Phishing is big business for cyber criminals. According to PhishMe’s Enterprise Phishing Resiliency and Defense Report 2017, phishing attacks rose by 65% last year, with the average attack costing mid-sized companies $1.6 million (about £1.2 million).
This is despite many respondents claiming that they are no longer fooled by cyber criminals’ most common techniques to trick people into clicking malicious links and opening emails. Experts say that phishing attacks are most successful when they create a sense of urgency, fear or curiosity, but these were near the bottom of a list of self-reported motivations:
- Entertainment: 19.5%
- Social: 16.0%
- Reward/recognition: 11.9%
- Job function: 11.8%
- Urgency: 10.7%
- Fear: 10.4%
- Opportunity: 7.8%
To see how true these findings were, PhishMe created a series of simulated phishing emails based on each factor.
The most lucrative scams across the top three motivators (entertainment, social and reward/recognition) were clicked on about 15%–25% of the time. Holiday e-card alerts were the most successful scam (24.8%), followed by rewards programmes (22.3%), various other celebratory e-cards and employee satisfaction surveys (17.2%).
These pale in comparison to almost all scams that prey on fear, urgency and curiosity. PhishMe’s simulated email from a bar association claiming that a grievance had been filed against the recipient was the most successful scam, being clicked on 44% of the time. The next three most successful scams also came from these categories: an email claiming the recipient could claim medical insurance (39.2%), an email purportedly from an accountancy firm claiming a complaint had been filed against the recipient (34.2%) and a message about an apparent Ebola outbreak (27.9%).
It’s bad enough that people are falling for these scams, but they are also struck by the Dunning–Kruger effect. The subjects of this study know enough about phishing to believe they aren’t fooled by the scams’ attempts to make them fearful, hurried or curious, but they don’t know enough to spot and avoid such emails when they receive them.
PhishMe writes that people may think that the frequency of phishing emails using the same techniques has “conditioned [them] to spot work-related scams”, but its report suggests that the most successful attacks are the ones that target people’s personal lives.
This could be incredibly perilous for employers, as staff often fall for these tricks while at work. “Employees will take a break to do personal business online, so you can expect work and home email to continue blurring,” the report says. “Personal devices in the workplace often have multiple email accounts – the source of an email may not be distinguished as it should.”
Help your staff avoid phishing attacks
Organisations can reduce the threat of phishing with technological defences such as spam filters, but these won’t always be 100% successful. Employees will therefore inevitably receive some phishing emails, and they need to be aware of the extent of the problem. PhishMe’s report shows how true the phrase ‘a little bit of knowledge is a dangerous thing’ can be. If employees aren’t fully educated on phishing, they are liable to underestimate the threat.
Staff awareness courses can help organisations stay secure, but only if they cover the threat comprehensively and effectively. Our Phishing Staff Awareness Course helps employees identify and understand phishing scams, explains what happens when people fall victim and shows them how to mitigate the threat of an attack.
You might also benefit from a Simulated Phishing Attack, which will establish how vulnerable your staff are to phishing emails and can help you:
- Satisfy compliance and regulatory requirements;
- Adapt future testing to areas and employees of greatest risk; and
- Reduce the number of employee clicks on malicious emails.