In the study, white hat hackers at Positive Technologies posed as real attackers and sent three groups of employees different forms of phishing email. One group received emails with a link to a webpage requesting credentials, another received emails with both an attachment and a link to a webpage, and the final group received just an attachment.
27% of the first group fell victim to the email and clicked the link, 15% of the second group fell victim to an attachment and a link to a website, and 7% of the third group fell victim to an email where they were prompted to download a file from the webpage. In this case, nothing happened, as the links were safe. In a real attack, however, these employees would have placed the company at considerable cyber risk.
From the above statistics, it is clear that each additional action makes a user more suspicious. That is a good sign, because attachments often cause more damage than links, but it is still a worrying statistic, and it reinforces the point that employees are the weakest link in a cybersecurity network.
Yet it is also important to note that employees are not completely unaware. Emails sent from fake companies had only an 11% success rate, whereas official-looking emails from real companies fooled 33% of employees.
Some of the most successful test emails in this study had a subject line about ‘Firing’, ‘Bonus’ or ‘Wage Increase’. These subject lines prompt an employee to open the email without paying close attention to the file they are asked to download or the link they are asked to open.
The best way to defend yourself against phishing attacks is to always be alert. Before opening any unknown attachment or link, check that it is safe; you can do this by scanning attachments with an anti-virus. If you are still not sure about the contents of an email, send it to your IT department: it is much better to be safe than sorry.
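As an added, defender-side example (not part of the original post), the Python script below applies the checks this section recommends to a message before anyone opens it: it flags the lure subject lines the study names, risky attachment types, a sender domain outside the organisation, and links whose visible text does not match their real destination. The sample message, the trusted-domain set and the extension list are constructed for the demonstration and are not from the study.

```python
"""Phishing triage helper: lists red flags in a raw email message.
Added example; the sample message, domains and keyword lists are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject words the study reports as effective lures.
LURE_WORDS = ("firing", "bonus", "wage increase")
# Attachment types that commonly carry executable content (constructed list).
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso")
# Hypothetical domains the organisation treats as internal.
TRUSTED_DOMAINS = {"example-corp.com", "portal.example-corp.com"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_domain(msg):
    """Return the domain of the address in the From: header (empty if absent)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def triage(raw_bytes):
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    subject = (msg.get("Subject") or "").lower()
    hits = [w for w in LURE_WORDS if w in subject]
    if hits:
        findings.append("lure subject: " + ", ".join(hits))

    dom = sender_domain(msg)
    if dom and dom not in TRUSTED_DOMAINS:
        findings.append("external sender: " + dom)

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append("risky attachment: " + name)

    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            target = (urlparse(href).hostname or "").lower()
            # Visible text that looks like a host/URL but points somewhere else.
            shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text.lower())
            if shown and shown.group(1) != target:
                findings.append("link text '%s' points to %s" % (text, target))
            elif target and target not in TRUSTED_DOMAINS:
                findings.append("external link: " + target)
    return findings


def build_sample():
    """Constructed phishing-style message combining an attachment and a link."""
    m = EmailMessage()
    m["From"] = "HR Department <hr@example-corp-payroll.com>"   # lookalike domain
    m["To"] = "staff@example-corp.com"
    m["Subject"] = "Wage increase: confirm your details"
    m.set_content("Please open the attachment.")
    m.add_alternative(
        '<p>Log in at <a href="http://198.51.100.7/login">'
        "https://portal.example-corp.com</a></p>", subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="bonus_letter.docm")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("-", finding)
```

Run it as a script and it lists the four findings for the constructed message; on a clean internal message `triage()` returns an empty list. The link check is the one most worth keeping in mind: the visible text shows the company portal, but the `href` points at an unrelated address, which is exactly the mismatch a hurried reader of a ‘Wage Increase’ email is unlikely to notice.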
You can also read our other blogs on phishing to learn more about past phishing attacks and how to protect yourself: