A large number of employees are still falling victim to phishing scams, according to the results of a global test conducted by a Canada-based firm.
Seven percent of all end users participating in the 2022 Gone Fishing Tournament, run by Quebec-based Terranova Security, clicked on a link in a phishing email. Three percent of all participants (44 percent of those who clicked) failed to recognize the warning signs on the simulation's webpage and went on to enter their credentials at the malicious site.
“To put these numbers into perspective,” said Theo Zafirakos, the company’s chief information security officer (CISO), “if an enterprise-level organization of 10,000 employees was targeted with a phishing scam, as in the simulation, 700 employees would have clicked on the phishing link and over 300 of those clickers would have entered their password, which could be used to compromise systems and sensitive information. Given our reliance on online systems and data to conduct transactions and services, this reality is worrying.”
Terranova Security is part of Forterra LLC of Minneapolis. The simulation, which was carried out in October, was co-sponsored by Microsoft. The annual test, which has a different format each year, saw more than 250 organizations in several countries agree to send phishing emails to their employees. A total of 12 lakh (1.2 million) messages were sent in 21 languages.
The full test results are available in a report here; registration is required.
Although the 2022 Gone Fishing Tournament simulation was deemed easier than in previous years, the click rate and web form submission rate should still be considered high, Terranova said in a news release.
The three percent failure rate was a significant improvement over the 2021 and 2020 results, in which 14.4 percent and 13.4 percent of end users, respectively, completed an action that would have compromised sensitive information in the simulation.
“These findings underscore why creating an engaging security awareness training program which takes advantage of hands-on, practical exercises such as phishing simulations,” the report says. “Technical infrastructure such as firewalls, endpoint protection, and even phishing report buttons in corporate email clients cannot guarantee information security.”
Microsoft supplied this year’s email and webpage templates, designed to mimic a real-world scenario many employees experience: a gift card scam. The scenarios, selected by the Terranova Security Leadership Team, measured several end-user behaviors, such as clicking a link in the body of a phishing email and entering credentials into a form on a phishing webpage.
If users clicked on a link in the phishing simulation’s email, they were redirected to a landing page prompting them to enter credentials, which would have been compromised had the simulation been an actual attack. If users completed this second step, they were taken to a phishing simulation feedback page that highlighted the red flags they missed and the best practices they should follow.