23% of employees open phishing emails and input data when presented with a form. That means they are likely to expose their organisation to a cyberattack resulting from a phishing attempt. That is the stark warning from cybersecurity training company Phished in its latest report (registration required).
Additionally, 53% of employees opened phishing messages, and 7% downloaded and opened attachments. Only 7% reported the simulation to their IT department.
Arnout Van de Meulebroucke, CEO of Phished, said, “Although these figures already point to a systematic problem among the working population, perhaps most concerning is the fact that no less than 7% of all employees open a suspicious email attachment. While phishing – usually – requires an extra step before the real damage is done, a malicious attachment can have serious consequences immediately.”
The company sent more than 100 million phishing simulations to hundreds of thousands of recipients worldwide. Those simulations were sent as part of an agreement between Phished and its customers.
What phishing messages did people fall for?
Nobody will be surprised that anything related to COVID-19 was the most successful topic. Next up were emails about Microsoft Office, login prompts from Gmail and a range of other office products. These were followed by emails about passwords, VPNs and IT support.
Two subjects stand out for their lack of success. The first is spear phishing. It accounted for less than 40% as many successful attacks as COVID-19 related attacks. Even more surprising is that finance-related attempts came in last place.
The report does not provide detail on the types of messages with attachments. It would be useful to know which subject lines persuaded people to download and open attachments. Those emails, in particular, often contain malicious payloads. They are key topic areas for businesses to educate users about.
Interestingly, the report also calls out the risk of working at home and the use of mobile devices. It states, “The shift to home working has created greater risk, with many employees using their smartphones to open emails. Smartphones generally make it more difficult to recognise the origin of a potential email and mean employees are significantly more susceptible to phishing.”
What can we expect in 2022?
Unfortunately, looking forward to 2022, Phished does not see things getting any better for organisations. It sees several trends that will continue to impact them. COVID related emails will continue as the Omicron variant spreads and governments continue to push out more information around vaccinations.
QR codes are a form of attack that has been around for several years. With the pandemic, people have been using them more and more. They are used to check in to venues such as pubs and even to order test kits. However, some criminals create their own posters with fake QR codes on them. These are used to trick unsuspecting users into visiting dodgy websites that then grab their data.
A form of attack that people may not be aware of is calendar invitation fraud. It has been on the rise, especially over the last two years. The cybercriminal sends an email with an invite to a meeting. When users click on the meeting, they are asked for their business credentials. People willingly enter these only to get a note saying the meeting has been cancelled or the URL is wrong. Meanwhile, their details have been captured for sale to other cybercriminals.
Enterprise Times: What does this mean?
The depressing news from this report is that the most successful phishing attacks are simply variations of older campaigns. It shows that training is failing, and employees need to be more aware. It also demonstrates the need for better tools at the edge to prevent these emails from getting into inboxes in the first place.