Which Phishing Messages Have A Near 100% Click Rate?

Training employees to spot phishing emails, messages and phone calls can’t be done just once or once a year if the organisation wants to see click rates decrease.

For one thing, employees come and go (and change roles) with regularity. Secondly, threats change over time. Thirdly, knowledge and practices that aren’t regularly reinforced will be lost. And, finally, awareness isn’t the same as knowledge.

“Just knowing a threat exists isn’t the same as knowing how to recognize and respond to a threat when it presents itself. In-depth education about phishing prevention is needed to create lasting behavior change,” Wombat Security researchers point out.

The statistics included in the company’s latest annual State of the Phish report show the difference made by both the tools used to train end users to recognise and avoid phishing attacks and how often they are used.

In the US, most organisations use computer-based online security awareness training and simulated phishing attacks to train employees, while UK organisations generally opt for more passive training methods over hands-on practice:


 
Also, 46 percent of US organisations use those tools biweekly or monthly, while UK organisations do that in just 21 percent of cases.

As a result, 61 percent of US organisations see quantifiable results from these efforts, compared to 28 percent of UK orgs.

You also might find yourself tempted by a “set it and forget it” security awareness training program, the researchers noted, but that’s not ideal. “When you plan and schedule your phishing tests months (or even years) in advance, you lose the ability to be responsive to emerging threats and to tailor activities based on your results.”

Other interesting findings

The company based the report on data from tens of millions of simulated phishing attacks, and they found that:

  • Personalised phishing tests (personalised email address, first name or last name) are no more effective than non-personalised ones.
  • End users are most likely to report suspicious emails in the middle of the week.
  • The topics and themes that are most tempting to end users are “online shopping security updates,” “corporate voicemail from an unknown caller,” and “corporate email improvements.”
  • Two simulated phishing templates had a near 100% click rate: one that masqueraded as a database password reset alert, and another that claimed to include an updated building evacuation plan.
  • Organisations in the telecommunications, retail, consumer goods, government, and hospitality industries have, on average, the worst click rate (15% to 13%), while those in the energy, finance, transportation and defense industrial base industries have the best (8% to 3%).
  • Average click rates fell across all four categories (corporate, commercial, cloud and consumer emails) this year in comparison to 2016.

 The researchers particularly saw a significant improvement in click rates on cloud-based templates (business-related emails include messages about downloading documents from cloud storage services, or going to an online sharing service to create or edit a document).


 
Surveys of infosec professionals and end users also revealed that:

  • On average, 53% of infosec professionals reported experiencing spear phishing in 2017.
  • 95% of organisations train end users on how to identify and avoid phishing attacks.
  • 45% of organisations said there are ramifications if their users continue to click on simulated phishing attacks. Consequences include counseling from a manager or IT department, additional training, and removal of access to systems, but also termination (11% of orgs) and a monetary penalty (5% of orgs).

Most end users know what phishing is, but only 16% of them know what smishing is. “As more and more employees use smartphones to connect to corporate systems and data, the potential rami cations of an uneducated workforce should not be ignored,” the researchers pointed out.

HelpNetSecurity

You Might Also Read: 

British IT Bosses Fear Sophisticated Cyber Threats:

Phishing Is  The Top Cyberattack Vector In 2017:

 

« GDPR – Two Thirds of Organisations Aren’t Ready
UK Think Tanks Hacked by Groups in China »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Palo Alto Networks

Palo Alto Networks

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate.

Logpoint

Logpoint

Logpoint is a creator of innovative security platforms to empower security teams in accelerating threat detection, investigation and response with a consolidated tech stack.

OCERT

OCERT

OCERT is the National Computer Emergency Response Team of Oman.

Chubb

Chubb

Chubb is the world’s largest publicly traded property and casualty insurer. Commercial services include Cyber Risk insurance.

Bayshore Networks

Bayshore Networks

Bayshore Networks was founded to safely and securely protect Industrial IoT (IIoT) networks, applications, machines and workers from cyber threats.

RiskSense

RiskSense

RiskSense empowers enterprises and governments to reveal cyber risk, quickly orchestrate remediation, and monitor the results.

Coro Cybersecurity

Coro Cybersecurity

Coro (formerly Coronet) empowers organizations to protect against malware, ransomware, phishing, and botnets - across devices, users, and cloud applications.

WISeKey

WISeKey

WISeKey is a leading cybersecurity company currently deploying large scale digital identity ecosystems for people and objects using Blockchain, AI and IoT.

Augusta HiTech

Augusta HiTech

Augusta Hitech is a focused product development, software services and technology consulting company. Our Vision is to become the most socially impactful and innovative technology company in the world

OffSec

OffSec

OffSec have defined the standard of excellence in penetration testing training. Elite security instructors teach our intense training scenarios and exceptional course material.

Protek International

Protek International

Protek International delivers world-class Digital Forensics, eDiscovery, Cyber Security, and related Advisory services.

VikingCloud

VikingCloud

VikingCloud (formerly Sysnet Global Solutions) offers organizations an integrated cybersecurity and compliance solution to make informed, predictive, and cost-effective risk mitigation and prevention

Infinidat

Infinidat

Infinidat delivers enterprise-proven solutions for data storage, data protection, business continuity, and sovereign cloud storage.

MillenniumIT ESP (MIT ESP)

MillenniumIT ESP (MIT ESP)

MillenniumIT ESP provides solutions and services around Core Infrastructure, Cloud, Cyber Security, Enterprise Applications, Intelligent Automation and Data, Smart Buildings, and Managed Services.

Qrypt

Qrypt

Qrypt has developed the only cryptographic solution capable of securing information indefinitely with mathematical proof as evidence.

OptimEyes.ai

OptimEyes.ai

OptimEyes.ai is a unique AI-powered, on-demand SaaS solution for cyber-security, data privacy and compliance risk modeling.