What are the most successful phishing scams? Warnings about undelivered parcels? Security alerts that require users’ immediate attention? Documents that have been shared by contacts?
According to a recent analysis by anti-phishing solution provider PhishMe, the most successful phishing scams, which have almost a 20% success rate, involve the use of entertainment-based triggers to get users to take the desired action.
For its analysis, the PhishMe team analyzed the results of more than 52 million phishing simulation exercises conducted using PhishMe Simulator, the company’s phishing simulation platform. The platform allows organizations to conduct simulated phishing campaigns to test the effectiveness of their security awareness training programs, to give employees practice at identifying phishing emails in a safe environment, and to identify weak links: employees who require further security awareness training.
The data were taken from phishing simulations run between January 2015 and July 2017 in more than 50 countries at more than 1,400 organizations. The results of the firm’s analysis were published in its recent 2017 Enterprise Phishing Resiliency and Defense Report.
In previous years, the most common emotional motivators behind successful phishing attacks were urgency, curiosity, and fear; however, this year it was entertainment, social media and reward/recognition that were the most successful motivators.
Parking ticket scams, delivery issues, and security alerts use fear to elicit a response. Orders and cancelled transactions use urgency, while final versions of documents and refunds for purchases rely on employees’ curiosity. These scams are commonly tested in phishing simulations, and employees are now much better at identifying them.
However, there has been an increase in susceptibility to entertainment-related phishes, such as emails including links to news (and fake news) sites, social media updates, and links to entertainment sites such as Netflix. These are often omitted from organizations’ phishing simulation exercises because they are consumer scams.
The report shows that the most commonly reported phishing emails are those that contain malicious URLs, and the biggest entertainment-related scams were holiday eCard alerts. Employers should note that these consumer-focused phishing scams are often sent to work email addresses.
The report shows that increased training and raised awareness of the threat from phishing is helping organizations to effectively mitigate the threat from phishing. Susceptibility rates are on the decline and repeated phishing simulation exercises have helped employees to improve their phishing email identification skills. For the third consecutive year, PhishMe customers have experienced a fall in susceptibility rates, with this year seeing a further 5% reduction. Organizational susceptibility has fallen from 14.1% in 2015 to 10.8% in 2017.
Reporting rates are also up, showing that PhishMe customers are developing a security culture in which phishing emails are reported, allowing security teams to take prompt action to mitigate new threats. There has been a 6% increase in reporting, thanks to the one-click PhishMe Reporter, which makes reporting emails a quick and easy process.
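The metrics the report is built on, susceptibility (share of recipients who clicked) and reporting rate per trigger category, and the "weak link" identification the simulation platform is described as supporting, can be computed from per-employee simulation outcomes. The following is an added example written for this article, not PhishMe code; the employee names, trigger categories and outcomes are constructed sample data.

```python
from collections import defaultdict

# Constructed sample records from hypothetical phishing simulations.
# Each record: (employee, trigger category of the simulated email, action),
# where action is "clicked", "reported" or "ignored".
SIMULATION_RESULTS = [
    ("alice", "fear", "reported"),
    ("bob", "fear", "clicked"),
    ("carol", "fear", "ignored"),
    ("dave", "fear", "reported"),
    ("alice", "urgency", "reported"),
    ("bob", "urgency", "ignored"),
    ("carol", "urgency", "reported"),
    ("dave", "urgency", "ignored"),
    ("alice", "entertainment", "clicked"),
    ("bob", "entertainment", "clicked"),
    ("carol", "entertainment", "ignored"),
    ("dave", "entertainment", "reported"),
]


def rates_by_trigger(results):
    """Return {trigger: (susceptibility_pct, reporting_pct)} per category.

    Susceptibility is the percentage of recipients who clicked; reporting
    rate is the percentage who reported the simulated phish.
    """
    counts = defaultdict(lambda: {"clicked": 0, "reported": 0, "total": 0})
    for _, trigger, action in results:
        counts[trigger]["total"] += 1
        if action in ("clicked", "reported"):
            counts[trigger][action] += 1
    return {
        trigger: (round(100 * c["clicked"] / c["total"], 1),
                  round(100 * c["reported"] / c["total"], 1))
        for trigger, c in counts.items()
    }


def repeat_clickers(results, threshold=2):
    """Employees who clicked in at least `threshold` simulations: the
    'weak links' who are candidates for further awareness training."""
    clicks = defaultdict(int)
    for employee, _, action in results:
        if action == "clicked":
            clicks[employee] += 1
    return sorted(e for e, n in clicks.items() if n >= threshold)


if __name__ == "__main__":
    for trigger, (susc, rep) in rates_by_trigger(SIMULATION_RESULTS).items():
        print(f"{trigger:14s} susceptibility {susc:5.1f}%  reporting {rep:5.1f}%")
    print("repeat clickers:", repeat_clickers(SIMULATION_RESULTS))
```

In the constructed data the entertainment trigger shows the highest susceptibility and lowest reporting rate, mirroring the pattern the report describes, and one employee is flagged for follow-up training.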
Reducing susceptibility is vital, as phishers have been increasing their efforts. This year has seen a 65% increase in worldwide phishing attacks, showing phishing continues to be the number one cyberthreat faced by organizations.
“Phishing attacks have the ability to skirt technology and target human emotion, making it imperative that organizations empower their employees to be part of the solution. Our analysis continues to show that conditioning employees to recognize and report on phishing attempts lowers susceptibility, which is proof that progressive anti-phishing programs keep organizations safer,” said Aaron Higbee, CTO and co-founder at PhishMe.