E-mail purportedly from human resources convinced more than one-fifth of recipients to click, the majority of whom did so within an hour of receiving the fraudulent message.
A simulated phishing attack against more than 82,000 workers found that e-mails with a personal impact resulted in more clicks and that technical teams — such as IT workers and DevOps teams — clicked just as often and reported suspected phishing attacks less often compared with nontechnical teams
Software-security firm F-Secure worked with four multinational organizations to create campaigns featuring one of four different phishing e-mails: a purported message from human resources, a fake CEO fraud message, a spoofed document-sharing message, and a fake notice of a service failure. On average, 12% of users clicked on the phishing e-mail in their inboxes, but the rate depended significantly on the content.
In addition, the median time to report a suspected phishing attack was 30 minutes — good but somewhat problematic as a quarter of those who clicked on a phishing e-mail did so in the first five minutes, says Matthew Connor, F-Secure’s service delivery manager and lead author of the study report.
“The identification of an attack and a successful phish is by far the most important part here,” he says. “It is all well and good to train your staff so they don’t click on an e-mail, but if the e-mails that do get through your network and to the inboxes, if you yourself haven’t picked that up, you need to know that someone is going to report that.
Read more:https://bit.ly/3u1JchQ