Phishing simulations: employees not vigilant enough

Employees are not vigilant enough when receiving e-mails. A current Kaspersky analysis of phishing simulations in companies [1] shows that many employees usually do not notice the hidden pitfalls in e-mails about internal company matters or alleged delivery problems.

Almost one in five clicked on the link in the e-mail templates that imitated this type of phishing attack. Other common phishing e-mails, which announce that the recipient's computer has been hacked or promise a prize, are hardly successful, with a click conversion of one to two percent.

9 out of 10 attacks start via phishing

It is estimated that nine out of ten cyberattacks (91 percent) start with a phishing e-mail; phishing techniques are implicated in two-thirds of all successful data breaches (32 percent) [2].

To gain further insight into this threat, Kaspersky experts collected and analyzed data from a phishing simulator that users voluntarily provided. Integrated into the Kaspersky Security Awareness Platform [3], this tool helps organizations check whether employees can spot a phishing e-mail, without putting corporate data at risk. An administrator selects from a set of templates that mimic common phishing scenarios or creates a custom template, then sends it to the selected group of employees without warning and tracks the results. A large share of users clicking on the link shows that additional cybersecurity training is required.

The five most effective subject lines in phishing emails

  • "Failed delivery attempt - Unfortunately our courier was unable to deliver your item", supposedly from a postal delivery service: click conversion of 18.5 percent
  • "E-mails were not delivered because the mail server was overloaded", supposedly from the Google support team: click conversion of 18 percent
  • "Online employee survey: What would you improve about working in the company?", supposedly from the HR department: click conversion of 18 percent
  • "Reminder: New Company-wide Dress Code", supposedly from the HR department: click conversion of 17.5 percent
  • "Attention to all employees: Evacuation plan for the new building", supposedly from the security department: click conversion of 16 percent

Other effective hooks for phishing e-mails

  • Reservation confirmations from a booking service (11 percent)
  • Order placement notifications (11 percent)
  • Announcing an IKEA competition (10 percent)

E-mails that threaten the recipient or promise immediate benefits appear to be less "successful". A template with the subject "I hacked your computer and I know your search history" was clicked by only two percent of users; offers of free Netflix and $1,000 by only one percent.

"The phishing simulation is one of the easiest ways to check employees' cyber resilience and evaluate the effectiveness of their cybersecurity training. However, there are important aspects that must be taken into account when implementing it in order for it to be really effective," explains Christian Milde, Managing Director Central Europe at Kaspersky. "Since cyber criminals are constantly adapting their methods, the simulation must reflect current social engineering trends in addition to common cybercrime scenarios. It is crucial that simulated attacks are carried out regularly and supplemented with appropriate training. In this way, users develop a strong awareness that enables them to avoid being taken in by targeted attacks or spear phishing."

Kaspersky recommendations for protection against phishing attacks

  • Regularly inform employees about the basic hallmarks of phishing emails [4], such as an alarming subject line, errors and typos, conflicting sender addresses, and suspicious links.
  • If there is any doubt about a received e-mail, the format of the attachments and the real target of each link should be checked before clicking. Hovering over these items with the mouse cursor shows whether the address is authentic and whether the attached files are in an executable format.
  • Phishing attacks should always be reported to the IT security department. This allows the cybersecurity team to reconfigure the anti-spam policies and prevent an incident.
  • Employees should be regularly trained in cyber security. Training such as Kaspersky Security Awareness Training [5] aims to change learners' behavior and teach them how to deal with threats.
  • Because phishing attempts can be confusing and there is no guarantee to avoid all unintentional clicks, all devices should be protected with a reliable solution like Kaspersky Small Office Security [6]. Corresponding solutions offer anti-spam functions, track suspicious behavior and create backups in case of ransomware attacks.
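
The two checks in the second recommendation (does the link really go where its text says, and is the attachment something that would execute) can be automated for an e-mail gateway or a help-desk triage script. The following is an added example, not code from Kaspersky or the article; it uses only the Python standard library, and the sample message it builds, including every address and domain in it, is constructed for the demo in the style of the "failed delivery attempt" template.

```python
"""Added example (not part of the Kaspersky article): check a raw e-mail for
two of the phishing hallmarks the recommendations list names, links whose
visible text points somewhere other than the real target, and attachments
in an executable format. The sample message is constructed for the demo."""
import email
import os
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that a desktop would run as a program when the file is opened.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".js",
                         ".vbs", ".ps1", ".msi", ".hta", ".lnk"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_in_text(text):
    """Return the hostname if the link's visible text itself looks like a URL
    or bare domain (the case where a mismatch is detectable), else None."""
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def check_message(raw):
    """Return findings: ('link-mismatch', shown_host, real_host) or
    ('executable-attachment', filename)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Links: the domain the reader sees versus the domain the href goes to.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            real_host = urlparse(href).hostname
            shown_host = _host_in_text(text)
            if shown_host and real_host and shown_host != real_host:
                findings.append(("link-mismatch", shown_host, real_host))

    # 2. Attachments: anything that would execute rather than open as data.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            findings.append(("executable-attachment", name))
    return findings


def build_sample():
    """Constructed message in the style of the 'failed delivery' template:
    the link text shows one domain, the href another, and the attachment has
    a double extension ending in .exe. All names and domains are made up."""
    msg = EmailMessage()
    msg["From"] = "Parcel Service <notice@parcel-service.example>"
    msg["To"] = "employee@corp.example"
    msg["Subject"] = "Failed delivery attempt"
    msg.set_content(
        "<html><body>\n<p>Our courier was unable to deliver your item.</p>\n"
        '<p>Track it here: <a href="http://parcel-service-check.example/track">'
        "https://www.parcel-service.example/track</a></p>\n"
        '<p><a href="http://parcel-service-check.example/help">'
        "Contact support</a></p>\n</body></html>\n",
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00 not a real program",
                       maintype="application", subtype="octet-stream",
                       filename="delivery_notice.pdf.exe")
    return msg.as_string()


if __name__ == "__main__":
    for finding in check_message(build_sample()):
        print(finding)
```

The link check only fires when the visible text itself names a domain, which is exactly the case a hovering user can catch; a link whose text is just "Contact support" is not flagged, because nothing the reader sees contradicts the target. The attachment check looks at the last extension, so a double-extension name such as `delivery_notice.pdf.exe` is still caught.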

[1] The statistics are based on the results of 29,597 employees from 100 countries. Not all available phishing templates were sent to every employee. The data presented includes templates sent to more than 100 users. The phishing simulation campaigns ran between January 2021 and May 2022.
[2] https://www2.deloitte.com/my/en/pages/risk/articles/91-percent-of-all-cyber-attacks-begin-with-a-phishing-email-to-an-unexpected-victim.html
[3] https://www.kaspersky.de/small-to-medium-business-security/security-awareness-platform
[4] https://www.kaspersky.de/blog/how-to-protect-yourself-from-phishing/42317/
[5] https://www.kaspersky.de/enterprise-security/security-awareness
[6] https://www.kaspersky.de/small-business-security/small-office-security
