Why are hackers winning? Because phishing still works (in fact, it's getting 'better')
What gets stolen during a phishing attack (Verizon chart, from the full report).
Sometimes, people get tired of hearing the same old advice -- but they need to hear it again, anyway. Eat healthier. Exercise more. Spend less. And
DON'T CLICK ON ATTACHMENTS IN EMAILS YOU DON'T EXPECT.
I know, I know, you would never do that. But you'll be stunned to find out how many people do. To prevent anything bad from happening to your computer, or even to your business as a whole, it is imperative to install protective programs such as cybersecurity software, to be on the safe side. There's nothing worse than losing all your important files while someone else is in possession of your important details. In fact, that's the big lesson from Verizon's annual Data Breach Investigations Report. We'll get to that in a moment. But first, let me discuss human nature -- because that's what we're really talking about here.
I'd have a really tough time pitching a story to an editor about phishing. That story is so 1999. And yet, there's a reason your inbox and mine is still full of notes claiming to be from banks that need your account number and password. Phishing works.
And it doesn’t only work on you. It works on big organizations. Like hospitals. There are multiple reports that the dramatic ransomware attacks suffered recently by health care providers -- you know, the ones that reduced hospitals to scheduling surgeries with pencil and paper -- began with successful phishing emails. Yes, employees click on emails, and they click on attachments, and then, hackers are off to the races.
Why does this keep happening? Human nature is pretty tough to overcome. Think back to one of the original global virus epidemics -- the LoveBug. It worked for one reason: Who doesn't want to get a love letter?
Techniques have only improved since then. Today, hackers can hand-craft phishing emails with personal details, such as "Our boss Rick really needs you to open this file for him."
The other reason phishing works is borrowed from the band Pink Floyd -- the Momentary Lapse of Reason. You can have your guard up 23 hours and 59 minutes a day (I hope you aren't reading email that much), but all it takes is one slip, and down the hole the hackers go. We all get distracted and do dumb things. We are all vulnerable some of the time. Hackers have 24 hours every day to attack.
And so, phishing works. In fact, Verizon seems to think it actually worked "better" last year than the year before. In the dataset Verizon studied, 30 percent of phishing messages were opened -- compared to 23 percent the year before. And 12 percent of the time last year, recipients went on to click a malicious attachment or link, enabling the attack to succeed (the year before, 11 percent).
Even more alarming, on average it took fewer than 4 minutes for targeted recipients to open a phishing email and click on a malicious link. Hackers get to work quickly. Anti-phishing protection services from companies like fraudwatchinternational.com are becoming increasingly popular as a way to keep phishing emails out. If you have received a phishing email, it may be worth contacting a company like Fraud Watch International for help and advice. But as long as CEO fraud tactics still exist, where the phisher sends an email disguised as coming from the CEO of a company, much more needs to be done to prevent these sorts of attacks.
It's important to know that the attacks targeting hospitals and other organizations are not your father's phishing. These bad guys aren't trying to direct victims to a website and trick them into entering credentials or account numbers. They simply want to execute rogue code on the victim's computer through an exploit, so they can then have their way with the target network -- install ransomware, for example. In the old attack, victims had three moments to pause and consider the gravity of their actions (open the email, click on the link, enter data). New phishing emails offer only two such moments, and they are much more passive. That makes phishing more dangerous.
And that's partly why ransomware made the biggest jump in Verizon's list of most common attacks.
Red Tape Wrestling Tips: Training, filter, segmentation
Email users still aren’t getting the message. As Verizon’s report puts it: “Apparently, the communication between the criminal and the victim is much more effective than the communication between employees and security staff.”
So what can you do? Don't be afraid to give -- or receive -- old warnings about diet, exercise, and phishing. If you are too smart for all this, endure the training for the sake of your colleagues, and your organization. Someone on your team -- probably several someones -- has clicked on a phishing email recently. The data you save may be your own.
In addition to training, organizations can help themselves by filtering out phishing emails so they never get to employees in the first place. And perhaps most critically, they should carefully segment networks so when human nature strikes, the damage is limited.
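As an added illustration of the filtering step described above (this is example code written for this page, not anything from Verizon's report or from the original article), the small Python triage function below parses an email message and flags the two patterns the article singles out: a risky attachment the recipient did not ask for, and an external sender whose display name borrows an executive's name, as in the "our boss Rick" CEO-fraud lure. The internal domain, the executive name list, the risky-extension list and the sample messages are all constructed assumptions for the demonstration; a real deployment would feed these from the mail gateway and the organization's own directory.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed configuration for the example (constructed, not from the article).
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"rick"}  # hypothetical list of executives' first names
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".zip"}


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw RFC 822 bytes with the modern policy so attachments are easy to walk."""
    return email.message_from_bytes(raw, policy=policy.default)


def risky_attachments(msg: EmailMessage) -> list:
    """Return the file names of attachments whose extension is on the risky list."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            found.append(name)
    return found


def display_name_spoof(msg: EmailMessage) -> bool:
    """True when a sender outside INTERNAL_DOMAIN uses an executive's name in the display name."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == INTERNAL_DOMAIN:
        return False  # internal senders are not treated as impersonation here
    tokens = {t.strip(",.").lower() for t in name.split()}
    return bool(tokens & EXECUTIVE_NAMES)


def triage(raw: bytes) -> dict:
    """Decide whether a message should be held back from the employee's inbox."""
    msg = parse_message(raw)
    findings = []
    attachments = risky_attachments(msg)
    if attachments:
        findings.append("risky attachment(s): " + ", ".join(attachments))
    if display_name_spoof(msg):
        findings.append("external sender using an executive's display name")
    return {"quarantine": bool(findings), "findings": findings}


def build_lure() -> bytes:
    """Constructed sample: external sender posing as 'Rick' with a .scr attachment."""
    m = EmailMessage()
    m["From"] = "Rick Smith <rick.smith@mail-relay.invalid>"
    m["To"] = "alice@example.com"
    m["Subject"] = "Please open this for me"
    m.set_content("Our boss Rick really needs you to open this file for him.")
    m.add_attachment(b"MZ-placeholder-bytes", maintype="application",
                     subtype="octet-stream", filename="invoice.scr")
    return m.as_bytes()


def build_clean() -> bytes:
    """Constructed sample: ordinary internal message with no attachment."""
    m = EmailMessage()
    m["From"] = "Bob Jones <bob@example.com>"
    m["To"] = "alice@example.com"
    m["Subject"] = "Lunch?"
    m.set_content("Cafeteria at noon?")
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (build_lure(), build_clean()):
        print(triage(raw))
```

The check deliberately treats each signal on its own: an unexpected executable-style attachment is quarantined even when the sender looks harmless, and an executive's name on an external address is quarantined even without an attachment, because the article's point is that either one is enough to exploit a momentary lapse.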