One in Five Employees Fail the Gone Phishin’ Test as Security Hygiene Remains a Chronic Problem

Some tangible progress has been made in recent years in the area of employee security education, but some analysts believe the problem is an intractable and permanent one at some level. The latest “Gone Phishin'” event, an annual phishing test conducted by Canada’s Terranova Security, adds more support to that view.

About 20% of the unwitting test subjects were compromised by a simulated phishing email; almost 15% did not recognize a malicious download site after clicking through and proceeded to initiate a download of a tainted file. Larger organizations, or those that would be expected to have more robust security training programs, tended to fare the worst.

Phishing test has a 19.8% email compromise rate; 14.4% click through malicious downloads

Terranova holds the “Gone Phishing Tournament” every year as part of its annual Phishing Benchmark Global Report, a study that examines the security posture of thousands of organizations in 98 different countries (sending out about a million simulated phishing emails in 20 different languages).

The 2021 phishing test shows a bit of backsliding from 2020; the number of recipients duped by a malicious email stayed roughly the same, but there was a notable increase in willingness to download files from sketchy simulated attack websites among those who clicked through the links.

The 19.8% of recipients that clicked through the phishing test’s email link would not necessarily have been compromised, but the 14.4% that continued on from there would have downloaded malware in a comparable real-world attack. The study results thus indicate that over 70% of employees that are duped by an initial phishing link will fail to identify the site they are linked to as a security risk and can be expected to install malware.

Some regional differences were noted, but most regions stayed in the range of 10% to 15% of employees duped into downloading malware. North American organizations fared the best in the phishing test, followed by Europe; the Asia Pacific region fared worst. But while North America was the most cautious in the aggregate, the country-by-country breakdown showed some differences of its own. United States participants did very well with an 8.7% click rate and a 40.9% click-to-download rate, while their neighbors to the north in Canada were more likely to be duped, with a 14.1% click rate and a 59.8% click-to-download rate.

There were some sharper differences based on organization and recipient type. Surprisingly, information technology employees had the highest rate of going all the way through and downloading a simulated malware file (84% of those that clicked on the initial phishing link). IT was also among the top sectors for initial click-through along with finance, education and insurance. Retail, health care and transportation all had significantly lower rates than the other industries.

Test uses authentic-looking email templates provided by Microsoft

To be fair to the participants, they were provided with realistic-looking emails (shaped by a Microsoft security team using the company’s SharePoint interface) that would plausibly reflect something they could expect to receive as a part of their daily work life. There was a strong focus on crafting messages that were not “generic,” such as the bogus offers for free gift cards that are commonly seen in spam folders and as responses to social media posts.

Organizations volunteered for the phishing test, but the individual employees may not have been aware that a simulated email was coming. The event is always conducted in October as part of National Cybersecurity Awareness Month.

While this year’s phishing test focused on convincing a target to visit an attack site and download a file, the 2020 edition measured their willingness to enter their username and password when prompted as well. That test saw about 20% click through links and 13% submit passwords, with about 66% of those that clicked through continuing on to give up their login credentials.

Is phishing training working?

Corporate phishing training has become a contentious topic, with experts sharply divided between those who see it as a necessity and those who see it as making only small improvements at best on a problem that is rooted in human nature.

Phishing tests across the industry show a wide range of results, everything from roughly what this particular test demonstrates (an almost inevitable compromise rate somewhere near 15 to 20%) to some that have shown reductions down to as little as 3% over time. Regardless of the side one takes in the debate, one thing that seems clear at this point is that phishing training provides only a temporary boost, lasting about several months, before employees inclined to bad security hygiene habits lapse back into them.

Ultimately, the exact percentages from these phishing tests may not really matter; it takes as little as one compromised employee to create an opening on a network that leads to ransomware installation or theft of sensitive information. Some security experts thus take the position that the only sound approach is to keep phishing emails from reaching employee inboxes in the first place, possibly with an AI-driven filtering solution.

Senior Correspondent at CPO Magazine