Phished, a specialist in AI-powered cybersecurity training software, has announced the results of its 2021 Phishing Intelligence Report. The report, which analyzed data from more than 100 million phishing simulations, found that at Globally, almost a quarter (22%) of employees are likely to put their organization at risk of a cyberattack through a successful phishing attempt.
Analysis of the large and diverse dataset reveals just how vulnerable the average employee is to phishing attacks and offers insight into key trends, including the topics that lead to the most successful phishing attacks and the formats messages most likely to mislead employees.
Data shows that among employees who open a phishing message, more than half (53%) are likely to click on a malicious link within it. When asked to divulge data, for example on a spoofed login page, almost a quarter (23%) of recipients enter their data. If a message contains an attachment, 7% of all recipients will download and open it.
“While these numbers already point to a systematic problem within the workforce, perhaps most concerning is the fact that as many as 7% of all employees open a suspicious attachment. While phishing usually requires an extra step before the real damage is done, a malicious attachment can have serious consequences immediately,” said Arnout Van de Meulebroucke, CEO of Phished.
Public vs. private sector phishing
The Phishing Intelligence Report 2021, which analyzed simulation data from private and public sector organizations, found that public sector employees are 3% more likely than those in private sector organizations to be victims of a phishing attempt. successful phishing. UK public sector employees were slightly less susceptible (2.5%) to phishing attempts than the global average of 3%.
Top Phishing Topics
Globally, topics related to COVID-19 most often led to successful phishing attacks in 2021. This included messages about working from home, coronavirus testing facilities and vaccinations, with fake news and misinformation campaigns fueling malicious actors to exploit general anxiety about vaccine risks and side effects. After that, phishing messages around technology and computing associated with working from home were most effective in encouraging employees to click on links and reveal data. This included messages on popular collaboration platforms, as well as technical support for passwords and virtual private networks (VPNs).
COVID-19 messages were also most likely to mislead recipients in the UK. However, unlike other countries, UK employees were almost as likely to be phished through messages about orders, deliveries and shipping. HR-related topics, for example those related to fines, dismissal, holidays or sensitive content, were also more likely to mislead UK employees than IT-related posts.
Phished drew a number of conclusions from the Phishing Intelligence Report 2021:
- Data shows that phishing remains a key attack vector for cybercriminals looking to target private and public sector organizations around the world. 2021 has created a perfect cybersecurity storm, with attackers taking advantage of increased government communication around the COVID-19 crisis while phishing messages themselves become more compelling. Employees – anxious about the global health crisis – struggle to distinguish these messages from legitimate communications.
- The shift to working from home has created increased risk, with many employees using their smartphones to open emails. Smartphones generally make it more difficult to recognize the origin of a potential email and mean that employees are much more susceptible to phishing.
- In 2022, we will likely see this trend continue as cybercriminals become increasingly sophisticated in their attacks. COVID-19 will continue to be a popular topic for attackers in 2022, but a number of new trends are emerging.
- Spam calendar invites, where attackers spam your calendar with meeting invites, are becoming more common, while QR code-based fraud is also something Phished expects to see more of in the future. the new Year.
- Perhaps most concerning is the potential for deep fakes to make phishing more compelling and open up voice as a new attack vector.
“The task for the coming year is clear: organizations must explicitly focus on raising awareness among their employees. In recent years, the volume of phishing attacks has increased exponentially and without a radical countermove, these campaigns will continue to claim more victims, resulting in significant losses for organizations. A one-time workshop does not help against phishing. People need extensive and repeated training to help them recognize increasingly sophisticated phishing messages,” concludes Van de Meulebroucke.
Read the full report on Phished