Companies and other organizations are even more vulnerable than individuals. One person needs only to worry about his or her own clicking, but each worker in an organization is a separate point of weakness. It’s a matter of simple math: If every worker has that same 1 percent chance of falling for a phishing scam, the combined risk to the company as a whole is much higher. In fact, companies with 70 or more employees have a greater than 50 percent chance that someone will be hoodwinked. Companies should look very critically at webmail providers who offer them worse security odds than they’d get from a coin toss.
As technologists, we have long since come to terms with the fact that some technology is just a bad idea, even if it looks exciting. Society needs to do the same. Security-conscious users must demand that their email providers offer a plain-text option. Unfortunately, such options are few and far between, but they are a key to stemming the webmail insecurity epidemic.
Mail providers that refuse to do so should be avoided, just like back alleys that are bad places to conduct business. Those online back alleys may look eye-pleasing, with ads, images and animations, but they are not safe.
The problem is that few people appreciate the dangers of email; their understanding of phishing tends to be centred around the garbage that gets caught by most SPAM filters, when they have any clue what phishing is in the first place. Further, it’s not enough to personally avoid the ‘back alleys’ of the Internet email crowd: you need to excise all email that is received by such providers. And that means the problem is one of herd protection and immunity, which is challenging at best to overcome. Who’s going to unilaterally ban email from all the major email providers in the world today?