Data: Phishing May Trick Your Employees More Often Than You Think
This blog post was originally published on August 13, 2018. It was updated on October 29, 2019.
New research from PhishNet by Kaufman Rossin® reveals what employees click on most
Phishing and social engineering continue to be among the most common types of cyber attack impacting businesses. These accounted for nearly half of corporate/internal network compromises and 60% of both point-of-sale and cloud compromises last year, according to the 2019 Trustwave Global Security Report. Even organizations with dedicated cyber defense budgets, such as financial institutions and healthcare providers, find themselves challenged by phishing attacks.
Most organizations have valuable information, including account numbers, customer lists, trade secrets, intellectual property, and personal information, that is increasingly attractive to cybercriminals. Failing to protect this information can expose your business to financial, operational, reputational, legal and regulatory risk. In some cases, the impact can be significant enough to bankrupt your organization.
Fortunately, Kaufman Rossin’s research indicates there are ways to reduce the vulnerability of your people and your organization to phishing attacks.
Kaufman Rossin gathered data from more than 163 phishing simulations performed for clients in the past three years, which included organizations throughout the United States and Latin America.
PhishNet by Kaufman Rossin® is a cybersecurity awareness, testing and training service that assesses threats and risks to an organization and sends customized, harmless phishing emails to its employees. Employees who click are instantly redirected to a brief training to build awareness. Kaufman Rossin’s cybersecurity professionals analyze the results and provide reporting to help the organization’s management team identify and measure the areas of highest risk.
How often are employees clicking on phishing emails?
According to Verizon’s 2019 Data Breach Investigations Report (DBIR), on average 3% of people will click on a phish (i.e., link or attachment in an email) from a typical phishing campaign. However, the click rates for simulations performed through PhishNet by Kaufman Rossin® are notably higher than the DBIR average, consistent with expectations, as the service involves increasing the difficulty of phishing email scenarios according to an organization’s inherent risks and management’s instructions.
Kaufman Rossin’s research specifically looks at organizations in the financial services, healthcare and professional services sectors, although there are takeaways from this data that apply across industries. Among these industries, professional services has the highest average click rate at 18%. Healthcare is second at 12%, followed by financial services at 10%.
In addition to anti-phishing technology, an effective cybersecurity awareness, testing and training program continues to be one of the most powerful defense resources available. Proactive organizations can use this type of program not only to measure, but also to modify behavior and reinforce compliance with other information security policies and procedures.
What types of phishing emails do employees click on?
One significant challenge for implementing an effective cybersecurity training program is that cross-disciplinary skills are needed: training and education personnel tend to have the skills needed for delivering the training, but IT personnel tend to understand the threats and weaknesses involved.
Kaufman Rossin’s data suggests that risks may be directly addressed by designing procedures and training against the most effective phishing pretexts and scenarios: human resources (HR) message, voicemail notification, regulatory or business service, and security alert.
HR message – The highest click rates are for emails related to human resources messages, such as messages that refer to vacation, pay, or benefits. Not surprisingly, employees tend to get emotional – and sometimes act quickly – when their compensation or benefits are being discussed. To reduce this risk, train employees to recognize these scenarios and design communication channels to be less susceptible to these scenarios (e.g., sharing some information through a company portal instead of email).
Voicemail notification – Phishing attacks imitating voicemail notifications are also frequently clicked on. In many cases, targeted employees will click on a voicemail notification in an email even if the voicemail service provider mentioned in the email is different from the one the organization uses – or worse, even if the organization’s service doesn’t send emails at all. When asked why they clicked, participants expressed curiosity about the message or anxiety about missing important information. Training to recognize these types of scenarios presents an opportunity to educate employees about the broader issue of social engineering (i.e., attackers using emotions to manipulate behavior). Fear, greed, and curiosity are often used by attackers designing a deceptive scenario, such as the use of curiosity in a voicemail pretext.
Regulatory or business service – Regulatory agencies, associations and vendors often send notifications to professionals, which could lead to a dangerous habit of clicking on links in emails without hesitation. These are easy pretexts for an attacker to guess when they gather basic information about your organization. Training about these types of phishing emails provides the opportunity to discuss an attacker’s use of reconnaissance to gather information for designing their attack scenarios. Additionally, train employees not to let their guard down just because a communication appears to come from a trusted association or authority. Visiting a sender’s website directly, instead of clicking on links in emails or downloading unexpected attachments, is often the safer route, even when those communications seem to be coming from an important sender.
Security alert – If your internal or external IT team sends emails to employees, they should consider adopting a standard format for security alerts and providing examples to educate employees on what those alerts look like. Implementing these changes should make it easier for employees to spot a phishing email using the pretext of a security alert.
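The voicemail and security-alert recommendations above both come down to the same control: decide which senders are allowed to deliver a given kind of notification, and treat anything else that uses that pretext as suspect. The following is an added example (not Kaufman Rossin's code or part of PhishNet) of a mail-gateway style review rule that implements that control for inbound messages. The sender list, the subject and body cues, and the sample messages are all constructed for illustration; it also assumes the envelope and From header have already been authenticated (SPF/DKIM/DMARC), since a domain allow-list is only as trustworthy as the header it inspects.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr

# Hypothetical organization policy (constructed for this example): the only
# senders permitted to deliver voicemail notifications and internal security
# alerts, keyed by pretext category. An entry may be a full address or a
# bare domain. If the organization's voicemail service sends no email at all,
# the "voicemail" set would simply be empty and every such message is flagged.
SANCTIONED_SENDERS = {
    "voicemail": {"voicemail.example-pbx.com"},     # the org's real voicemail provider
    "security_alert": {"it-security@example.com"},  # the IT team's single fixed alert address
}

# Subject/body cues that mark a message as using one of the pretexts.
# These are deliberately broad: the cost of reviewing a legitimate notice
# from a sanctioned sender is zero, because sanctioned senders pass anyway.
PRETEXT_PATTERNS = {
    "voicemail": re.compile(
        r"\b(voice ?mail|missed call|new message from)\b", re.I),
    "security_alert": re.compile(
        r"\b(security alert|password (will )?expire|unusual sign-?in|account (locked|suspended))\b", re.I),
}


@dataclass
class Message:
    sender: str   # raw From header, e.g. 'Display Name <user@domain>'
    subject: str
    body: str


def classify_pretext(msg):
    """Return the list of pretext categories whose cues appear in the message."""
    text = f"{msg.subject}\n{msg.body}"
    return [name for name, pat in PRETEXT_PATTERNS.items() if pat.search(text)]


def is_sanctioned(category, sender):
    """True if the From address (not the display name) is on the allow-list."""
    _, addr = parseaddr(sender)          # strips a spoofed display name
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    allowed = SANCTIONED_SENDERS[category]
    return addr in allowed or domain in allowed


def review_message(msg):
    """Return ("pass", []) or ("flag", [reason, ...]) for one inbound message."""
    reasons = []
    for category in classify_pretext(msg):
        if not is_sanctioned(category, msg.sender):
            reasons.append(f"{category} pretext from unsanctioned sender {msg.sender}")
    return ("flag" if reasons else "pass", reasons)


# Constructed sample traffic: two legitimate notices, two look-alikes, one
# unrelated message. None of these addresses or numbers are real.
SAMPLE_MESSAGES = [
    Message("PBX <notify@voicemail.example-pbx.com>",
            "New voicemail from +1 305 555 0100", "Duration 0:42."),
    Message("Voice Services <alerts@vm-notify.example.net>",
            "You have a new voice mail", "Click here to listen to your message."),
    Message("IT Security <it-security@example.com>",
            "[SEC-ALERT] Security alert: planned password expiry", "Rotation starts Monday."),
    Message("IT Helpdesk <helpdesk@example-support.co>",
            "Security Alert: your password will expire today", "Verify your account now."),
    Message("HR <hr@example.com>",
            "Updated benefits enrollment", "Open enrollment closes Friday."),
]


def review_all(messages=SAMPLE_MESSAGES):
    """Map each subject to its verdict so results can be inspected or asserted on."""
    return {m.subject: review_message(m) for m in messages}


if __name__ == "__main__":
    for subject, (verdict, reasons) in review_all().items():
        print(f"{verdict:4}  {subject}")
        for r in reasons:
            print(f"      - {r}")
```

Flagged messages are the ones worth routing to a quarantine or a banner ("this message claims to be a voicemail but did not come from our voicemail system"), which gives employees the concrete cue the training asks them to look for. Note that the HR message passes untouched: this rule covers only the two pretexts where the organization can name its legitimate senders, and the HR pretext is better handled by moving that information to a portal, as the HR paragraph above suggests.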
Going forward
For the foreseeable future, phishing attacks will continue to be one of the most popular methods of cyber attack across industries. Organizations in highly regulated industries and those with sensitive information should be especially concerned about the risk of employees falling victim to phishing, and potentially exposing the organization to significant financial losses and other risks.
A robust cybersecurity awareness, testing and training program can make a significant difference in an organization’s ability to secure its people, resources, and reputation – especially when it includes highly customized phishing testing and training designed with an understanding of the most effective types of attacks and the organization’s unique profile and challenges.