Phishing emails: More than 25% of American workers fall for them

A new global report on phishing attempts shows how the workforce has responded to security threats since COVID-19, and the new vulnerabilities that have resulted from the remote work landscape.

Since COVID-19 arrived on the scene in the spring of 2020—a global health crisis that has upended the way we think of life and work—employers have been forced to reckon with the idea of a "normal" workplace, and, whenever possible, have moved work to the digital realm.

Terranova Security's new "2020 Gone Phishing Tournament," part of its Phishing Benchmark Global Report, looks at the impact of phishing attacks on the remote workforce, citing an increase in phishing simulation clicks, as well as compromised data. With so many new home office environments, new ways of collaborating, and rapidly evolving guidelines for security, threats like phishing campaigns, malicious websites, and fake apps proliferated during the early days of the virus. In fact, in the three months of 2020, according to the report, remote workers were hit with 30,000 more "suspicious messages," and a 667% increase in COVID-related spear phishing.

The new "Gone Phishing Tournament," part of National Cybersecurity Awareness Month, was held over 11 days in October 2020, and included participants from 98 countries. The testing was conducted in 12 languages. Participants were presented with a real-world scenario, courtesy of Microsoft, that simulated phishing emails and web pages. The test detected whether participants clicked suspicious links or entered information in a web page form.

The result is a "substantial year-over-year increase in participating end user click rates," the report said, as well as a rise in participants who were fooled by the phishing simulation, and would have compromised their login data.

"This year's report illustrates the growing need for security awareness training initiatives that utilize real-world phishing simulations as a practical educational tool," said author and Terranova Security CEO Lise Lapointe. "Organizations must take these phishing benchmarking results seriously and take the necessary steps to ensure every user has the knowledge needed to safeguard against the latest and most complex cyber threats."

Participants fared worse than in 2019—this year, nearly 20% quickly clicked phishing links, versus 11% previously. Also, many more (67%) of those who clicked used their login credentials, whereas only 2% did so in 2019. Performance varied by industry—the public sector fared worse, with a 28.4% click rate and 24.7% submission rate, whereas education and finance and insurance came in at 11.3% and 14.2%.

The other key takeaway is that the North American participants performed the most poorly on the test, resulting in a 25.5% click rate and 18% credential submission rate. European participants, on the other hand, had rates of 17% and 11%.

"The results are a clear indication that security leaders need to do more, especially when you consider that the event took place during National Cyber Security Awareness Month," added Theo Zafirakos, CISO at Terranova Security, in the press release. "It's a time of year when learning and communication opportunities around phishing tend to be heightened, which means the results showcase the importance of implementing or refining continuous awareness initiatives."
