These 7 Big Factors Complicate a Company’s Phishing Risk Calculus

When looking at the cyber attack risks that businesses face today, phishing tops the chart. It’s a problem that also just keeps getting worse – 84% of businesses in a new study said that they were the victims of a successful phishing attack in 2021, a 15% increase over the same 12-month period in 2020.  Phishing attacks are also growing more sophisticated thanks in part to abundant dark web data that helps the bad guys shape effective campaigns.  In this flood of phishing, it’s critical that employees are aware of phishing threats and able to make the right choices when faced with a suspicious email.  Unfortunately, all too often that isn’t the case, leading to a cybersecurity nightmare for their employers.


These 7 Factors Have a Major Impact on Phishing-Related Security 

An estimated 65% of insider threat incidents are caused by employee actions around phishing.  Understanding the risk factors that can drive good and bad employee decision-making around phishing can help organizations gain a clear picture of their phishing risk.

1. The Permanent X-Factor: Human Error 

Human error is the culprit in an estimated 90% of security breaches according to IBM’s X-Force Threat Intelligence Index.  Those errors range from sending a coworker a file they’re not authorized to see to downloading a malicious attachment from a phishing email.  One-fifth of employees admit to making mistakes at work, such as falling for phishing tricks that led them to interact with malicious messages, and the remaining risk factors below all shape how likely that behavior is.

2. The Lure of Social Engineering Traps 

Just like any other business, cybercriminal gangs are always looking for ways to maximize efficiency, and phishing fits the bill.  It’s the cheapest, easiest, and most effective way to penetrate a company’s security.  Of course, it’s also something that evolves just like any other business process, with changing techniques, increasing sophistication, and new traps making it hard for companies to keep up.  It’s also hard for everyone else to keep up – 97% of employees are unable to spot a sophisticated phishing email.  Clicking on a phishing email is the most likely way that an employee will cause a security breach. In a Stanford University study, researchers determined:

  • One in four employees (25%) said they have clicked on a phishing email at work
  • Nearly 45% of respondents cited distraction as the top reason for falling for a phishing scam
  • Around 50% of employees are sure that they have made an error that led to a security incident

3. Careless Handling of Attachments 

Attachments are the bane of IT teams: employees are regularly faced with convincing phishing schemes that rely on them.  An estimated 48% of malicious email attachments are disguised as a routine file, running the gamut from a termination notice to a list of charitable resources.  This was recently illustrated by a flood of phishing around charitable relief for Ukrainians in the wake of the Russian invasion.  Microsoft Office formats like Word, PowerPoint, and Excel are popular file types for cybercriminals to use when transmitting malware via email, accounting for 38% of phishing attacks. The next most popular delivery method is archive files such as .zip and .jar, which account for about 37% of malicious transmissions.
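As an added illustration (example code written for this edit, not part of the original article or of any vendor product), the Python below triages the attachments of a constructed phishing-style message along exactly these lines: it walks the MIME structure and, for each attachment, flags Office documents that carry a VBA macro project, archives that hide an executable, and double extensions such as invoice.pdf.exe. The sample message, the extension lists and the risk labels are assumptions chosen for the demonstration, not an industry standard.

```python
"""Attachment triage for a suspected phishing email (added example).

Parses a constructed .eml message, walks its attachments and scores each one
by the delivery patterns the article describes: Office documents (with a
check for an embedded VBA project) and archives (with a check for executables
hidden inside), plus the classic double-extension trick.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extension groups: an assumed gateway policy for this example, not a standard.
OFFICE_EXTS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".pptm"}
ARCHIVE_EXTS = {".zip", ".jar", ".7z", ".rar", ".iso"}
EXEC_EXTS = {".exe", ".scr", ".js", ".vbs", ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".lnk", ".msi"}


def ext_chain(name):
    """'invoice.pdf.exe' -> ['.pdf', '.exe'], so double extensions are visible."""
    return ["." + p for p in name.lower().split(".")[1:]]


def last_ext(name):
    exts = ext_chain(name)
    return exts[-1] if exts else ""


def zip_names(payload):
    """Member names if the payload is a zip (OOXML, .zip and .jar all are), else None."""
    if not payload.startswith(b"PK"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def assess_attachment(filename, payload):
    """Return (risk, reasons); risk is 'high', 'medium' or 'low'."""
    reasons, high = [], False
    exts, last = ext_chain(filename), last_ext(filename)
    if last in EXEC_EXTS:                      # plain or double-extension executable
        high = True
        reasons.append(("double-extension executable " if len(exts) > 1 else "executable ") + last)
    if last in OFFICE_EXTS:                    # Office lure; look for a macro project
        reasons.append("Office document")
        names = zip_names(payload) or []
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            high = True
            reasons.append("embedded VBA macro project")
    if last in ARCHIVE_EXTS:                   # archive; look for executables inside
        reasons.append("archive")
        hidden = [n for n in (zip_names(payload) or []) if last_ext(n) in EXEC_EXTS]
        if hidden:
            high = True
            reasons.append("archive contains executable: " + ", ".join(hidden))
    risk = "high" if high else ("medium" if reasons else "low")
    return risk, reasons


def triage_eml(raw):
    """Parse a raw RFC 5322 message and assess every attachment in order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        risk, reasons = assess_attachment(name, payload)
        results.append({"filename": name, "risk": risk, "reasons": reasons})
    return results


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_eml():
    """Constructed phishing-style message: a macro document, a booby-trapped zip, a harmless text file."""
    msg = EmailMessage()
    msg["From"] = "hr@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Updated termination notice"
    msg.set_content("Please review the attached documents.")
    docm = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                     "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"})      # fake VBA project, constructed
    msg.add_attachment(docm, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="notice.docm")
    archive = make_zip({"invoice.pdf.exe": b"MZ\x90\x00"})               # fake PE behind a double extension
    msg.add_attachment(archive, maintype="application", subtype="zip", filename="scan.zip")
    msg.add_attachment("Agenda: 9am standup\n", subtype="plain", filename="agenda.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for r in triage_eml(build_sample_eml()):
        print(f"{r['risk']:6}  {r['filename']:12}  {'; '.join(r['reasons'])}")
```

Run as-is it prints one line per attachment: the macro-enabled document and the zip are rated high, the agenda low. A real gateway would add more (detonation, reputation, zip-bomb limits), but the structural checks here catch the two delivery methods the article singles out without any external service.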

4. Irregular or Non-Existent Security Awareness Training 

More than half of businesses do not run regular security awareness training, and that is a huge mistake that costs them in the end.  In a UK study of companies running phishing simulations, researchers found that 40% to 60% of untrained employees are likely to open malicious links or attachments.  After about six months of training, that number dropped to 20% to 25%.  After three to six months of further training, the share of employees who opened phishing messages fell to only 10% to 18%. Accenture puts the ideal number of training courses per employee each year at 11, just under one per month.

5. Careless Clicking on Email Links 

Far too many employees are not judicious about clicking links in email messages.  CyberNews reports that 1 in 3 employees are likely to click the links in phishing emails, and 1 in 8 are likely to share information requested in a phishing email.  Even more alarmingly, 67% of the employees who clicked through to the dummy malicious website in a phishing simulation went on to submit their login credentials, up from a scant 2% in 2019.

  • In a phishing simulation, users in North America struggled the most, posting a 25.5% click rate and an 18% overall credential submission rate.
  • That means a little over 7 out of every 10 clickers went on to hand over their logins (18 ÷ 25.5 ≈ 71%).
  • Users in Europe exhibited lower click and submission rates of 17% and 11%, respectively.

6. A Weak Security Culture 

The kind of negligence that helps mistakes flourish can arise from a company having a bad security culture.  Security is everyone’s job, but not everyone understands that. 45% of respondents in a HIPAA Journal survey said that they don’t need to worry about cybersecurity safeguards because they don’t work in the IT department.  That’s a disaster waiting to happen.  That ignorance can be compounded by leadership attitudes toward security.  In a CNBC survey, 56% of SMB owners said they are “not very concerned” about being the victim of a cyberattack in the next 12 months, and 24% said they were “not concerned at all.”

7. Fear of Repercussions  

No company benefits when employees are kept in the dark about security or made to think of it as a big, complicated, dangerous bugbear.  Besides, every tech team would rather learn about a security incident when it’s just a little difficulty, not when it has snowballed into a giant disaster.  But far too often, employees behave dangerously because they’re afraid of asking for help or clarification, and that’s no help to anyone.

  • Just under 30% of employees fail to report cybersecurity mistakes out of fear.
  • More than 40% of employees don’t report potential phishing out of fear of getting in trouble.
  • About 45% of employees click emails they consider to be suspicious “just in case it’s important.”

Build Strong Defenses Against Risks Like These

The following solutions can help organizations lower their risk and build strong defenses against today’s biggest cybercrime threats by educating employees and closing security gaps, setting them up for security success.

Security and Compliance Awareness Training   

BullPhish ID is the ideal affordable security and compliance awareness training solution for companies of any size.

  • Gain access to a large library of security and compliance training videos in 8 languages, with quizzes to measure retention, and four new video lessons added each month
  • Run phishing simulations easily using plug-and-play or customizable phishing training campaign kits with new kits released regularly
  • Automate the delivery of training and the generation and delivery of reports to stakeholders

Dark Web Monitoring 

Dark Web ID makes it easy for companies to reduce their dark web credential compromise risk.

  • Uncover all of an organization’s exposed credentials in minutes
  • Gain peace of mind against credential exposure with 24/7/365 monitoring using real-time, analyst validated data
  • Enjoy fast alerts to compromises of business and personal credentials, including domains, IP addresses, and email addresses

Be sure to contact us to discuss these solutions and more.