See What Hooked Employees in Training Sessions from ET&T

Phishing is the scourge of business cybersecurity.  The precursor to many devastating cyberattacks like ransomware, account takeover, and business email compromise, it’s also one of the toughest threats for IT professionals to conquer in an organization.  Employees are notoriously bad at spotting and stopping phishing without consistent security and compliance awareness training, creating security risks that cybercriminals are more than happy to exploit.  Learning more about how phishing has evolved and exactly which phishing tricks employees are likely to fall for can help provide insight into how to make all the right security moves to blunt the impact of phishing.

 

The Influences That Shaped Today’s Email Security Landscape

These 2021 trends underpin the business email security picture right now and lay the foundation for future challenges that organizations will face.

Phishing-Related Cybercrime is Booming

  • Business email compromise losses increased by 28%
  • Ransomware attacks and losses grew by over 50%
  • Social media-related phishing attacks grew by more than 80%
  • Brand impersonation and spoofing was 15 times higher in 2021 than in 2020
  • Total cybercrime losses increased by almost 50%

Phishing paved the way for other damaging cyberattacks

  • An estimated 84% of businesses said they were the victims of a successful phishing attack.
  • About 59% of organizations that fell victim to a phishing attack were then infected with ransomware.
  • Just over 40% of network intrusions in 2021were facilitated by phishing.

 

Untrained employees are a massive security risk because they’re highly likely to fall for the most common cyber threat they’ll face: phishing.  An estimated 97% of users are unable to detect a sophisticated phishing email.  Our award-winning security and compliance awareness training solution BullPhish ID is used by organizations of all sizes in a wide variety of industries.  Analyzing the results of thousands of phishing resistance training sessions and phishing simulations with BullPhish ID illustrates the degree to which phishing is an ongoing challenge to conquer as well as the phishing scenarios in which employees are most likely to take the bait.

2021 BullPhish ID Phishing Resistance Training Totals

  • Total number of training campaigns created – 81,484
  • Total number of phishing simulation emails sent – 2,424,762
  • Total number of clicks on phishing simulation emails – 106,670

Top 3 Security Awareness Training Courses of 2021

  1. Phishing: Introduction to Phishing – 150,163 created trainings
  2. How to Avoid Phishing Scams – 129,666 created trainings
  3. Phishing: The Dangers of Malicious Attachments – 100,265 created trainings

Top Phishing Simulations That Successfully Drew Employee Interaction

  1. Office 365 – Suspicious Login – 10,879 clicked
  2. FedEx – Package Delivery – 6,535 clicked
  3. Google Docs – Invitation to Edit – 4,492 clicked

Top Phishing Simulations That Captured Credentials & Data

  1.  FedEx – Package Delivery – 2,056 captures
  2. Office 365 – Suspicious Login – 1,736 captures
  3. COVID-19: SharePoint Webinar – 1,440 captures

 

Top 10 Industries That Fell for the Bait in Phishing Simulations

Employees in every sector are susceptible to phishing, including IT, the sector that topped the list for failing phishing simulations.  These are the top 10 industries where employees fell for the bait in a phishing simulation and supplied their credentials. The number of failures in each industry studied is included.

  1. High-Tech & IT — 3,755
  2. Medical & Healthcare — 3,504
  3. Other — 4647
  4. Manufacturing — 1,801
  5. Non-Profit Organization — 1,758
  6. Education & Research — 1,522
  7. Finance & Insurance – 1,239
  8. Business & Professional Services – 1,144
  9. Retail & Ecommerce — 1,046
  10. Legal — 704

 

Brand Impersonation is All Too Effective

As you can see from the real phishing simulation data we’ve delivered above, brand impersonation, misrepresentation, or spoofing is a tremendously effective way for the bad guys to get the job done.  The Verizon Data Breach Investigations Report 2021 shows the rapid rise of brand impersonation, called Misrepresentation in this report.  The threat clocked in 15 times higher in 2021 than it did in 2020.  Today’s work circumstances lend themselves well to brand impersonation scams. High email volumes translate into high volumes of phishing messages headed for employee inboxes.  Add the continued reliance on email as remote work continues and the increasing sophistication of phishing messages to the mix and this combination of factors creates the perfect climate for brand impersonation scams to thrive.

Employees encounter brand impersonation frequently – 25% of all branded emails that companies receive are spoofed or brand impersonation attempts.  Traditionally Microsoft holds the top spot on the list of most imitated brands.  But DHL surpassed them at the end of 2021, accounting for almost a quarter of branded phishing attempts.  Microsoft still came in at number two, present in one-fifth of brand impersonation phishing schemes.  Communication juggernaut WhatsApp came in third with Google just on its heels. LinkedIn is a perennial cybercriminal go-to, but Facebook (now going by Meta) has fallen out of fashion.

The 10 Most Impersonated Brands

  1. DHL 23%
  2. Microsoft 20%
  3. WhatsApp 11%
  4. Google 10%
  5. LinkedIn  8%
  6. Amazon  4%
  7. Roblox  3%
  8. FedEx  3%
  9. PayPal  2%
  10. Apple  2%

 

Untrained Employees and Email Are a Recipe for Data Loss

In a recent study, data loss via email was cited as the top data security risk that businesses face today.  Employee negligence and lack of understanding about data security are big contributors to the problem.  Researchers determined that 73% of organizations in the study were concerned that employees do not understand the sensitivity or confidentiality of data they share through email. That lack of understanding is visible across an organization.  Marketing and public relations departments are most likely to put data at risk when using email (61%), closely followed by production/manufacturing (58%) and operations (57%).

Why does this keep happening?  Even knowing about the risk of data loss via email, most organizations do not have adequate training in place to educate employees about data handling and email safety.  The researchers in this study determined that while 61% of the IT leaders surveyed said that their organizations had some kind of security awareness training program in place, only about half of them felt that those programs properly addressed the sensitivity and confidentiality of the data that employees can access or transmit via email.

Security and Compliance Awareness Training Dramatically Reduces Phishing Risk

Did you know that security and compliance awareness training can reduce an organization’s chance of experiencing a cybersecurity incident like phishing by up to 70%?  Training is one of the smartest high ROI technology investments an organization can make.  Be sure to contact an ET&T solutions expert today to schedule a security consultation.

 

 

Be sure to read our latest newsletter here.