IT and DevOps teams are as likely to click phishing emails as everybody else

One can learn a lot by phishing 82 402 people, such as which tactics work best, which is why F-Secure did just that as part of its latest study.

The study, titled To Click or Not to Click: What we Learned from Phishing 80 000 People, can be read in full here (pdf).

The study was conducted by sending individuals from four different organisations four simulated phishing emails. The emails were based on the most common phishing tactics used by cybercriminals, namely:

  • CEO Fraud
  • Internal HR Mimic
  • Document Share
  • Service Issue Notifications

“If the individual clicked on the link, they were taken to a web page informing them that the email was part of a simulation and provided a short survey that explored some of these factors. Those individuals that filled out the survey were provided with point in time training, explaining how to identify malicious emails in the future,” reports F-Secure.

The most successful tactic was impersonating HR by way of an email about vacation time. This tactic saw 22 percent of recipients clicking the link in the malicious email. By comparison, emails claiming to be from the CEO were clicked by only 16 percent of recipients.

Document Share and Service Issue Notifications were the least successful, drawing in 7 percent and 6 percent of recipients respectively.

Perhaps the most concerning result of the study is that recipients in IT and DevOps teams were almost as likely to click phishing emails as everyone else. In one company, 26 percent of DevOps staff and 24 percent of IT staff clicked a malicious email, compared with 25 percent of the organisation as a whole.

Furthermore, the study found that these departments were no better at reporting phishing attempts than others. In one organisation, IT and DevOps teams came third and sixth out of nine departments in terms of reporting. In another organisation, DevOps was the twelfth best at reporting out of seventeen departments, while IT was fifteenth.

“The privileged access that technical personnel have to an organisation’s infrastructure can lead to them being actively targeted by adversaries, so advanced or even average susceptibility to phishing is a concern,” explained F-Secure Service Delivery Manager, Matthew Connor.

“Post-study surveys found that these personnel were more aware of previous phishing attempts than others, so we know this is a real threat. The fact that they click as often or more often than others, even with their level of awareness, highlights a significant challenge in the fight against phishing,” Connor adds.

One of the main takeaways for F-Secure from this study was that reporting suspected phishing needs to be made more efficient.

The study found that within the first minute of a phishing email being received, three times as many people had clicked the malicious link as had reported the email.

One organisation which gives employees the option to report phishing with a single click saw 47 percent of its participants making use of that reporting process. Yes, there is a long way to go, but with regular training and simple reporting, the fight can be fought.

“The evidence in the study clearly points to fast, painless reporting processes as common ground where security personnel and other teams can work together to improve an organization’s resilience against phishing,” explains F-Secure director of consulting, Riaan Naude.

We should make it clear that cybercriminals outnumber cybersecurity teams, so the bad guys will always have the upper hand when it comes to creating new schemes. It is therefore vital that firms invest in training and security solutions that make fighting cybercrime easy for the entire organisation.

[Image – CC 0 Pixabay]
