Phishing tournament finds employees falling prey to malicious emails

The Gone Phishing Tournament tested how susceptible people are to opening fraudulent emails and entering their login information.

Most of us have digital inboxes stacked to the brim with unread emails and can spend entire days catching up on messages, so it's no surprise that hackers are increasingly using our lack of time against us. In September, the FBI released a report that found victims of phishing or email fraud between 2016 and 2019 lost an estimated $26 billion worldwide, and the numbers continue to rise.   

To prepare organizations for an attack, TerraNova Security held the Gone Phishing Tournament over five days in October, testing people at companies in 76 countries and 27 languages on how likely they were to open a malicious email and enter their information into a dangerous website. 

While the numbers varied based on country and industry, the overall results showed that 11% of all recipients clicked the phishing link and just 2% of recipients submitted their credentials on the phishing website.

"Employees of organizations participating in the October 2019 Gone Phishing Tournament received emails that simulated real-world known successful phishing attacks. These emails were sent in the employees' native language and used known phishing tactics to measure employee click rate. The goal of this global phishing simulation was to measure and evaluate employee detection rate of phishing," the report said.

"Using the same phishing template localized to employee language and locale, we measured how often employees clicked on the included link and submitted their credentials. The Gone Phishing Tournament revealed that even within organizations that have security awareness training programs in place, employees are still quick to click on emails and submit their credentials," the report said.
According to the results of the tournament, five major industries had click rates that were higher than the averages. Energy, construction, manufacturing and retail all had higher than normal click rates in addition to enterprises in the public sector. 

Researchers with TerraNova Security posited that these industries suffered the most because they had the least previous exposure to technology challenges and were still in the process of migrating toward fully-digital ecosystems that required a new level of security awareness from everyone in an enterprise. 

Smaller organizations are more likely to suffer a successful phishing attack than larger enterprises that have sophisticated IT departments protecting employees through better security, security awareness training and phishing simulations.

Regardless of the security posture of an enterprise, risks of a successful phishing attack are still high because of how many organizations have to deal with smaller suppliers and partners sharing information or systems. 

The study found that participants in North America and South America were more likely than those in any other region to submit their credentials after clicking the malicious link.

Of the organizations that participated in the tournament, just 25% had only a security awareness training program in place, 40% used both security awareness training and phishing simulation programs, while 32% had neither in place.

"It is difficult for people to internalize the impacts of clicking a malicious link or submitting a phishing form. People need first-hand experience of the impacts of clicking links, downloading attachments, providing confidential information, and submitting forms to really grasp how and why phishing awareness is critical," the report added.

The study included suggestions for things enterprises can do to prepare their employees for these kinds of attack campaigns that go beyond phishing simulations. Every employee should know precisely what to do if they spot a phishing attempt and they should know they have the organization's full support in the event that their account is breached. 

If a phishing attempt has been successful, enterprises should explain how it happened, how the email address was faked or why the attachment was suspicious. There should be posters or email newsletters reminding employees to be aware of the emails they open and making it clear that anything suspicious should be reported.

Employees should also be reminded of the financial and reputational severity of cybercrime as well as the damage that can be exacerbated by hiding mistakes. Organizations should always have an incident reporting process in place and a detailed response plan that gives security teams information about how many people received the message, how many people clicked on the link and how many employees submitted their information. 
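The tournament's click rate and credential submission rate, and the received/clicked/submitted counts a response plan needs, come from the same funnel. The following is an added example (not part of the article or of TerraNova Security's tooling) that computes those figures from constructed simulation event records, counting each recipient once per stage and excluding clicks from addresses that were never sent the lure.

```python
# Added example: funnel metrics (sent -> clicked -> submitted) from
# phishing-simulation event records. SAMPLE_EVENTS is constructed data,
# not results from the tournament.
import csv
import io
from collections import defaultdict

SAMPLE_EVENTS = """\
ts,org,region,recipient,event
2019-10-07T09:00Z,acme,NA,u1,sent
2019-10-07T09:00Z,acme,NA,u2,sent
2019-10-07T09:00Z,acme,NA,u3,sent
2019-10-07T09:00Z,acme,NA,u4,sent
2019-10-07T09:00Z,globex,EU,u5,sent
2019-10-07T09:00Z,globex,EU,u6,sent
2019-10-07T09:00Z,globex,EU,u8,sent
2019-10-07T09:12Z,acme,NA,u1,clicked
2019-10-07T09:13Z,acme,NA,u1,clicked
2019-10-07T09:14Z,acme,NA,u1,submitted
2019-10-07T09:30Z,acme,NA,u2,clicked
2019-10-07T10:02Z,globex,EU,u5,clicked
2019-10-07T10:05Z,globex,EU,u8,submitted
2019-10-07T10:09Z,globex,EU,u9,clicked
"""
STAGES = ("sent", "clicked", "submitted")

def funnel_by(events_csv, key="region"):
    """Per group (region or org): unique recipients at each stage and the
    click/submit rates over recipients actually sent the lure. A submission
    implies a click even if that click event was lost."""
    seen = defaultdict(lambda: {s: set() for s in STAGES})
    for row in csv.DictReader(io.StringIO(events_csv)):
        if row["event"] not in STAGES:
            continue  # ignore unknown event kinds
        group = seen[row[key]]
        group[row["event"]].add(row["recipient"])
        if row["event"] == "submitted":
            group["clicked"].add(row["recipient"])
    report = {}
    for name, g in seen.items():
        sent = g["sent"]  # forwarded lures and scanners (u9) are excluded
        clicked = len(g["clicked"] & sent)
        submitted = len(g["submitted"] & sent)
        report[name] = {
            "sent": len(sent), "clicked": clicked, "submitted": submitted,
            "click_rate": clicked / len(sent) if sent else 0.0,
            "submit_rate": submitted / len(sent) if sent else 0.0,
        }
    return report
```

Passing `key="org"` gives the same breakdown per organization, which is the view a security team needs when deciding whom to follow up with after a real incident.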

"It is time for organizations to make security awareness training and phishing simulations a real priority. It is not enough for organizations to hold a one-time lunch-and-learn on phishing emails or to focus only on cyber security risks during employee onboarding," the report said. 

"Opening malicious links can lead to computer and network infections with viruses or other malware and informs the cybercriminal that their message was read and clicked, confirming that the email address is valid and that the recipient is likely to click future phishing emails."

Image: Andriy Onufriyenko/Getty Images