People are often curious about what percentage of users will fall for a phishing attack, and it’s tempting to try to create this kind of statistic. At PhishMe, we’ve found that trying to assign a blanket statistic is counterproductive – however this hasn’t stopped others in the industry from trying to do so. The most recent company to try is Intel Security (formerly McAfee), which declared that 97% of people globally were unable to correctly identify phishing emails. While this statistic certainly makes for a nice headline, it is broad-based and flawed in a number of ways.
When a hacked Twitter account spreads false news of an explosion at the White House and causes hysteria that spurs a 140 point drop in the stock market, it should encourage calls for Twitter to bolster its security measures, so it’s no surprise that many are clamoring for Twitter to offer 2-factor authentication. One problem with this – news outlets are reporting that hackers gained access to the AP’s account through a phishing attack. While 2-factor authentication makes it more difficult to phish an account, it will not prevent this type of attack from being successful (nor will a more complex or longer password for that matter).
I read Aitel’s article right before leaving for BlackHat: “Why you shouldn’t train employees for security awareness”
Popcorn in hand, this should be a fun read. After all, we agree that traditional awareness methods don’t seem to be sticking.