When it comes to susceptibility to phishing lures, business-context simulations are still the most successful: Office communications and finance-related themes generated the highest susceptibility rates, with 19.9% and 18.6% respectively, driven by sentiments of curiosity, fear and urgency.
The PhishMe research teams analyzed data compiled from over 40 million phishing simulations performed between January 2015 and July 2016.
Looking at individual phishing email types, the “file from scanner” scenario generated the highest response rate in the transportation sector at 49%, followed by healthcare at 31% and insurance at 30%. On the other hand, the non-profit sector scored the lowest response rate, at 5%.
“Understanding what motivates your employees to open or fall for a phish is a critical step in building their resiliency to attacks and enabling faster incident response,” said Aaron Higbee, co-founder and CTO at PhishMe. “At its core, a phishing simulation program allows organizations to assess, measure, educate and empower all employees about phishing threats while creating a wider net of human sensors to help reduce the risk of a full-blown data breach.”
The good news is that reporting outweighs susceptibility to phishing: over a relatively short period, reporting rates overtake susceptibility rates once at least 80% of the company has been conditioned to identify and report suspicious emails.
“Our analysis shows that continued exposure to simulations lowers the chance of an employee falling for a phishing email—the key being consistent exposure,” said Higbee. “Once employees are conditioned to identify phishing attacks, our data shows that reporting them to the IT Security team starts to outweigh organizational susceptibility. It only takes one employee to report a targeted attack to give incident response teams a chance to stop a potential data breach.”
Active reporting can significantly decrease breach detection times, too: the samples analyzed show that reporting of suspicious emails reduced security team response time to approximately 1.2 hours, a significant improvement over the current industry average of 146 days to detect a security breach.
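As an added illustration (not PhishMe's code or methodology), here is how the two rates the article contrasts, susceptibility and reporting, can be computed per scenario from a campaign's result records, together with the time to the first report that gives responders their head start; the records, recipients and scenario names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

@dataclass
class SimulationResult:
    """One recipient's outcome in one phishing simulation (constructed schema)."""
    scenario: str
    recipient: str
    delivered_at: float                 # epoch seconds
    clicked_at: Optional[float] = None  # None if the lure was not acted on
    reported_at: Optional[float] = None # None if never reported

def scenario_metrics(results: Iterable[SimulationResult]) -> Dict[str, dict]:
    """Per scenario: susceptibility rate (clicked / sent), reporting rate
    (reported / sent), whether reporting outweighs susceptibility, and hours
    from delivery to the first report (what an IR team effectively waits on)."""
    by_scenario: Dict[str, list] = {}
    for r in results:
        by_scenario.setdefault(r.scenario, []).append(r)
    metrics = {}
    for scenario, rows in by_scenario.items():
        sent = len(rows)
        clicked = sum(1 for r in rows if r.clicked_at is not None)
        reported = sum(1 for r in rows if r.reported_at is not None)
        delays = [r.reported_at - r.delivered_at for r in rows if r.reported_at is not None]
        metrics[scenario] = {
            "sent": sent,
            "susceptibility_rate": clicked / sent,
            "reporting_rate": reported / sent,
            "reporting_outweighs_susceptibility": reported > clicked,
            "hours_to_first_report": min(delays) / 3600 if delays else None,
        }
    return metrics

# Constructed sample campaign: 10 "file from scanner" lures and 5 "invoice" lures.
HOUR = 3600.0
T0 = 1_700_000_000.0
SAMPLE_RESULTS = [
    SimulationResult("file from scanner", "u01", T0, clicked_at=T0 + 0.5 * HOUR),
    SimulationResult("file from scanner", "u02", T0, reported_at=T0 + 1.2 * HOUR),
    SimulationResult("file from scanner", "u03", T0, reported_at=T0 + 3 * HOUR),
    SimulationResult("file from scanner", "u04", T0, clicked_at=T0 + 4 * HOUR, reported_at=T0 + 5 * HOUR),
    SimulationResult("file from scanner", "u05", T0, reported_at=T0 + 2 * HOUR),
    SimulationResult("file from scanner", "u06", T0, reported_at=T0 + 6 * HOUR),
    SimulationResult("file from scanner", "u07", T0, clicked_at=T0 + 7 * HOUR),
] + [SimulationResult("file from scanner", f"u{i:02d}", T0) for i in range(8, 11)] + [
    SimulationResult("invoice", "v1", T0, clicked_at=T0 + 1 * HOUR),
    SimulationResult("invoice", "v2", T0, clicked_at=T0 + 2 * HOUR),
    SimulationResult("invoice", "v3", T0, reported_at=T0 + 8 * HOUR),
    SimulationResult("invoice", "v4", T0),
    SimulationResult("invoice", "v5", T0),
]

if __name__ == "__main__":
    for name, m in scenario_metrics(SAMPLE_RESULTS).items():
        print(name, m)
```

A recipient who clicks and then reports (u04 above) counts toward both rates, which is why the two numbers are compared rather than summed.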