Stuart Gentle Publisher at Onrec

Nearly Half of IT Decision Makers Surveyed Say Employees Have Fallen for the Phish

Websense's Phishing Trends Survey suggests phishing websites difficult to identify; many companies not well protected against phishing attack

Websense, Inc., provider of employee internet management solutions, today announced the results of its Phishing Trends study, which is part of the company's annual Web@Work survey conducted by Harris Interactive.



According to the study, two-thirds (67%) of employees polled said that they had never heard of phishing. Similarly, 4% of employees surveyed admitted that they had "fallen for a phish" and clicked through a link to a phishing website at work. Conversely, 82% of IT decision-makers surveyed stated that their employees have received phishing attacks via email or instant messaging (IM), with 45% of those who have had employees receive a phishing attack admitting that their employees did click through the URL in the phishing attack.

This discrepancy might suggest that employees have a difficult time deciphering whether a website accessed via a link in an email or instant message is legitimate or "spoofed". Not surprisingly, half (50%) of the IT decision-makers surveyed do not believe that employees can accurately identify phishing sites. Other top findings include:

2005 Phishing Trends Survey Highlight:

PHISHING ATTACKS: two-thirds (67%) of employees surveyed said that they had never heard of phishing, but only 4% admitted to ever "falling for a phish" at work. However, half (50%) of IT decision-makers surveyed believe that employees cannot accurately identify phishing sites, with 82% of IT decision-makers polled reporting their companies have received a phishing attack via email or IM, and 45% of those polled said that employees did click through the URL.

PROTECTION AGAINST PHISHING: 43% feel their company is only somewhat protected against phishing attacks, with 14% feeling not very, or not at all, protected.

SECURITY CONCERNS: 32% of IT decision-makers surveyed believe that phishing attacks have caused security problems for their organisations in the past year. Spyware (65%), employee use of bandwidth-clogging applications (42%), and use of unlicensed/unsanctioned software (39%) were also listed as security concerns.

WHAT COMPANIES BLOCK: when asked if they block executables and/or HTML, 40% surveyed do not block executable programs transmitted through email, and only 14% said they block HTML within emails. Likewise, 53% said they do not block executables transmitted through IM, and only 24% indicated they block HTML within IM. 47% of IT decision-makers surveyed report that their companies block executables transmitted through the internet.

INTERNET SECURITY TRAINING: 42% of IT decision-makers surveyed do not have either an internet security awareness program, or an internet security training program, or both. Larger companies tend to do more in terms of internet security: of those IT decision-makers surveyed, fully half (50%) of those who work for mid-sized companies (defined as companies with 100-500 employees) said they do not have any sort of security awareness or training program versus 36% of those who work for large companies (501-1,000 employees) and 29% of those who work for very large companies (1,001 or more employees).

"Phishers are becoming more sophisticated in their deception techniques to lure employees to spoofed websites, as most employees cannot determine which is a valid site and which is a fake," said Geoff Haggart, VP Websense EMEA. "However, employees don't have to 'fall for the phish' and actually enter confidential information on a phishing website to be compromised. By simply clicking on a phishing URL, the site can install spyware, such as a malicious keylogger, on the employee's computer which has the ability to capture data such as network passwords or social security numbers without their knowledge."

"Although the Websense survey shows that only four percent of employees admit to clicking on phishing URLs, this is actually a high number in the security community," says Brian Burke, research manager for security products at IDC. "It only takes one employee to click on a phishing site and accidentally give out confidential corporate data, customer records, network passwords, or trade secrets, to jeopardize an entire organization's intellectual property."

"Most organisations already prevent attachments coming in through email; however, HTML within emails is frequently left unblocked, leaving employees vulnerable to attack from phishers hungry for confidential personal and company data," said Haggart.

Websense Security Labs mines more than 50 million websites per day, searching for sites infected with malicious code, such as spyware and phishing sites. In fact, more than 13,000 infected sites were discovered in the first quarter of 2005 alone. Websense Security Labs researches today's advanced internet threats and delivers timely product and information updates to the security community and Websense customers to support them in making their infrastructure more secure.