Which Phishing Messages Have A Near 100% Click Rate?

Training employees to spot phishing emails, messages and phone calls can’t be done just once or once a year if the organisation wants to see click rates decrease.

For one thing, employees come and go (and change roles) with regularity. Secondly, threats change over time. Thirdly, knowledge and practices that aren’t regularly reinforced will be lost. And, finally, awareness isn’t the same as knowledge.

“Just knowing a threat exists isn’t the same as knowing how to recognize and respond to a threat when it presents itself. In-depth education about phishing prevention is needed to create lasting behavior change,” Wombat Security researchers point out.

The statistics included in the company’s latest annual State of the Phish report show the difference made by both the tools used to train end users to recognise and avoid phishing attacks and how often they are used.

In the US, most organisations use computer-based online security awareness training and simulated phishing attacks to train employees, while UK organisations generally opt for more passive training methods over hands-on practice.

Also, 46 percent of US organisations use those tools biweekly or monthly, while UK organisations do that in just 21 percent of cases.

As a result, 61 percent of US organisations see quantifiable results from these efforts, compared to 28 percent of UK orgs.

You also might find yourself tempted by a “set it and forget it” security awareness training program, the researchers noted, but that’s not ideal. “When you plan and schedule your phishing tests months (or even years) in advance, you lose the ability to be responsive to emerging threats and to tailor activities based on your results.”

Other interesting findings

The company based the report on data from tens of millions of simulated phishing attacks, and they found that:

  • Personalised phishing tests (personalised email address, first name or last name) are no more effective than non-personalised ones.
  • End users are most likely to report suspicious emails in the middle of the week.
  • The topics and themes that are most tempting to end users are “online shopping security updates,” “corporate voicemail from an unknown caller,” and “corporate email improvements.”
  • Two simulated phishing templates had a near 100% click rate: one that masqueraded as a database password reset alert, and another that claimed to include an updated building evacuation plan.
  • Organisations in the telecommunications, retail, consumer goods, government, and hospitality industries have, on average, the worst click rate (15% to 13%), while those in the energy, finance, transportation and defense industrial base industries have the best (8% to 3%).
  • Average click rates fell across all four categories (corporate, commercial, cloud and consumer emails) this year in comparison to 2016.

The researchers particularly saw a significant improvement in click rates on cloud-based templates (business-related emails that include messages about downloading documents from cloud storage services, or going to an online sharing service to create or edit a document).

Surveys of infosec professionals and end users also revealed that:

  • On average, 53% of infosec professionals reported experiencing spear phishing in 2017.
  • 95% of organisations train end users on how to identify and avoid phishing attacks.
  • 45% of organisations said there are ramifications if their users continue to click on simulated phishing attacks. Consequences include counseling from a manager or IT department, additional training, and removal of access to systems, but also termination (11% of orgs) and a monetary penalty (5% of orgs).

Most end users know what phishing is, but only 16% of them know what smishing is. “As more and more employees use smartphones to connect to corporate systems and data, the potential ramifications of an uneducated workforce should not be ignored,” the researchers pointed out.

HelpNetSecurity
