The Danger of Sensationalizing Phishing Statistics

People are often curious about what percentage of users will fall for a phishing attack, and it is tempting to try to produce that kind of statistic. At PhishMe, we have found that assigning a blanket number is counterproductive; that has not stopped others in the industry from trying. The most recent is Intel Security (formerly McAfee), which declared that 97% of people globally are unable to correctly identify phishing emails. That statistic certainly makes for a nice headline, but it is overly broad and flawed in several ways.

The 97% figure comes from an online quiz McAfee conducted. Over 19,000 people in 144 countries responded. The quiz presented ten emails and asked respondents to identify which of them were phishing attempts. Only 3% of respondents classified all ten correctly, and from that McAfee concluded that 97% of people cannot identify phishing attacks.

Should this statistic raise an alarm for enterprises? Are people really that bad at identifying phishing emails?

Drawing a broad conclusion about phishing from a quiz of this nature is dangerous because the quiz required respondents to identify phishing by analyzing technical elements such as the URL. Being able to scrutinize URLs matters, but most people detect phishing by analyzing the context of the email, not its technical elements. For example, many spear phishing emails appear to come from a person familiar to the recipient, such as a co-worker, yet these attacks often betray themselves by using language the real sender would never use. If I ever received an email from Aaron, our CTO, that began with “Dear Rohyt,” I would immediately become suspicious, because Aaron never begins an email that way. A generic quiz has no way to replicate that situation accurately for each individual respondent.

Aside from the personal element described above, the cultural element is absent from the quiz as well. Phishing attacks often key on topics relevant to the recipient: an email that is effective against someone in the finance department might not be effective against someone in IT, one that works in Norway might not work in the United States, and one that works on a parent may not work on someone who has no children.

Furthermore, merely being able to distinguish legitimate URLs from illegitimate ones will not necessarily prevent phishing attacks. We have often seen attackers take control of legitimate domains and host malware on them. In that case the URL in the phishing email appears legitimate, because the domain itself is genuine, so the recipient must analyze the context of the email to correctly identify it as phishing.

The 97% statistic is purely sensationalist. A person who correctly identified 8 or 9 of the 10 emails is still counted among the 97% who “failed.” When we evaluate the efficacy of a technical control, we do not expect it to detect 100% of all threats. Why do we hold humans to that standard?

A person who can correctly identify the majority of phishing attacks is an asset to your security program, not a liability, particularly if your organization has a way to gather user reports of suspicious emails. We have deployed PhishMe Reporter™ to over 1.5 million endpoints, and our customers regularly find that a meaningful share of their employees accurately identify and report potential phishing emails when given an easy way to do so. Those employee-sourced reports give the incident response (IR) team and security operations analysts the information they need to respond rapidly to a phishing campaign and to mitigate the risk from the colleagues who did fall for it. PhishMe’s Triage further accelerates the IR process by automating the collection, analysis and handling of these user reports.

Instead of dwelling on the fact that people are still sometimes susceptible to phishing (is this news to anyone?), we should focus on capitalizing on the users who can become active human sensors and act as informants for the IR team.
