3 in 10 workers worldwide have clicked a phishing link in the past year. In the US, it’s 1 in 3.
With the massive increase in remote work due to COVID-19, there has also been an explosion in cybercriminal activity like phishing. Not only is phishing still prevalent, but it continues to be on the rise. In fact, more than 1 in 4 Americans has received a phishing email related to the pandemic.
Why are people still clicking?
For our new report, COVID-19 Clicks: How Phishing Capitalized on a Global Crisis, we surveyed 7,000 office workers in the United States, United Kingdom, Australia/New Zealand, Germany, France, Italy and Japan on their understanding of phishing, their email and click habits, and how their online lives have changed since the beginning of the COVID-19 pandemic. We then worked with Dr. Prashanth Rajivan, assistant professor at the University of Washington and expert in human behavior and cybersecurity, to get his take on why phishing still works.
According to Dr. Rajivan, what we need to consider is that human beings aren’t necessarily good at dealing with uncertainty, which is part of why cybercriminals capitalize on upheaval (such as a global pandemic) to launch attacks.
“People aren’t great at handling uncertainty. Even those of us who know we shouldn’t click on emails from unknown senders may feel uncertain and click anyway. That’s because we’ve likely all clicked these kinds of emails in the past and gotten a positive reward. The probability of long-term risk vs. short-term reward, coupled with uncertainty, is a recipe for poor decision-making, or, in this case, clicking what you shouldn’t.” – Prashanth Rajivan, Ph.D.
Additionally, the report suggests that many of us are overconfident when it comes to cybersecurity. Nearly all respondents worldwide (95%) recognize that phishing remains a problem, but 76% admit to opening emails from unknown senders, with over half (59%) blaming it on the fact that phishing emails look more realistic than ever before. The survey also revealed an opportunity for more security awareness education. Just 59% of people believe they know what to do to keep their data safe, with nearly one third (29%) admitting they’ve clicked on a phishing scam in the last year and one in five (19%) confirming receipt of a phishing scam related to COVID-19.
- United States: 44% of respondents are more concerned about phishing attempts this year, but 1 in 3 admit they have clicked a phishing link in the last year. 8% of those didn’t report it.
- United Kingdom: UK respondents have the highest level of confidence in their ability to keep themselves and their data safe from cyberattacks. 1 in 4 have clicked a phishing link in the last year.
- Australia/New Zealand: 1 in 5 AU/NZ respondents reported having received phishing emails specifically related to COVID-19. But only 1 in 3 respondents are more concerned about phishing now than they were at the beginning of the year.
- Germany: 79% of German respondents say they open emails from unknown senders. Of those, 13% said they do so all the time, while 15% said they do so only rarely.
- France: A full 55% of French respondents admitted to clicking a phishing link in the past year, even though 8 in 10 say they take steps to determine if messages are malicious when checking email.
- Italy: Of Italians who clicked on a phishing link, 23% did not report it. While many recognize the cyber risks COVID-19 has brought, they aren’t really worried about them.
- Japan: Japanese respondents were the least likely to fall for a phishing scam, with only 16% of people having clicked a phishing link in the last year. They were also the least confident about their cyber-safety knowledge.
We all need to do better.
Dr. Rajivan says there are a lot of things we could do to improve. First, he says that, “if we want to enable employees to assess risk properly, we need to cut down on uncertainty and blurring of context lines. That means both educating employees and ensuring we take steps to minimize the ways in which work and personal life get intertwined.”
Additionally, he encourages us all to subscribe to cybersecurity-related content, such as podcasts, social feeds, security-related blogs (and this community!) so that knowledge about the latest threats and how to avoid them stays top-of-mind.
For more details, statistics, and concrete tips on how businesses and individuals can stay safe from phishing and other threats, I encourage you to check out the full report, as well as the other resources we’ve put together.
- Get the COVID-19 Clicks report
- Read the Press Release
- Check out the COVID-19 Clicks infographic
- [blog] How has COVID-19 Affected our Click Habits?
- [blog] Unexpected Side Effects: How COVID-19 Affected our Click Habits
- Q&A with a Human Behavior and Technology Expert
- [blog] False Confidence is the Opposite of Cyber Resilience
- [blog] Overconfident, Under-Prepared and Not Cyber Resilient