22% of employees are likely to expose their organization to the risk of cyber attack via a successful phishing attempt, a Phished report reveals.
Analysis of the broad and diverse data set reveals how vulnerable the average employee is to phishing attacks and offers insight into key trends, including which topics lead to the most successful phishing attacks and which message formats are most likely to trick employees.
The data shows that of employees who open a phishing message, 53% are likely to click a malicious link contained within it. When asked to disclose data, for example on a spoofed login page, 23% of recipients enter their data. If a message contains an attachment, 7% of all recipients will download and open it.
“Although these figures already point to a systematic problem among the working population, perhaps most concerning is the fact that no less than 7% of all employees open a suspicious email attachment. While phishing – usually – requires an extra step before the real damage is done, a malicious attachment can have serious consequences immediately,” said Arnout Van de Meulebroucke, CEO of Phished.
Public v private sector phishing
The report, which analysed simulation data from both private and public sector organizations, found that employees in the public sector are 3% more likely than those in private sector organizations to fall victim to a successful phishing attempt.
In the UK that gap was slightly smaller: public sector employees were 2.5% more likely to be phished than their private sector counterparts, against the 3% global figure.
Most successful phishing topics
Globally, COVID-19 related topics most often led to successful phishing attacks in 2021. This included messages about working from home, Coronavirus testing facilities and vaccinations, with fake news and misinformation campaigns giving attackers an easy way to tap into general anxiety about vaccine risks and side-effects.
The next most successful lures were messages about the technology and IT that supports home working. These included messages impersonating popular collaboration platforms, as well as fake technical support for passwords and VPNs, and they were effective at getting employees both to click links and to reveal data.
COVID-19 messages were also the most likely to fool recipients in the UK. However, in contrast to other countries, UK employees were almost as likely to be successfully phished via messages about orders, deliveries and shipments. HR-related topics, for example those relating to fines, dismissal, holidays or sensitive content, were also more likely to fool UK employees than IT-related messages.
- The data demonstrates that phishing remains a key attack vector for cybercriminals targeting both private and public sector organizations worldwide. 2021 created a perfect cybersecurity storm: attackers took advantage of increased government communication around the COVID-19 crisis while phishing messages themselves became more convincing. Employees, anxious about the global health crisis, are struggling to distinguish these messages from legitimate communications.
- The shift to home working has created greater risk, with many employees using their smartphones to open emails. Mobile mail clients generally make it harder to recognise the origin of an email (the full sender address and the real target of a link are often not shown without extra taps), which leaves employees significantly more susceptible to phishing.
- In 2022 we are likely to see this trend continue, as cybercriminals become increasingly sophisticated in their attacks. COVID-19 will continue to be a popular topic for attackers in 2022, but there are a number of new trends emerging.
- Unwanted calendar invitations, where attackers flood a target's calendar with meeting invites carrying malicious links, are becoming increasingly common, and QR code-based fraud is also something Phished expects to see more of in the new year.
- Perhaps most concerning is the potential for deepfakes to make phishing more convincing and to open up voice as a new vector for attacks.
“The task for the coming year is clear: organizations must focus explicitly on awareness among their employees. In recent years, the volume of phishing attacks has increased exponentially and without a radical countermovement, these campaigns will continue to claim more victims, resulting in major losses for organizations. A one-off workshop does not help against phishing. People need thorough, repeated training to help them recognise increasingly sophisticated phishing messages,” concludes Van de Meulebroucke.