Phishing Awareness Survey Results
Users unaware of Phishing Threats
to S e c u r IT y,
our free E-newsletter on Information
Technology, Security, and their intersection with Business.
Awareness Survey Results
Criminals often attempt to spoof bank, auction, and other trusted websites,
requesting personal information from users via emails and other electronic
communications such as Instant Messages. These communications are known as
phishing, and phishing has reached epidemic proportions. Many users receive
phishing emails weekly or even daily. Some of these are extremely
sophisticated and very believable. Personal data captured is used for
identity theft, credit card fraud, and other crimes.
I surveyed 110 people in the USA between August 15 and September 30 on their
awareness of phishing threats. Anyone known to work in IT was specifically
excluded. Those surveyed included lawyers, secretaries, plumbers, telephone
repairmen, telemarketers, doctors, and other people I encountered walking
down the street – essentially a wide array of people.
Less than 48 percent of Internet users have heard of phishing, and only 30
percent have any idea of what it is. Less than four percent of Internet
users have changed their online habits due to phishing threats. These are
appallingly low percentages since most Internet users have been subjected to
phishing attacks! Full results at
It’s not surprising that there is such a wave of phishing attacks today. It
must be quite profitable for criminals since most Internet users are
Some Participant's Comments:
· “You mean I should worry about these?” -yes, you should
· “Changed my habits? – hell no!”
· “You mean the band ‘Phish?’”
· “My credit cards are maxed out so it doesn’t matter.” -yes, it does!
· “I have several phishing attacks weekly.”
· “Phishing? That’s a stupid name.” -yes, but a real threat
· “I don’t even open email unless I know the sender.”
· “I read about them last week but don’t remember.”
· “I just got one this morning.”
Often it is easier to attempt to modify human behavior than to directly
attack computer systems. For example, it is usually far simpler to trick a
user into divulging personal information than to break into a secure server
than contains this data. These types of attacks are known as social
engineering. Wikipedia defines social engineering as "the practice of
obtaining confidential information by manipulation of legitimate users."
Often social engineering is effective because of the natural tendency of
people to want to be helpful, for example the help desk worker who receives
a desperate call from an alleged user who has lost their password.
Combating social engineering involves user awareness. Many organizations
have user awareness programs aimed at increasing security awareness.
Unfortunately user awareness must be an ongoing process. User awareness is
like exercise - its results are short lived unless it is part of a regular
routine. Users forget very quickly!
In addition to user awareness, a set of formal rules for user behavior,
designed to protect the organization AND users, is necessary. These are
typically part of an organization's Security Policy. When a help desk user
is confronted by an angry person on the telephone at 5PM on Friday claiming
to be an executive vice president and demanding their "forgotten" password
be reset because an extremely large contract is at risk, and threatening the
help desk worker with disciplinary action if they do not comply, what are
they supposed to do? Quite simply, follow the Security Policy rules that
pertain to forgotten passwords.
The Internet is still fairly new to most people. Most people are not as
aware of Internet risks as real life risks. An individual usually has
healthy skepticism when a stranger approaches them on the street with a
request, and quickly determines whether to honor that request. As users gain
more experience, they will naturally develop a sense of what is suspicious
and potentially dangerous on the Internet, just as in real life.
I sometimes compare the Internet and safety to driving a car and safety. A
relatively new driver, say someone who has been only driving a few months or
years, statistically has more accidents than a driver with many years of
experience. As the length and depth of experience of the average Internet
user increases, so will their ability to “surf safely,” and they will
develop a “gut feeling” for what is legitimate as well as suspect.
Ted Demopoulos, Consultant and Professional Speaker, 603-231-8782 (cell)
This newsletter is Copyright © 2005 by Demopoulos Associates, Durham, New
Hampshire, USA. All rights are reserved, except that it may be freely
redistributed if unmodified.
Sharing securITy is encouraged if the copyright and
attribution are included.
The free newsletter of Demopoulos Associates,