As long as humans have access to email, phishing will work

The doctor will see you now.
Image: Reuters/Regis Duvignau

An email has arrived, and it’s just for you. What a moment. Someone has something to share. It’s an old friend, or a current colleague, or maybe your former dentist.

Dr. Scott has shared a document on Google Docs with you.

That’s unusual, but Dr. Scott is all about business, not one to share documents willy-nilly. It could be about flossing, and you consider just deleting it, but maybe it’s something more. Maybe it’s something you’ve been waiting for, and you just didn’t know you were waiting for it.

After you click the familiar button marked Open in Docs, and then perhaps click ALLOW on some vague dialogue box, you wait a moment. What do you have for me, Dr. Scott. What is the document you’ve sent, after all these years.

Hold on. Shit shit shit. Everyone kept telling you about the hackers. You knew about the hackers. Wait, is Dr. Scott the hackers? No, that doesn’t sound right. Dr. Scott is a no-nonsense dentist.

Generally, this is how it happens. It happens all the time. Last week, countless Gmail users across the internet received the same phishing email at the same time, inviting them to click a link to a Google Doc. All of the emails seemed to come from someone the recipients knew. The link did not open a document; it opened a Google account permissions dialogue for a third-party app that had named itself “Google Docs.” Anyone who clicked Allow granted that app access to their Gmail and their contacts without ever typing a password, and their full contacts list was then used to send the same phishing email to even more people. It’s not yet clear whether the attack also installed malware once the link was clicked.
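What the Allow button actually hands over is spelled out in the link itself: a Google OAuth consent URL names the requesting app (its client_id) and the permissions it wants (its scope list). The following is an added example, not code from the original article or from Google, showing how a mail gateway or a curious recipient could inspect such a link before anyone clicks. The authorization endpoint and the scope identifiers are Google's real ones; the sample URL, the client_id in it, and the allowlist of approved client_ids are constructed for this example.

```python
from urllib.parse import urlparse, parse_qs

# Real Google OAuth scope identifiers that give an app the same access the
# "Google Docs" worm asked for: read the victim's contacts and act on their mail.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full Gmail access (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/contacts.readonly": "read the contact list",
    "https://www.googleapis.com/auth/contacts": "read and modify the contact list",
}

# Google's authorization endpoint lives under this host and path prefix.
GOOGLE_AUTH_HOST = "accounts.google.com"
GOOGLE_AUTH_PATH_PREFIX = "/o/oauth2/"

# Hypothetical allowlist of client_ids an organization has reviewed.
# The value is constructed for this example; a real list would come from
# the Workspace admin console.
APPROVED_CLIENT_IDS = {"000000000000-approvedapp.apps.googleusercontent.com"}


def inspect_consent_url(url, approved=APPROVED_CLIENT_IDS):
    """Return human-readable warnings for a Google OAuth consent link.

    Anything that is not a Google authorization URL is ignored and yields [].
    """
    parts = urlparse(url)
    if parts.netloc != GOOGLE_AUTH_HOST or not parts.path.startswith(GOOGLE_AUTH_PATH_PREFIX):
        return []
    query = parse_qs(parts.query)
    warnings = []

    # The app name shown on the consent screen is chosen by the app's author;
    # the client_id is the only thing that identifies who really receives access.
    client_id = query.get("client_id", [""])[0]
    if client_id not in approved:
        warnings.append(f"unreviewed client_id {client_id!r}")

    # scope is a single space-separated parameter.
    for scope in query.get("scope", [""])[0].split():
        if scope in SENSITIVE_SCOPES:
            warnings.append(f"requests {SENSITIVE_SCOPES[scope]} ({scope})")
    return warnings


# Constructed sample: a consent link of the kind behind the "Open in Docs" button,
# asking for full Gmail access plus read access to contacts.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-lookalike.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
)

# Constructed sample: an approved app asking only for sign-in scopes.
BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-approvedapp.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fapprovedapp.example%2Fcb"
    "&response_type=code"
    "&scope=openid%20email"
)

if __name__ == "__main__":
    for w in inspect_consent_url(SAMPLE_URL):
        print("WARNING:", w)
```

The check is deliberately narrow: it does not try to judge the app's display name, because that is exactly the field the attacker controls. A link to a real document on docs.google.com never reaches the authorization endpoint and produces no warnings at all.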

Companies can lose troves of sensitive data as a result of our ceaseless need to know why our former dentists or current colleagues or old friends contacted us out of the blue. Stock prices can fall, and companies can end up spending millions to determine that the root cause of the ensuing chaos was that you’ve always wanted to be friends with your dentist, and your wishfulness got the best of you.

Someone clicking a link in an email can lead to their political party being hacked during a heated election, or to one of the largest breaches of credit card information in retail history. And one study shows that, even when warned about the perils of phishing multiple times, people will keep clicking those links.

The study was conducted in 2012 at Columbia University. Researchers sent 2,000 phishing emails to students, faculty, and staff at the school. Some contained offers for free Apple iPads, others came with PDF attachments, and some asked the recipients to provide their login credentials. The iPad promotion was the most successful, and in the first round of emails, 176 recipients opened the emails and clicked the links within.

Those 176 people were then warned that they’d fallen for a phishing attack, and told to not let it happen again. A few weeks later, the researchers sent another round of phishing emails to those same people, and 10 of them let it happen again. After another warning, a third batch of phishing emails was sent out, and three people fell for it again. It wasn’t until the fourth round that no one opened the emails.

There were similar results in Verizon’s 2017 data breach report, released last week. The report analyzed data breach incidents at 65 organizations and found that 7.3% of users who receive phishing emails fall for them, “whether via a link or an opened attachment,” the report says. It also found that “about 15% of all unique users who fell victim once also took the bait a second time.” And 3% of users clicked links in phishing emails on more than two occasions.

Organizations can spend millions on intrusion detection systems, and they can push out new signatures for each strain of malware as it’s discovered. Neither would have stopped last week’s attack, which needed no stolen password and no malware, only a click on Allow. And they’ll never be able to fully convince workers that Dr. Scott, in fact, has forgotten all about them, and doesn’t have any documents left to share.