Employees Fall for the Phish

May 18, 2005

IT decision-makers who work for organizations with at least 100 employees were surveyed on phishing and IT security in the workplace. The survey revealed that employees have fallen for the phish in nearly half of the businesses and that the majority of businesses are not protected from phishing attacks.

The Phishing Trends Survey, conducted by Websense, shows that 33 percent of employees said that they have heard of phishing; 4 percent of employees admitted that they had fallen for a phish; 82 percent of IT decision-makers stated that their workers have received phishing attacks via email or instant messaging; and 45 percent of IT decision-makers whose employees received a phishing attack said that their employees did click through the URL because it was hard to identify phishing sites.

The survey highlighted the difficulty of determining whether a website accessed via a link in an email is legitimate or fraudulent. Not surprisingly, half of the IT decision-makers surveyed do not believe that employees can accurately identify phishing sites.

“Phishers are becoming more sophisticated in their deception techniques to lure employees to spoofed websites, as most employees cannot determine which is a valid site and which is a fake,” said Dan Hubbard, senior director of security and technology research, and head of Websense Security Labs, at Websense, Inc.

The survey has emphasized the security threat of phishing attacks – 32 percent of IT decision-makers reported that phishing attacks have caused security problems for their business and the majority of IT decision-makers do not feel their company is well protected from internet security threats.

“Although the Websense survey shows that only four percent of employees admit to clicking on phishing URLs, this is actually a high number in the security community,” says Brian Burke, research manager for security products at IDC.

“It only takes one employee to click on a phishing site and accidentally give out confidential corporate data, customer records, network passwords, or trade secrets, to jeopardize an entire organization’s intellectual property.”
