Here is what an ideal phishing victim looks like

Wondering what makes someone a perfect target for cybercriminals? There seems to be a marked discrepancy between those who are most commonly targeted and those who actually fall victim to phishing, research finds.

To identify the most likely victims of phishing, the research team at Hicomply studied data from the UK’s Office for National Statistics and National Fraud Investigation Bureau from 2022.

Two of the most commonly targeted age groups are 35-44-year-olds and 25-34-year-olds (lagging just slightly behind). Overall, an ideal phishing target is a woman between 25 and 34 years of age, employed, renting or owning a home, and living in one of the least deprived areas of England.

However, a different group of people most commonly fell for phishing attacks. While 5% of 35-44-year-olds admitted to interacting with a phishing message, only 2% of 25-34-year-olds did so.

As a result, a typical victim of phishing was a woman between 35 and 44 years old, a social renter who lives in one of the most deprived areas of England.

Image: Phishing target (by Hicomply)

In turn, what kinds of phishing messages do targeted individuals get? 54% of survey respondents were contacted by a fraudster pretending to be from a delivery company, 32% from banks or other financial institutions, and 29% from e-commerce companies.

“You might be asked to click on something or give your details to avoid a negative consequence, such as missing an important delivery. As the UK cost of living crisis continues, we’re also more likely to see fraudsters posing as utility companies or other service providers. Money is a huge motivator so be careful and check the information in the message matches with the official information on a company’s website,” Zoe Grylls, customer success manager lead at Hicomply, warns.

Phishing: a wolf in sheep's clothing

One recent phishing attack involved an email containing a fake summons threatening arrest if the recipient didn’t appear in a US court. The individual was pressured to click a link disguised as a “petition letter” to dispute the court’s verdict.

Big names like PayPal, Netflix, Amazon, DHL, and Google were all used to lure victims into clicking on malicious links or providing sensitive information about themselves.

To combat phishing, Grylls recommends investing in employee training to raise awareness about its dangers.

“For businesses, it’s important to invest in training. Run regular simulated phishing attacks, with targeted training if needed. Assess your organisational security awareness and use the results to decide on future training modules for your staff.”

Interestingly, research at ETH Zurich, in collaboration with a large company, found that “a rather large fraction of the entire employee base will be vulnerable to phishing when exposed to phishing emails for a sufficiently long time.” This means that, in theory, cybersecurity training may have the opposite effect: one in three employees surveyed over 15 months clicked on at least one link or attachment in the simulated phishing emails.

“Surprisingly, we observe that both click and dangerous actions rates are higher for participants that received contextual training (i.e., participants who were forwarded to a training page) after falling for simulated phishes,” the academics say.

Although experts did not try to disprove the necessity of cyber awareness, they nonetheless noted that companies should proceed with caution.

“We call for caution in the deployment of methods like embedded phishing exercises and training, where the existing literature is less unanimous about their effectiveness, and our research discovers potential negative side effects.”