Google Research published this report on their findings (PDF)
about phishing websites. One of their findings is that as many as 45% of visitors give up personally identifiable information (PII) when they arrive at a phishing site. The less successful sites capture data from only around 3% of visitors.
Another important finding of the research is that most accounts are exploited within 30 minutes of the information being given up to the phishing site. This shows just how quickly the crooks move, and how fast we must change passwords if we suspect we have given up information on a phishing site. It is also a strong case for two-factor authentication systems.
From a security culture perspective, it makes sense to implement a training strategy where users who suspect they have given up information to a fraudulent site are trained on what to do after the fact. Some actions to take may include:
- Create a workflow to report and handle phishing attempts
- Train end-users in the workflow
- Build a positive experience for the end user when they report an incident
You can use the Security Culture Framework to organize the workflow and training aspects.
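As an added illustration (not part of the original post or of the Security Culture Framework), here is a small Python helper for the "handle" half of that workflow. It takes a user's phishing report, checks it against the 30-minute exploitation window from the Google report, produces a response plan (password reset, session revocation, MFA enrolment, activity review), and scans authentication log lines for successful logins from unfamiliar addresses after the credentials were entered. The log format, the user and IP values, and the function names are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# From the report: most compromised accounts are used within 30 minutes.
EXPLOIT_WINDOW = timedelta(minutes=30)


@dataclass
class PhishReport:
    """What the help desk records when a user reports a phishing incident (constructed schema)."""
    user: str
    submitted_at: datetime   # when the user entered credentials on the phishing site
    reported_at: datetime    # when the user told the help desk
    mfa_enrolled: bool


def response_plan(report: PhishReport) -> dict:
    """Turn a report into an ordered list of containment actions.

    Password reset and session revocation are always first, because the
    attacker may already be logged in. If the report arrived after the
    30-minute window, the account history also needs a review.
    """
    delay = report.reported_at - report.submitted_at
    window_elapsed = delay >= EXPLOIT_WINDOW
    actions = ["reset_password", "revoke_sessions"]
    if not report.mfa_enrolled:
        actions.append("enroll_mfa")
    if window_elapsed:
        actions.append("review_account_activity")
    return {
        "user": report.user,
        "minutes_since_submission": int(delay.total_seconds() // 60),
        "window_elapsed": window_elapsed,
        "actions": actions,
    }


def _parse_line(line: str):
    """Parse a constructed log line: '<ISO timestamp> user=<u> ip=<ip> result=<r>'."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    return ts, fields


def suspicious_logins(report: PhishReport, log_lines, known_ips) -> list:
    """Successful logins for the reporting user, after credential submission,
    from an address not in the user's known set. These are the sessions an
    incident handler should look at first."""
    hits = []
    for line in log_lines:
        ts, fields = _parse_line(line)
        if fields.get("user") != report.user or fields.get("result") != "success":
            continue
        if ts >= report.submitted_at and fields.get("ip") not in known_ips:
            hits.append((ts, fields["ip"]))
    return hits


# Constructed sample data: alice entered her password at 10:00 and reported it at 10:45.
SAMPLE_REPORT = PhishReport(
    user="alice",
    submitted_at=datetime(2017, 3, 1, 10, 0, tzinfo=timezone.utc),
    reported_at=datetime(2017, 3, 1, 10, 45, tzinfo=timezone.utc),
    mfa_enrolled=False,
)
SAMPLE_KNOWN_IPS = {"198.51.100.4"}
SAMPLE_LOG = [
    "2017-03-01T09:30:00Z user=alice ip=198.51.100.4 result=success",  # normal, before
    "2017-03-01T10:12:00Z user=alice ip=203.0.113.7 result=success",   # unknown IP, after
    "2017-03-01T10:20:00Z user=alice ip=203.0.113.7 result=failure",   # failed, ignored
    "2017-03-01T10:30:00Z user=bob ip=203.0.113.9 result=success",     # other user
]

if __name__ == "__main__":
    print(response_plan(SAMPLE_REPORT))
    print(suspicious_logins(SAMPLE_REPORT, SAMPLE_LOG, SAMPLE_KNOWN_IPS))
```

In this sample the report arrives 45 minutes after the credentials were entered, so the plan adds an account-activity review, and the log scan surfaces the 10:12 login from 203.0.113.7 as the session to investigate. The same structure works for a report filed within the window; it then stops at reset, revoke and MFA enrolment.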
About the author, Kai Roer:
* Ron Knode Service Award by the Cloud Security Alliance
* NCI Fellow at the National Cybersecurity Institute in Washington DC
* JCI ITF #132
* Amazon Bestselling Author
Author/editor of the books:
* Build a Security Culture, IT-Governance 2015
* Protecting our Future (Chapter: Cybersecurity in International Perspective), Hudson Whitman 2013
* The Cloud Security Rules (Editor, author), The Roer Group 2012
* The Leaders Workbook, The Roer Group 2010