Which phishing email is likeliest to fool you?

Unsuspecting computer users are twice as likely to fall for phishing attacks if they're disguised as messages to connect on LinkedIn.

According to research from security company Proofpoint, it's the most effective way for cyber-attackers to fool people at work into clicking malicious links. Users are, apparently, eight times more likely to click on a fraudulent LinkedIn invitation than on other fake social network emails.


The research explains just why such fake LinkedIn invitations have now become such a popular method for scammers - indeed, 'Invitation to connect on LinkedIn' was the top subject line in phishing emails last year.

LinkedIn says it does all it can to protect users. "LinkedIn digitally signs all emails we send, which allows email providers to identify our legitimate emails and throw away the phishing and/or spam emails," the company says in a statement.

But, it warns, "While most major email providers such as Google, Yahoo, Microsoft, and AOL adhere to DMARC standards, there are still a number that have yet to implement it."
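The mechanism LinkedIn describes is DMARC alignment: the receiving provider checks that the domain that signed the message (DKIM) or the domain that sent it (SPF) matches the domain in the visible From header, and discards spoofs that fail. The following is an added illustration, not code from the article or from LinkedIn; the two messages are constructed samples, the Authentication-Results header is assumed to have been added by the receiving mail server, and the organizational-domain helper is a simplification of the Public Suffix List lookup real evaluators use.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From domain, the DKIM signing domain and the
# SPF (envelope) domain all belong to linkedin.com, so DMARC aligns.
GENUINE = """From: LinkedIn <invitations@linkedin.com>
Authentication-Results: mx.example.net; dkim=pass header.d=linkedin.com; spf=pass smtp.mailfrom=bounce.linkedin.com
Subject: Invitation to connect on LinkedIn

Placeholder body.
"""

# Constructed sample: the From header claims linkedin.com, but the message was
# signed and sent by an unrelated domain, so both checks are unaligned.
SPOOFED = """From: LinkedIn <invitations@linkedin.com>
Authentication-Results: mx.example.net; dkim=pass header.d=mailer.example.org; spf=pass smtp.mailfrom=bounce@mailer.example.org
Subject: Invitation to connect on LinkedIn

Placeholder body.
"""


def org_domain(host):
    """Approximate the organizational domain as the last two labels (assumption:
    real DMARC evaluators consult the Public Suffix List instead)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, relaxed):
    if relaxed:
        return org_domain(from_domain) == org_domain(auth_domain)
    return from_domain.lower() == auth_domain.lower()


def dmarc_passes(raw_message, relaxed=True):
    """Return (passed, reason) for the message, using the receiver's
    Authentication-Results header. DMARC passes if at least one of
    DKIM or SPF passed AND its domain aligns with the From domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    results = msg.get("Authentication-Results", "")
    dkim = re.search(r"dkim=pass\b.*?header\.d=([\w.-]+)", results)
    spf = re.search(r"spf=pass\b.*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", results)
    if dkim and aligned(from_domain, dkim.group(1), relaxed):
        return True, "dkim aligned with %s" % from_domain
    if spf and aligned(from_domain, spf.group(1), relaxed):
        return True, "spf aligned with %s" % from_domain
    return False, "no aligned authentication for %s" % from_domain
```

With a published DMARC policy of reject, a provider that implements the standard would discard the second message even though its DKIM signature is valid, because the signing domain is not LinkedIn's.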

On average, says Proofpoint, one in ten employees receiving a malicious link will click on it, with staff twice as likely as executives to do so. Even the best organisations find that employees are clicking on malicious links more than one percent of the time.

"Someone always clicks, which means that threats will reach users," comments Kevin Epstein, Proofpoint's vice president of advanced security and governance.

It can be very difficult for people to spot fraudulent emails, particularly when they come in such a familiar and easy-to-mimic form. Hovering with the mouse over the 'Accept' button may reveal whether or not the link really points to LinkedIn; but few people are looking that closely, and in any case scammers have learned to disguise their links.

Security expert Graham Cluley suggests visiting the site directly each time a request is received, to make sure it's really genuine: real invitations will appear in the Messages section. However, he acknowledges that it's easy to forget - which is why good security software is vital.

"In my view it's unrealistic to expect the average computer user to distinguish between genuine and bogus emails when they are professionally crafted," he writes on his blog.

"Although education can help protect your employees from malicious targeted attacks, it has to be combined with technology to lower the chances of a successful breach."