To click or not to click

Issue 1 2022 News

The study, 'To click or not to click: What we learned from phishing 80 000 people', which included 82 402 participants, tested how employees from four different organisations responded to emails that simulated one of four commonly used phishing tactics.

22% of recipients that received an email simulating a human resources announcement about vacation time clicked, making emails that mimic those sent by HR the most frequent source of clicks in the study.

An email asking the recipient to help with an invoice (referred to as CEO fraud in the report) was the second most frequently engaged with email type, receiving clicks from 16% of recipients.

Document share (notifications from a document hosting service) and service issue notification (messages from an online service) emails received clicks from 7% and 6% of recipients, making them the least frequently clicked emails in the study.

However, according to Matthew Connor, F-Secure service delivery manager and lead author of the report, the study’s most notable finding was that people working in ‘technical’ roles seemed equally or even more susceptible to phishing attempts than the general population.

“The privileged access that technical personnel have to an organisation’s infrastructure can lead to them being actively targeted by adversaries, so advanced or even average susceptibility to phishing is a concern,” Connor explained. “Post-study surveys found that these personnel were more aware of previous phishing attempts than others, so we know this is a real threat. The fact that they click as often or more often than others, even with their level of awareness, highlights a significant challenge in the fight against phishing.”

Out of the two organisations studied with personnel working in IT or DevOps, both clicked test emails at rates that were either equal to or higher than other departments in their organisations: 26% from DevOps and 24% from IT compared to 25% for one organisation and 30% from DevOps and 21% from IT compared to 11% for the other organisation.

Furthermore, the study found that these departments were no better at reporting phishing attempts than others. In one organisation, IT and DevOps came third and sixth out of nine departments in terms of reporting. In the other organisation, DevOps was the twelfth best at reporting out of 17 departments, while IT was fifteenth.

The value of a fast, easy-to-use reporting process was also highlighted in the report. In the first minute after the test emails arrived in inboxes, over three times the number of people who reported it as suspicious had clicked. This number levelled out at around five minutes and stayed consistent after that.

And while reporting became more common as time went on, the different processes at different organisations played a key role. 47% of participants from an organisation that provided all employees with a dedicated button to flag suspicious emails used it during the study. Only 13% and 12% of participants from two other organisations reported their test emails (the remaining organisation did not provide data on reporting).


Riaan Naude.

According to F-Secure director of consulting, Riaan Naude, the patterns in report and click rates identified by the study highlights a practical opportunity for organisations to mobilise employees in a collective effort to protect themselves against phishing.

“The evidence in the study clearly points to fast, painless reporting processes as common ground where security personnel and other teams can work together to improve an organisation’s resilience against phishing. Getting this right means that an attack can be detected and prevented earlier, as security teams may only have a few precious minutes to mitigate a potential compromise,” said Naude.

Read the full report at https://www.f-secure.com/content/dam/press/en/media-library/reports/to-click-or-not-to-click.pdf




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Spend on cloud to accelerate across Africa in 2023
News
More than two-thirds of companies using cloud computing across major African markets plan to increase their spending on cloud services in 2023.

Read more...
ChatGPT’s impacts will be social, not technical
News
ChatGPT is truly a remarkable achievement, an artificial intelligence (AI) that you can have a conversation with and ask to do everything from writing essays to coding computer programs.

Read more...
Artificial intelligence in Africa: levelling the narrative
News
While AI can benefit multiple industries, in Africa the key sectors that stand to gain are financial services (specifically fintech) and agriculture.

Read more...
Improving data security for a hybrid society
News
Researchers from Tokyo University of Science develop a method that can perform computations with encrypted data faster and at a lower cost than conventional methods, while also improving security.

Read more...
Cybersecurity in 2023: The latest trends and developments
News
In 2023, experts predict that several trends will shape the cybersecurity landscape, including the growing use of artificial intelligence (AI), the increasing focus on the Internet of Things (IoT), and the rise of quantum computing.

Read more...
SAN market set for growth
Technews Publishing News IT infrastructure
Storage-area network (SAN) market to hit US$ 26,86 billion in revenue by the end of 2029 due to factors like widespread adoption of Hybrid SAN-NAS solutions.

Read more...
Enterprise threats in 2023
News Cyber Security
Large businesses and government structures should prepare for cybercriminals using media to blackmail organisations, reporting alleged data leaks, and purchasing initial access to previously compromised companies on the darknet.

Read more...
Trends in the proptech industry for 2023
News
By mixing real estate with technology to optimise industries, create new ones, and generate efficiencies or capabilities that improve revenue generation, something as fundamental as the concept of parking has been turned on its head.

Read more...
31 percent of all IoT SIMs managed with third-party IoT CMPs
News Integrated Solutions
Berg Insight recently released new findings about the market for IoT connectivity management platforms (CMPs), a standard component in the value proposition from mobile operators and IoT MVNOs around the world.

Read more...
Off-highway vehicle telematics systems
News
The installed base of off-highway vehicle telematics systems to reach 12.2 million units worldwide by 2026, says Berg Insight.

Read more...