Focus on Phishing: Diving Deep into A Persistent Threat

We wanted to explore the average employee's awareness of phishing as part of our 2018 State of Privacy and Security Awareness Report. Here's what we found.

Our recently released 2018 State of Privacy and Security Awareness Report found that 75% of U.S. employees lack at least some awareness toward threats to cybersecurity and data privacy. As part of this research, we asked a variety of questions to test respondents’ knowledge of phishing emails. To call further attention to this threat, and to recognize National Cybersecurity Awareness Month (NCSAM), we’re presenting the phishing-awareness-specific findings from the report.

The dangers of phishing attacks are difficult to overstate.

According to the 2018 Verizon Enterprises Data Breach Investigations Report, 92% of malware was still delivered by email. Researchers at Symantec have found that the average person gets 16 malicious emails per month. From attacks on hospitals that invade and exploit personal healthcare information to those hitting banks and other financial institutions, no industry is immune to this threat.

Report after report continues to show both the prevalence of this specific form of social engineering and its enduring success. After all, cybercriminals wouldn’t keep hitting this attack vector if it weren’t getting them what they want: access to valuable sensitive data through malware intrusion or simply tricking people into sending this information directly.

Our Phishing Findings

With phishing this much of a threat, we wanted to explore the average employee’s ability to identify phishing emails in an everyday, office-based scenario.

As part of our 2018 State of Privacy and Security Awareness Report, we asked respondents to mark four example emails as either legitimate or phishing attempts. 14% of employees failed to identify true phishing emails. For the second year in a row, an email purporting to be from a famous investor offering a hot stock tip proved to be the trickiest, with one out of five respondents failing to report it as phishing.

Unfortunately, the data shows an overall decline this year in respondents’ ability to correctly identify email phishing attempts compared with last year. Eight percent of respondents last year showed risky behavior when it came to phishing emails, compared to this year’s 14%.

Broken down by job level, nearly a quarter of respondents who described themselves as management-level or above (23%) showed a lack of awareness of the phishing examples presented, performing far worse than their entry- and mid-level counterparts (11%). Across the industries we analyzed, financial sector employees showed the riskiest behaviors, with a quarter of respondents in this segment lacking the ability to recognize at least one of the four phishing attempts presented. Interestingly, 38% of finance employees marked the sample phishing attempt describing a stock tip from a famous investor as legitimate.

Phishing Knowledge Check

We also asked general knowledge, multiple-choice questions about phishing to dive deeper into the average employee’s knowledge of this most widespread cyberthreat. The questions, answers, and results were as follows:

Overall, these questions revealed a reasonable level of knowledge among the average employee represented in the survey, but there were areas where improvements are needed. Some weak spots included:

  • Though the vast majority of respondents overall (81%) correctly chose to report a suspected phishing email to their IT teams, this still leaves 18% who elected to either open an unexpected attachment (10%) or click a link in a suspected phishing email to see where it goes (8%). Either of these actions could compromise a company’s network, leading to leaked sensitive data or malware intrusion.
  • Management and higher performed worse than their entry- and mid-level counterparts when asked what they should do with a suspected phishing email (69% vs. 86% choosing the correct answer). Specifically, nearly one in six management-level respondents (17%) chose to open an unexpected attachment connected to a suspected phishing email.
  • Only 58% of respondents overall could define business email compromise (BEC), suggesting a concerning lack of awareness surrounding this common social engineering tactic.
  • Only 53% of respondents who self-described as management or above correctly identified BEC, faring worse than those in entry- or mid-level positions (59%).
  • Overall, finance employees fared the worst on these questions. Nineteen percent of financial sector employees thought opening an unexpected attachment was an appropriate response to a suspected phishing email, while 16% chose to click a link in such an email to investigate its legitimacy.

Why You Should Care

Given the ubiquity of phishing emails, any lack of awareness concerning this cyberthreat should be cause for worry. As the authors of the DBIR wrote in their 2018 report (in which 96% of breaches and other incidents were tied to phishing emails), “The vampire only needs one person to let them in.”

In particular, the scourge of BEC, which relies on emails spoofing requests by higher-ups to send tax information and other sensitive data, shows no signs of letting up. According to the FBI, BEC-related financial losses have reached $12.5 billion globally. Long story short: suspected phishing emails are nothing to take lightly.

This lack of phishing awareness is troubling for two reasons. One, phishing as a threat is not going away any time soon. Even with new ransomware and malware strains evolving daily, phishing attacks will likely remain the number one way for them to gain access to networks.

Two, susceptibility to phishing can represent a fundamental lack of understanding when it comes to security best practices in other areas. Think of it as a symptom of a larger problem, just as coughing, sneezing, and a headache are often symptoms of a cold. If an employee falls for a phishy email, it’s not unreasonable to suspect that that employee may not take the safest steps when it comes to social media use, for example, or know the importance of using a VPN while working remotely.

In other words: Phishing could be just the start. This is why security awareness education covering a wide variety of topics is so important. We designed our larger State of Privacy and Security Awareness survey and report to examine the elements the average employee should at least have a working knowledge of. Ideally, the topics we covered in our report should be the elements of a fully-fledged security awareness program. The breadth of cyberthreats is wide and only getting bigger. Your employee awareness efforts need to keep up.

The training content found within our LearningLAB platform has the variety you need to keep your employees informed of most any cyber risk they’d be faced with. Check out our course catalog or get in touch to see a demo.
