Everyone has encountered phishing attacks in cyberspace, whether we are aware of it or not. In fact, today and every day we are targeted via email, text messages, or scam phone calls. You can read about the types of attacks and the techniques attackers use on our website. In this blog, we would like to share with you our experience and results from the phishing campaigns we have implemented for our customers.
Endless discussions during campaign preparation (testing)
When we prepare phishing campaigns, most often by sending fraudulent emails, we frequently end up in discussions with our customers about what makes sense and what doesn't. A common argument is that the company has intelligent and educated employees and that very few of them would get caught. To that, it's important to add that even if that were the case, a data leak or an attacker's intrusion into a company's systems is overwhelmingly caused by human error, and most often it is a click in a phishing email that causes it. Testing and education are therefore important even if only a few individuals would be at fault.
Unfortunately, we know from the tests that have been carried out that on average 40% of employees take the bait. Now project that onto the number of people in your company...
A closer look at the results of the implemented tests
If we are talking about basic phishing, i.e. a campaign targeting all employees in several waves and using different templates, the results show that about 60% of recipients open the phishing email and less than half (40%) click on the attached link, either a call-to-action button or another link leading to a fraudulent web page that requests further action, most often entering a login and password. If you think that this is where the journey ends, it doesn't: half of the recipients who click through to the fraudulent site enter the requested login and password, which works out to 15-20% of the total.
For more sophisticated phishing, where we target narrower groups of users and use even more personalised methods, the numbers are very similar. If you think there are big differences between industries or positions in companies, this is not the case.
The way forward
These results clearly show that, in addition to technical security, companies should focus on educating employees about cyber security and regularly testing their vigilance. Moreover, of course, this is not a one-off activity, but an iterative process that both the company and employees must go through.
If you are interested in testing or training employees in your company, please contact us.
Your Safee team