Nine in ten employees likely to fall foul of a phishing scam
Nearly nine out of ten employees are likely to open a phishing email on the same day they receive it, according to new research.
87 per cent of employees would open a phishing email on the same day it is sent, according to new research from phishing intelligence firm PhishMe.
The firm sent eight million simulated phishing emails to more than 3.5 million employees over a thirteen-month period, spanning 23 industries globally.
PhishMe’s findings indicated that greater strides need to be taken to ensure employees are fully educated on the nature of threats posed by phishing attacks and how they can be avoided.
In addition to the significant majority of employees opening phishing emails within the first few hours of receiving them, 67 per cent were likely to repeat their mistake and open further phishing emails.
Most employees responded to phishing emails in the morning, with the number of replies peaking at approximately 8am local time. The most successful phishing campaigns used business communication themes.
The most successful methods were emails with the subject lines ‘File from Scanner’ or ‘Unauthorised activity/access’, which were accessed by 36 and 34 per cent of respondents respectively.
Phishing emails were also most commonly opened on a Wednesday.
PhishMe discovered that, although employees are seen as a weak link in IT security, raising their awareness and conducting “behavioural conditioning” resulted in a 97 per cent decrease in employee susceptibility to phishing attacks after just four simulations.
“Analytics resulting from the report reveal three very pertinent conclusions,” said PhishMe CEO and co-founder Rohyt Belani.
“Enterprises remain vulnerable to phishing-driven compromises, they need to place more reliance on employees to help them defend their organisations, and consistent training turns employees into informants that can spot attacks before they turn into catastrophes.”
PhishMe advocated internal use of simulated phishing activities by companies to find out the sort of threats their employees were most susceptible to, before providing training on context, content and themes to look out for.