A significant number of employees are still falling for phishing scams, according to the results of a global test by a Canadian-based firm.
Seven per cent of all end users who participated in the 2022 Gone Phishing Tournament run by Quebec’s Terranova Security clicked on the link in the phishing email. Three per cent of them — 44 per cent of clickers — failed to recognize the warning signs on the simulation’s webpage and proceeded to enter their credentials on the malicious site.
“To put these numbers into perspective,” said company chief information security officer (CISO) Theo Zafirakos, “if an enterprise-level organization of 10,000 employees had been targeted with a phishing scam like the one depicted in the simulation, 700 employees would have clicked on the phishing link and over 300 of those clickers would have entered their password, which can be used to compromise systems and sensitive information. Given our reliance on online systems and data to conduct many business transactions and services, this reality is concerning.”
Terranova Security is part of Fortra LLC of Minneapolis. The simulation, which was done in October, was co-sponsored by Microsoft. The annual test, which has a different format every year, saw over 250 organizations in several countries agree to have their employees sent phishing emails. A total of 1.2 million messages were sent in 21 languages.
The report, with full results of the test, is available here. Registration is required.
Though the 2022 Gone Phishing Tournament simulation was deemed easier than in previous years, Terranova said in a news release, the click rate and web form submission rate should, for that very reason, still be considered high.
The three per cent failure rate was a significant improvement when compared against results from 2021 and 2020, where 14.4 per cent and 13.4 per cent of end users, respectively, would’ve completed an action that compromised sensitive information in the simulation.
“These findings underscore why building an engaging security awareness training program that leverages hands-on, practical exercises like phishing simulations is essential,” says the report. “Technical infrastructure like firewalls, endpoint security, and even phishing report buttons in a corporate email client can’t guarantee information security.”
Microsoft supplied this year’s email and webpage templates, designed to imitate a real-world scenario that many employees experience: a gift card scam. The scenario, selected by the Terranova Security leadership team, measured several end-user behaviors, such as clicking on a link in the body of a phishing email and entering credentials into a form on a phishing webpage.
If users clicked on the link in the phishing simulation’s email, they were redirected to a landing page, which prompted them to enter credentials that, had the simulation been an actual attack, would have been compromised. If users completed this second step, they were brought to a phishing simulation feedback page highlighting the warning signs they missed and the best practices they should follow.