
Too quick to click: New Zealanders falling for phishing emails

New insights from CCL reveal that a significant number of New Zealanders are still falling for phishing email scams, due in part to impulsive email behaviour.

Every week, CCL’s security awareness service sends emails that look like phishing scams to thousands of employees working in organisations around New Zealand.

According to the company, the service is currently registering a phishing success rate of 20-30% among participating employees presented with their first phishing email.

CCL head of security, Tim Sewell, says analysis shows that while people in all job roles fell victim to phishing attacks, certain personality types, especially Type-A personalities often found working in sales and leadership roles, appear more inclined to click duplicitous links and attachments. However, he highlights that personality type isn’t the only factor to determine susceptibility.

Sewell says, “Personal workloads, stress, timing and context also influence the success rates of phishing attacks. For example, receiving a phishing email that looks like a courier company when you’re expecting to receive a parcel - bingo.”

Sewell says it is crucial to find solutions, such as education or multi-factor authentication (MFA), because cyber criminals are becoming more prolific and sophisticated, launching scams from previously compromised email accounts and impersonating trusted providers, such as Microsoft Office 365, Amazon, Google, even the IRD and NZ Post.

He says, “More people are working in the cloud and using browser-based logins to access services. As this behaviour becomes routine, people tend to let their guard down, providing an easy in for fraudsters to steal user login credentials.”

A report published by cloud security firm Avanan shows one in every 99 emails is a phishing attack, using malicious links and attachments as the main vector.

Closer to home, CERT NZ figures show the number of malware reports from Kiwi organisations more than doubled to 43 in the three months ended 31 December.

Phishing campaigns containing malware and targeting business customers of some New Zealand banks contributed to the increase.

According to Sewell, education can reduce the number of employees who click on phishing emails. He says CCL’s training and education programme has reduced phishing success rates to around 5%, with trained employees now regularly reporting phishing scams, thus becoming part of the solution.

Sewell says MFA can also reduce credential theft, which is one of the main objectives of phishing attacks, by requiring users to authenticate themselves to a website by another method in addition to the standard username and password login procedure.

However, according to Sewell, the additional cost of MFA and the inconvenience to users are barriers to adopting this solution.

He says, “That’s a big problem, because once the bad guys have captured a user’s credentials their behaviour goes largely unnoticed - because there isn’t anything to trigger a security alert.

“That gives the crims time to watch and learn, email customers with revised payment details, send out mocked-up invoices, gain the trust of contacts linked to the compromised email account, and reply to existing emails.”

Regular friendly phishing exercises, multi-factor authentication, and anti-phishing technology were essential steps in the current cybersecurity landscape - though tweaking existing policies in some cases was the fastest way to bolster defences, Sewell says.

“For example, financial policies should ensure requests to change payment details are authorised and properly validated, without relying on email. Don’t accept emails as authorisation of payment method. And if someone keeps taking the phishing bait, maybe they’re in the wrong job,” he says.
