This is kind of weird. Obvious phishing attack ploys still work and US users naively open them but phishing attacks are at a low not seen for over a year ... are things getting better or worse?
A report from the APWG (a "global industry, law enforcement, and government coalition focused on unifying the global response to electronic crime") titled the Q1 2013 Phishing Activity Trends Report:
... Statistics indicate that phishing levels are returning to the levels seen prior to the record-setting highs of 2012. ... Phishing attack numbers dropped from Q4 2012 to Q1 2013, from 46,066 in January to 36,983 in March. The number of unique phishing reports submitted to APWG each month also saw a massive decrease during the quarter, dropping 31 percent from January to March. January's total of 28,850 was 29 percent lower than the all-time high of 40,621 reports, recorded in August 2009.
That's great, it's getting safer on the Intertubes ... but then I read that Halon, an IT security and infrastructure company, announced the results of its U.S. survey 'Email Spam and Related User Behavior' which discovered (the emphasis is mine):
... that 94.7 percent of Americans received at least one email containing a virus, spyware, or malware. About one in eleven (8.8%) opened the attachment and infected their computer. Almost a third (30.2%) came dangerously close to doing the same, opening the email but stopping short of opening the attachment. These spam emails bogusly claim to come most often from banking institutions (15.9%), social media sites like Facebook or Twitter (15.2%), and online payment services (12.8%).
The survey concludes:
One in three Americans admit they would open an unsolicited email-even if it seems suspicious-depending on its subject line. For women, spam email messages containing invites from social networks are alluring, while men are tempted to open ones with the time-tested suggestions of money, power, and sex. Specifically, the survey found that women are more likely to open emails from social-media related accounts (8.2% to 5.6%), but that men are nearly three times as likely to open unsolicited bulk emails that promise monetary rewards (9.4% to 3.8%) and far likelier to open emails professing to include naked photos of celebrities (2.8% to 0.6%), themselves (2.3% to 0.9%) or friends (1.1% to 0%).
I don't think that the likelihood of Americans opening phishing spam has been measured before but I'm surprised to find that we're apparently so gullible ... or should that be we're so careless?
As always, the implications for corporations are most interesting. Less phishing spam implies a lower rate of users being exposed to risky messages but fewer phishing spam messages could make it easier for it to slip past security defenses. So, some level of phishing spam (probably roughly the same as usual) will be making it through the corporate envelope and users are easily attracted by the same old lures that were working great for phishers since the problem began. It's one step forward and one step back.