfee also provides this list of seven tips to avoid being phished (click through for more detail on each):

1. Keep your email, web, and endpoint security up to date.
2. Even trusted email senders can be compromised.
3. Colleagues may innocently send infected links or files to download.
4. Just because an email looks good doesn’t mean it’s legitimate.
5. While some email addresses are obviously from a phony third-party site, it’s easy for sophisticated scammers to make an email address look similar to a legitimate domain.
6. Like email addresses, creating fairly convincing URLs is easy for sophisticated scammers.
7. Your safest choice is to always stay in the driver’s seat by finding content yourself.

You can also refer to this IT Business Edge five-step phishing ID checklist, which goes into detail on how to tell where phishers are getting some of their information.