Which Phishing Messages Have A Near 100% Click Rate?

Training employees to spot phishing emails, messages and phone calls can’t be done just once or once a year if the organisation wants to see click rates decrease.

For one thing, employees come and go (and change roles) with regularity. Secondly, threats change over time. Thirdly, knowledge and practices that aren’t regularly reinforced will be lost. And, finally, awareness isn’t the same as knowledge.

“Just knowing a threat exists isn’t the same as knowing how to recognize and respond to a threat when it presents itself. In-depth education about phishing prevention is needed to create lasting behavior change,” Wombat Security researchers point out.

The statistics included in the company’s latest annual State of the Phish report show the difference made both by the tools used to train end users to recognise and avoid phishing attacks and by how often those tools are used.

In the US, most organisations use computer-based online security awareness training and simulated phishing attacks to train employees, while UK organisations generally opt for more passive training methods over hands-on practice:

Also, 46 percent of US organisations use those tools biweekly or monthly, while only 21 percent of UK organisations do.

As a result, 61 percent of US organisations see quantifiable results from these efforts, compared to 28 percent of UK orgs.

You also might find yourself tempted by a “set it and forget it” security awareness training program, the researchers noted, but that’s not ideal. “When you plan and schedule your phishing tests months (or even years) in advance, you lose the ability to be responsive to emerging threats and to tailor activities based on your results.”

Other interesting findings

The company based the report on data from tens of millions of simulated phishing attacks, and they found that:

  • Personalised phishing tests (personalised email address, first name or last name) are no more effective than non-personalised ones.
  • End users are most likely to report suspicious emails in the middle of the week.
  • The topics and themes that are most tempting to end users are “online shopping security updates,” “corporate voicemail from an unknown caller,” and “corporate email improvements.”
  • Two simulated phishing templates had a near 100% click rate: one that masqueraded as a database password reset alert, and another that claimed to include an updated building evacuation plan.
  • Organisations in the telecommunications, retail, consumer goods, government, and hospitality industries have, on average, the worst click rate (15% to 13%), while those in the energy, finance, transportation and defense industrial base industries have the best (8% to 3%).
  • Average click rates fell across all four categories (corporate, commercial, cloud and consumer emails) this year in comparison to 2016.

The researchers saw a particularly significant improvement in click rates on cloud-based templates (business-related emails that include messages about downloading documents from cloud storage services, or about going to an online sharing service to create or edit a document).

Surveys of infosec professionals and end users also revealed that:

  • On average, 53% of infosec professionals reported experiencing spear phishing in 2017.
  • 95% of organisations train end users on how to identify and avoid phishing attacks.
  • 45% of organisations said there are ramifications if their users continue to click on simulated phishing attacks. Consequences include counseling from a manager or IT department, additional training, and removal of access to systems, but also termination (11% of orgs) and a monetary penalty (5% of orgs).

Most end users know what phishing is, but only 16% of them know what smishing is. “As more and more employees use smartphones to connect to corporate systems and data, the potential ramifications of an uneducated workforce should not be ignored,” the researchers pointed out.

HelpNetSecurity
