Large enterprises with at least 10,000 employees are the most susceptible to phishing schemes that promise a gift despite having access to more cybersecurity resources than smaller businesses, according to a new report on phishing link click rates from Terranova Security, a subsidiary of Fortra (previously HelpSystems).
The report is based on the 2022 Gone Phishing Tournament hosted by Terranova Security and co-sponsored by Microsoft, which evaluated how employees respond to phishing attacks. The 2022 Phishing Benchmark Global Report finds that all organizations need to continue to implement security awareness and training programs to educate end users on phishing attacks.
Over 250 organizations and 1.2 million users participated in the tournament, making it one of the largest phishing tournaments of its kind and a real-life example of how successful phishing attacks still are today.
According to the report, 7% of all end users at large enterprises who participated in the 2022 phishing simulation clicked on the link in the phishing email, and 3% failed to recognize the warning signs of the simulation’s webpage and entered their credentials on the malicious page.
While those phishing click rate totals are seemingly low, it only takes one privileged end user to click on a malicious link or enter their credentials for attackers to find their way into an organization’s network.
Additionally, this year’s form completion total is concerning, as 44% of those who clicked on the phishing simulation link eventually completed the web form on the subsequent webpage and submitted their credentials.
To put those numbers in perspective, an enterprise-level organization with 10,000 employees targeted with a phishing attack would have seen 700 of its employees click on the phishing link, and over 300 of those would have entered their credentials.
“Given our reliance on online systems and data to conduct many business transactions and services, this is really concerning,” says Theo Zafirakos, chief information security officer at Terranova Security.
The report suggested that larger organizations need to ensure that end users are completing their training and awareness programs, as they fared the worst. In fact, phishing success rates consistently increase along with the size of the organization. Phishing click rates were 3.6% at organizations with under 100 employees, 4.9% at organizations with 100 to 499 employees, 5.6% at organizations with 500 to 2,999 employees and 6.3% at organizations with 3,000 to 9,000 employees.
When separated by industry, nonprofit, education, manufacturing, and food and agriculture had the worst phishing click rates, with all scoring over 6%. Meanwhile, the public sector, energy and finance industries kept their phishing click rates under 3.5%.
However, this report indicates that end users are becoming more aware, as only 3% of all recipients failed to recognize the phishing webpage and submitted their credentials, which is down from 14.4% in 2021.
“The results from this year’s Gone Phishing Tournament underscore the importance of taking a human-centric approach to security awareness training and content,” says Brand Koeller, principal product manager of Microsoft Defender, in a statement. “Technical safeguards alone can’t guarantee information security. Addressing the human risk factor should be a top priority for all organizations.”