Royce Curtin, head of intelligence at Barclays Bank, recently emphasised some interesting statistics: 90% of cyberattacks begin with someone clicking on an email. It’s impossible to fix cybersecurity without fixing this aspect first.
To quote Curtin, people are the weak link. The referenced statistics were first presented in Trend Micro’s white paper entitled Spear-Phishing Email: Most Favored APT Attack Bait. Spear-phishing, in particular, is aimed at high-ranking targets who otherwise wouldn’t find the time to open generic phishing messages, which makes it significantly more likely that the target will open the message, even if that target does have a clue about cybersecurity.
Fear and urgency are two of the most successful emotional triggers when it comes to falling victim to phishing. In particular, employees fear losing their jobs, and urgency has a lot to do with being driven by deadlines.
The University of Otago analysed the details behind the spear-phishing attacks in 2013 and found that spear-phishing victims were primarily using mobile devices when they fell for the attack. These devices didn’t display the email in full, and the incidents usually happened outside regular business hours, either early in the morning when the victims were starting their routine, or late at night when they were tired.
Another stated reason for clicking on bad email links was curiosity. A total of 78% of participants in a research study conducted by Friedrich-Alexander-Universität confessed that even though they fully understood the risks, they could not resist clicking the link anyway.