Findings show training should leverage practical hands-on exercises
Large organizations of 10,000 employees or more are most susceptible to phishing attacks promising a gift, despite potentially having access to more cyber security resources than smaller businesses, according to a new study.
The new Phishing Benchmark Global Report emphasizes the growing need for all organizations to implement engaging and informative security awareness training programs. Ideally, those programs would leverage real-world phishing simulations to ensure employees are aware of the latest phishing tactics, can detect and report cyber threats and, in time, change unsafe online behaviors.
According to the report, based on the 2022 Gone Phishing Tournament hosted by Fortra’s Terranova Security, many employees are still prone to answering requests for sensitive information – even when they come from unknown or suspicious email senders. This level of trust leaves an organization’s confidential data vulnerable to hackers.
“Cyber threats continue to grab headlines worldwide, so it’s encouraging to see improvement from last year’s phishing simulation,” says Theo Zafirakos, chief information security officer at Terranova Security. “However, let’s not forget how, based on their context, each phishing scenario may convince a different set of users to click.”
Seven percent of all end users who participated in the 2022 phishing simulation clicked on the link in the phishing email. In addition, three percent of all end users failed to recognize the warning signs of the simulation's webpage and proceeded to enter their credentials on the malicious webpage.
Despite the seemingly low totals, this year's form completion rate poses a cause for concern, according to Terranova. Globally, 44 percent of those who clicked on the phishing simulation link eventually completed the web form on the subsequent webpage and submitted their login credentials.
“To put these numbers into perspective, if an enterprise-level organization of 10,000 employees had been targeted with a phishing scam like the one depicted in the simulation, 700 employees would have clicked on the phishing link, and over 300 of those clickers would have entered their password, which can be used to compromise systems and sensitive information,” said Zafirakos. “Given our reliance on online systems and data to conduct many business transactions and services, this reality is concerning.”
The simulation found that employees from large organizations are most susceptible to phishing attacks. According to participant data, organizations with 10,000 employees or more rarely missed security awareness training, indicating a potential lack of effectiveness.
The 2022 Gone Phishing Tournament – co-sponsored by Microsoft – took place in October 2022 to coincide with Cybersecurity Awareness Month. More than 250 organizations participated, and over 1.2 million phishing emails were sent out during this year’s event.