Redwood City, Calif. – December 18, 2019 - Avast (LSE:AVST), a global leader in digital security products, conducted a survey asking respondents to identify the login screen they would trust. Respondents were shown two seemingly identical screenshots of Amazon’s login page. One screenshot was taken from a phishing version of the site, while the other showed the actual Amazon login page. Sixty-one percent of Americans thought the screenshot of the phishing version was the real site.

The research also asked consumers if they had ever fallen victim to a phishing attack, with nearly a quarter (24%) saying they had, and 22% admitting they weren’t sure, perhaps highlighting a lack of understanding on what phishing looks like and how to spot the signs of an attack. The survey also asked those who had fallen victim to identify the type of attack they experienced. Email phishing was the top answer (59%), followed by a phishing website (45%). Telephone phishing, often referred to as a ‘call center scam’ was experienced by more than a quarter (29%), and 26% said they had fallen victim to ‘smishing’, SMS phishing.

“Phishing continues to be one of the leading attack methods because it allows cybercriminals to target people at scale, using social engineering, which is a tactic used to trick people into carrying out certain actions. Cybercriminals use social engineering to take advantage of typical human behavior, as it is easier to trick a person than to hack into a system. In November 2019, we blocked nearly 3 million phishing attempts targeting more than 590,000 of our American users,” said Michal Salat, Director of Threat Intelligence at Avast. “Phishing can come in many forms, including over the phone, via messages such as SMS, and even in person. However, the most common form of phishing is online, via phishing links. Phishing links leading to malicious websites can be delivered in emails that appear to come from legitimate sources. They can also be attached to messages sent on social networking sites and apps, like Facebook and WhatsApp, and they can even misleadingly appear in search engine results.”

Avast expects cybercriminals to use more sophisticated methods of spreading malware by emails in the upcoming year. Cybercriminals can scan victims’ email inboxes, and reply to emails and include malicious attachments, and thus infect further users. Similarly, there have been cases of malware creating stealthy filters on email servers to steal new incoming messages, to either spy on victims, or to add a malicious payload to the email to then send back into the conversation. There is an entire cybercrime business focused on stealing and reselling SMTP (Simple Mail Transfer Protocol) credentials, which are the same credentials used to log into an email account. SMTP is used by email clients to send emails, and using stolen SMTP credentials, cybercriminals can send malicious emails appearing to be from specific people.

To avoid falling victim of phishing attacks, Avast recommends following the steps below:

1. 1. Install a strong antivirus

Users should keep devices and applications up-to-date at all times, and install a strong antivirus with an anti-phishing feature to prevent breaches of personal information, such as passwords and credit card numbers. Antivirus acts as a safety net, protecting online users, and Avast uses AI to detect phishing threats quicker.

2. Carefully check emails

Users should always be cautious, even if emails appear to be sent by family, friends, or colleagues. Avast advises users review emails for unusual grammar errors, checking if the writing style is dissimilar to previous messages from the “same” sender, or if there is an overdramatic sense of urgency in the message. These characteristics may indicate that the message is malicious. Many phishing emails include malicious attachments appearing to be important documents, and links to malicious sites that look like the real deal, and are hard to recognize as fake. These fake sites can request the user to log in to an account, or enter sensitive information, like payment details. Users should therefore always enter URLs directly into the browser and avoid clicking attachments. Instead, users should contact the entities that the emails appear to be from through a separate channel to ensure the message and attachment was sent by them. 

3. HTTPS not so secure anymore

Users should not solely rely on the green HTTPS padlock in the browser URL bar. While this signifies that the connection is encrypted, the site could still be fake. Avast data shows that half of phishing sites are encrypted to further deceive users, so it’s important users double check that the site they are visiting is the real deal.

Notes to Editors:
*The survey, carried out by Toluna on behalf of Avast in November 2019, surveyed 985 respondents in the USA