How worried should organizations be about their phishing click rate?

Overall end user click rates remained high in the face of this year’s phishing simulation, a Terranova Security report reveals. It also details the rise in the number of users who would’ve compromised their devices with malware had the phishing simulation not been a safe testing environment.

The report results emphasize the growing need for all organizations to address the human element of cyber security by implementing engaging, informative security awareness training programs that leverage real-world phishing simulations to change the right end user behaviors.

These revelations come at the end of a year where digital transformation accelerated at many workplaces worldwide. The widespread adoption of remote or hybrid work cultures and related technologies enhanced collaboration and productivity, but it also meant cyber security awareness levels were tested much more frequently and with increasingly complex cyber threats.

“The third edition of the report is a powerful reminder to organizations everywhere that deploying real-world phishing simulations as an educational tool is more crucial than ever,” said author and Terranova Security CEO Lise Lapointe.

“By testing end user knowledge with simulated attacks similar to threats they may encounter in their everyday activities, organizations can more easily change user behaviors and keep their sensitive information safe.”

End users still inclined to click on phishing email links

The report revealed that, in general, a significant portion of end users are still inclined to click on phishing email links and, in the case of this year’s simulation template, download malicious file attachments when prompted.

19.8% of end users who received the phishing simulation email clicked on the initial message’s phishing link, which is on par with the 2020 edition of the event. In total, 14.4% of all end users failed to recognize the simulation’s resulting webpage as unsafe and clicked on the malicious file’s download link.

These realities mean that the number of initial clickers who ended up downloading the phishing simulation’s webpage file exceeded 70%, representing an increase of nearly three percentage points from the previous year.

Phishing simulation click rates by region and industry

• When it came to downloading the malware document, North America fared best as a region (11.8%), while Europe took the runner-up slot (14.9). The Asia Pacific region finished with the highest malware download rate.
• For click rates by industry, Education, Finance and Insurance, and Information Technology exhibited the highest totals, all scoring over 25%. Meanwhile, Healthcare, Transport, and Retail all kept their click rates under 10%.
• Information Technology had the highest click-to-download ratio across all industries, with 84% of those who clicked on the initial phishing link eventually downloading the malware file.