Fake phishing 'quizzes' help companies beat online intruders

High-profile hacks have put companies on the defensive as they try to prevent themselves becoming the next Sony Pictures or Anthem. And data shows phishing emails are increasingly being used as entry points for hackers. Unwittingly clicking on a link in a scam email could unleash malware into a network, or provide other forms of access to cyberthieves.
So a growing number of companies, including Twitter, are giving their workers a pop quiz, testing security awareness by sending spoof phishing emails to see who bites.
"New employees fall for it all the time," says Josh Aberant, postmaster at Twitter, at a recent data privacy town hall meeting in New York.
Falling for the fake scam offers a lesson that businesses hope will ensure employees won't succumb to a real threat. Companies like Wombat Security and PhishMe offer the service for a fee.
Phishing is very effective, according to Verizon's 2014 data breach investigations report, one of the most comprehensive in the industry. Eighteen per cent of users will visit a link in a phishing email that could compromise their data, the report found.
Not only is phishing on the rise, the phish are getting smarter. Criminals are "getting clever about social engineering", says Patrick Peterson, CEO of email security company Agari. As more people wise up to age-old PayPal and bank scams, for example, phishing emails are evolving. You might see a gift card offer or a notice about US President Barack Obama warning you about Ebola.
The phishing tests recognise that many security breaches are the result of human error. A recent study by the nonprofit Online Trust Alliance found that of more than 1,000 breaches in the first half of 2014, 90 per cent were preventable and more than one in four were caused by employees, many by accident.