The all new
CBS News App for Android® for iPad® for iPhone®
Fully redesigned. Featuring CBSN, 24/7 live news. Get the App

Study: People open email even if its suspicious


(MoneyWatch) IT and security experts have their work cut out for them. We already know that average users are far from diligent. In the past, I've told you about easily guessable passwords, for example, not to mention phishing attacks that rely on social componentsfor greater success rates. But sometimes it seems like the bad guys can win without even trying.

Case in point: A recent study of 1,000 users concluded that email is simply an attractive nuisance, like a water feature in your neighbor's yard. About a third of the participants said they'd open email even if they knew it to be suspicious. Indeed, about 10 percent of the participants admitted that they had already infected their computer by opening a malicious email attachment.

Email: It's just too tempting, apparently.

CIO reported on this study last week, coming from email security company TNS Global for Halon. These numbers are remarkable, and demonstrate that technology alone is not going to solve our malware and online security woes.

What kind of come-ons were the most tempting? For women, the survey suggested that invites from social networks were the most alluring, while men responded to messages about money, power, and sex.

Says Chris Hadnagy, the president and CEO of Social-Engineer, Inc:

"It is important to remember that as an attacker, often, all I need is one person with a vulnerable browser or software or client and that can give me access to click. So from an attacker's perspective, a 30 percent success rate is great number for broad attacks."'

So how do you protect yourself from these kinds of threats? It's mostly common sense, actually. Here are a few guidelines to keep your PC, your data, and your business safe:

Don't reply to email with personal info. Real financial institutions never ask you to reply to an email with your Social Security number, password or any other personal info. If an email asks for information like that, just delete it -- it's a phishing expedition.

Don't click a link in an email. Links in email are convenient, but they could take you to a phishing site desinged to capture your personal information. Always navigate to a web page yourself via your browser.

Use a unique password on every site. Don't use the same password on Facebook and your bank -- if Facebook is ever compromised, you've just given away the keys to your finances.

Use 2-factor authentication when you can. If your email service and financial institutions offer it, enable 2-factor authentication. This is a security process that requires you to enter a new, unique passcode every time you try to log into the site -- and that code comes from your phone.

Password protect your devices. It's a pain, but you should lock your phone, tablet and laptop with passwords or PINs. Don't use the same PIN for every device, and don't use an easy-to-guess PIN like 0000 or 1234.