by Amy Loeffler, Virginia Tech News
In this age of cyberattacks and data breaches, most email users are on the lookout for, and understand the potential risks of, messages and attachments coming from unfamiliar sources. However, that vigilance alone might not be enough to keep you protected, according to new research from Virginia Tech that examines the growing sophistication of phishing attacks.
Along with savvier writing, enterprising hackers can now spoof the email address of a trusted friend, co-worker, or business and send forged emails to victims. With the right amount of social engineering, it’s easy to obtain crucial and sensitive information from an unsuspecting recipient with a simple request.
New research from the College of Engineering at Virginia Polytechnic Institute and State University (Virginia Tech) examines the increasing sophistication of phishing attacks. The team conducted end-to-end spoofing experiments on popular email providers: they set up user accounts on the target email services to act as the email receiver, then used an experimental server to send forged emails, with a fake sender address, to the receiver account.
In tests of 35 popular email services, the researchers found that email providers tend to favor email delivery over security; just six email services displayed security indicators on forged emails, while four email services consistently displayed security indicators on mobile email apps.
The clickthrough rate for people who received the email with a security indicator was 17.9%, compared to 26.1% without a security cue. The study recommends that email providers adopt SMTP extensions to authenticate emails and implement security indicators. Misleading elements, such as “profile photos” and email “history,” should be disabled on suspicious emails, the researchers say. Read the report…it may save you a lot of trouble!
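As an added illustration (not code from the study or from any email provider), the sketch below shows how a mail client could turn the receiving server's authentication verdict into the indicator behavior the researchers recommend. It assumes the "SMTP extensions" are SPF, DKIM and DMARC as reported in an Authentication-Results header; the host names, the sample messages and the "verified only if dmarc=pass" policy are assumptions.

```python
from email import message_from_string

TRUSTED_AUTHSERV = "mx.example.net"  # assumed id of the receiving provider's own filter

# Constructed sample messages (not taken from the study).
FORGED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.com;
 dkim=none; dmarc=fail header.from=example.com
From: "Trusted Coworker" <coworker@example.com>
Subject: quick request

Can you send me the file?
"""
# The same forgery, plus a header the sender added to claim it passed.
FORGED_WITH_CLAIM = FORGED.replace(
    "From:", "Authentication-Results: mail.example.org; dmarc=pass\nFrom:", 1)
LEGIT = (FORGED.replace("spf=fail", "spf=pass")
               .replace("dkim=none", "dkim=pass")
               .replace("dmarc=fail", "dmarc=pass"))


def parse_auth_results(raw_message, trusted=TRUSTED_AUTHSERV):
    """Return {method: result} using only headers stamped by `trusted`."""
    msg = message_from_string(raw_message)
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in header.split(";")]
        if not parts[0] or parts[0].split()[0].lower() != trusted:
            continue  # not written by our own server: never trust it
        for part in parts[1:]:
            token = part.split()[0] if part else ""
            if "=" in token:
                method, result = token.split("=", 1)
                results[method.lower()] = result.lower()
    return results


def display_decision(raw_message):
    """Assumed policy: a message is 'verified' only when DMARC passed."""
    verified = parse_auth_results(raw_message).get("dmarc") == "pass"
    return {
        "warning_indicator": not verified,  # security cue on suspicious mail
        "show_profile_photo": verified,     # misleading elements are disabled
        "show_history": verified,           # unless the sender is verified
    }
```

A production receiver would also strip incoming Authentication-Results headers that carry its own identifier before adding its verdict, so a sender cannot impersonate the trusted filter.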