A new enterprise phishing resiliency and defense report from PhishMe confirms phishing campaigns increased by 65% in 2017.
As PhishMe (now Cofense) explains in the report, the rise in phishing attacks is easy to explain. Phishing attacks are an easy and low-cost way for hackers to make money. For businesses, the danger of phishing is clear. A typical phishing attack on a mid-sized company costs $1.6 million to resolve, according to research conducted by Cloudmark. Figures from the FBI suggest the global cost of business email compromise attacks alone was $5 billion between 2013 and 2016.
The report was compiled using data collected through the PhishMe suite of products. These include the PhishMe Simulator phishing email simulation service; PhishMe Reporter – a one-click way for employees to report suspicious emails; PhishMe Triage – an automated analysis package that assesses and prioritizes reported emails; and the PhishMe Intelligence threat intelligence service that alerts customers to new phishing threats.
The report shows that educating the workforce about phishing and conducting regular training can greatly reduce user susceptibility to phishing attacks. When this is combined with phishing simulation exercises, susceptibility to phishing attacks can fall by as much as 95%.
This year’s report shows user susceptibility to phishing attacks is continuing to fall. In 2015, the aggregated organizational susceptibility rate was 14.1%. The rate fell to 12.9% in 2016 and 10.8% in 2017. These figures show that organizations become more secure as their anti-phishing program matures. A mature anti-phishing program involves ongoing training and phishing simulations that become increasingly difficult.
Other reports from anti-phishing solution providers similarly show that phishing susceptibility can be reduced to under 5%, but those percentages can easily give organizations a false sense of security.
PhishMe cites the experience of one client who launched a PhishMe training and simulation campaign on its 4,500 employees around the world. It too managed to reduce susceptibility rates to 5%. Once that milestone had been reached, the company decided to raise the bar further and started conducting campaigns targeting specific departments. While the overall susceptibility rate was 5%, the department-specific campaigns revealed some departments still had susceptibility rates of 40%.
Those figures showed its training program needed to evolve. The firm has taken action and increased training for susceptible groups, and increased the difficulty of its phishing simulations. The firm is now able to keep up with the complexity of today’s attacks.
The report also revealed what types of phishing emails are proving the most successful. Attacks on businesses that target employees as consumers are proving to be the most effective, in particular entertainment and social scams. Many phishing awareness campaigns conducted by businesses use work-related phishing emails for their simulations.
Employees may be much better at identifying these types of scams, giving employers a false sense of confidence. The reality could be that employees are very bad at spotting the consumer-related scams. Most businesses do not use these consumer-related emails in their phishing simulations.
The top consumer-focused scams that had the highest susceptibility rates were holiday e-card alerts, new rewards programs, Ebola outbreaks, bed bugs bulletins, funny pictures, and Thanksgiving recipes.
The 2017 Phishing Resiliency and Defense Report can be downloaded from PhishMe.