Between the number of people it impacts and all the amazing puns you can use to talk about it, phishing is one of the most infamous attack methods in cybersecurity.
And considering how prevalent it is, you would think email providers would be doing everything they can about the problem.
But as research from the University of Plymouth reveals, this is far from the case.
Suspicious, malicious, or sleeping with the phishes?
The study, out of Plymouth's Centre for Security, Communications and Network, set out to determine how effective the phishing filters of a variety of email providers are.
According to EurekAlert, here's how they did it:
They sent two sets of messages to victim accounts, using email content obtained from archives of reported phishing attacks, with the first as plain text with links removed and the second having links retained and pointing to their original destination.
They then examined which mailbox it reached within email accounts as well as whether they were explicitly labelled in any way to denote them as suspicious or malicious.
And what did the data say?
In the significant majority of cases (75% without links and 64% with links) the potential phishing messages made it into inboxes and were not in any way labelled to highlight them as spam or suspicious. Moreover, only 6% of messages were explicitly labelled as malicious.
Yikes. Numbers like that make it extremely difficult for employees to avoid taking the bait.
Phishing: on the rise since '03
And despite how much cybersecurity has developed in the last 16 years, phishing has actually managed to steadily increase:
The number of phishing incidents has risen dramatically since they were first recorded in 2003. In fact, global software giant Kaspersky Lab reported that its anti-phishing system was triggered 482,465,211 times in 2018, almost double the number for 2017.
In 2019, 80% of businesses encountered these attacks.
Professor Steven Furnell, one of the academics in charge of the Plymouth research, expressed his concern:
"Given users' tendency to perform poorly at identifying malicious messages this is a worrying outcome. The results suggest an opportunity to improve phishing detection in general, but the technology as it stands cannot be relied upon to provide anything other than a small contribution in this context."