Despite the effort CISOs are putting into security awareness training, many employees still fail to spot the clues in phishing messages, according to the results of the latest edition of a global test run by a Canadian firm.
Just under 20 per cent of those who received a phishing simulation email in October during Terranova Security’s annual Gone Phishing Tournament clicked on the included link, the company said Tuesday.
That click rate in this year’s test, Terranova adds, is the same as last year’s.
Of those who clicked on the link this year, 14.4 per cent failed to recognize that the website they were taken to was a phony site and went on to click a link to download a “malicious” file. The click rate on that second test was a notable increase from the 2020 event.
“When you consider that the Gone Phishing Tournament takes place during Cybersecurity Awareness Month every year, it’s clear that there’s room for improvement across the board,” said Terranova Security chief executive officer Theo Zafirakos in a statement accompanying the report. “Establishing, maintaining, and optimizing a training program that incorporates continuous awareness activities and phishing simulations is an essential part of strong information security … Organizations must take this reality seriously and implement strong awareness training initiatives.”
In an interview Tuesday, he also said the results weren’t surprising because cyber threats are increasing in complexity. “Based on the relevance of the [email test] scenario we were expecting to have a high amount of click-through.”
The scenario template sent to recipients was chosen by Terranova Security to measure several end-user phishing behaviours, including clicking on a link in the body of a phishing email and accepting malware delivered as a downloadable file from a phishing webpage. Organizations signed up with Terranova to participate and supplied the company with a list of employee email addresses.
The test emails and webpage spoofed the Microsoft SharePoint interface to look authentic. The email message included instructions on how to download a file, which further enticed the end-user to complete the action once they landed on the simulation’s webpage.
Close to 1 million emails were sent to end-users over a two-week period, in 20 languages.
To take advantage of the education opportunity, those who clicked on the link to download the file were immediately redirected to a phishing simulation feedback page that highlighted the warning signs they missed and tips on what to watch for.
The sectors whose employees had the highest click rates were education, finance and insurance, and information and technology (between 25.6 and 27.6 per cent). By contrast, the sectors whose employees had the lowest click rates were healthcare (5.6 per cent), transportation and retail.
Organizations with more than 3,000 employees performed the worst of all size segments, posting an 18 per cent email link click rate and a 12 per cent document download rate.
Asked if the results are tremendously disappointing given the amount of awareness training organizations say they give employees, Zafirakos said it may be that not every participating organization had an awareness program. “Even if they had one in place this [report] gives them the opportunity to potentially do some updates either in the frequency or the type of activities they do. Having something in place doesn’t necessarily mean it works.”
Organizations either have to put an awareness training program in place, he said, or improve the one they have. “Are you providing just-in-time feedback to users, are you providing relevant content in a [email] simulation? The scenario used in the [test] template was relevant in the current work environment, which is online sharing and collaboration … that’s why they had a lot of clickers.”
“Organizations have to make sure that when they are using simulations they’re not only used for measurement. They are made to be a learning tool. Don’t try to aim for a low [click-through] score in your simulations. Use complicated, difficult-to-detect scenarios so users have the opportunity to be exposed to threats in a safe environment.
“Also, users are not exposed to complicated phishing attacks on a daily basis. The most common ones they see daily are basic ones — ‘Here’s a free gift card.’ They aren’t going to click on that. The more advanced and targeted and dangerous phishing attacks come only once in a while. So users have to be prepared at all times for something that isn’t generic.”
Employees also have to be carefully trained on what to look for in a phishing email or text or on a phony website, he added. “We have to be more specific when we tell them the behaviours we want them to adopt. We have to stop being generic.”