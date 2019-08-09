You should feel cranky about all the phishing emails you get. Because getting your brain in a grumpy gear will elevate the odds of your not getting fooled by the next phony invitation to log into your account.

At a briefing Wednesday evening at the Black Hat security conference in Las Vegas, Google security researcher Elie Bursztein and University of Florida security professor Daniela Oliveira shared that and other insights about the business of coaxing people into giving up their usernames and passwords.

The first thing to know about phishing: It’s not as random and sloppy as it might seem. Said Bursztein: “Phishers have constantly refined.”

The roughly 100 million phishing emails Google blocks every day fall into three main categories: highly targeted but low-volume spear phishing aimed at distinct individuals, “boutique phishing” that targets only a few dozen people, and automated bulk phishing directed at thousands or hundreds of thousands of people.

Those categories differ in duration. Google typically sees boutique campaigns wrap up in seven minutes, while bulk phishing operations average 13 hours.

Google also sees most phishing campaigns target its commercial mail service. Bursztein said Google-hosted corporate email accounts were 4.8 times more likely to receive phishing emails than plain old Gmail accounts.

Email services were the most commonly impersonated login page in those attempts, at 42%, followed by cloud services (25%), financial institutions (13%), online retail (5%), and delivery services (4%).