Can Americans Catch a Phish? 1 in 4 Take the Bait


Phishing email scams attempt to lure people in by mimicking real emails from big companies so perpetrators can do things like install malware on your computer, access your bank account or even steal your identity. So how savvy are we when it comes to differentiating the real from the fake? To find out, we partnered with our friends at NBC’s TODAY show to create a quiz that tests your phishing email smarts.

So far, over 20,000 Americans have taken the quiz, developed from real emails that ESET security researchers collected and analyzed. First, if you haven’t already, take the quiz yourself—then read on (no peeking!) to see how you compare. (Note: The quiz works best in Chrome, Firefox or Safari browsers.)


What do the results reveal?

Fully 25% of people cannot consistently identify phishing emails (they misjudged one or more of the emails, whether phish or non-phish). The question most often answered incorrectly was this Target email—it was not a phish, but 61% thought it was.

However, cybercriminals often do spin up phishing schemes to take advantage of vulnerable people and brands in crisis, as happened after the Anthem hack in early 2015, so it’s good to remain vigilant.

The phishing emails that fooled people most often were the Amazon and FedEx emails. One in five people were taken in by this:

Upon scrutiny, you can discern several clues. Amazon’s logo appears squished, and there are several grammatical errors at the end—unlikely in a real email from the world’s biggest retailer.

With this FedEx email, 22% of people were tricked.

The tell? Asking you to download an attachment—especially if it does not seem to match the content in the email—is suspicious. Downloading an attachment like this can deliver malware to your computer, often without you even knowing you have been infected.

Here is the breakdown from each email question, so you can see how you compare:

  • Southwest: 89% correctly identified this as a phish
  • Amazon: 79% correctly identified this as a phish
  • Google: 53% correctly identified this as NOT a phish
  • Apple: 87% correctly identified this as NOT a phish
  • FedEx: 78% correctly identified this as a phish
  • PayPal: 96% correctly identified this as a phish
  • Gap: 68% correctly identified this as NOT a phish
  • Target: 39% correctly identified this as NOT a phish

So what does this all mean?

Here’s how our Senior Security Researcher Stephen Cobb sees it: “Our research indicates that phishing scams are still a major way that cybercriminals take advantage of people and businesses. It’s important for us to constantly educate the public, for businesses to educate employees, and for parents to educate kids… and kids to educate parents and grandparents!”

The data show that one in four people still get things wrong, and once is all it takes. “The basic lesson here is to always exercise caution and promote safe Internet practices,” Cobb says. “A good security software product like ESET will have anti-phishing tools built in, which is an important layer of protection. However, the first and last line of defense is still the user. So always think before you click. When in doubt, before you click, call or contact the company directly if something appears ‘fishy.’”

NBC 7 San Diego recently interviewed Stephen. See his advice for secure shopping this holiday season:

Get more tips to keep your family safe online here.