E-mail purportedly from human resources convinced more than one-fifth of recipients to click, the majority of whom did so within an hour of receiving the fraudulent message.
A simulated phishing attack against more than 82,000 workers found that e-mails with a personal impact resulted in more clicks, and that technical teams — such as IT workers and DevOps teams — clicked just as often and reported suspected phishing attacks less often than nontechnical teams.
Software-security firm F-Secure worked with four multinational organizations to create campaigns featuring one of four different phishing e-mails: a purported message from human resources, a fake CEO fraud message, a spoofed document-sharing message, and a fake notice of a service failure. On average, 12% of users clicked on the phishing e-mail in their inboxes, but the rate depended significantly on the content.
In addition, the median time to report a suspected phishing attack was 30 minutes — good, but somewhat problematic, as a quarter of those who clicked on a phishing e-mail did so in the first five minutes, says Matthew Connor, F-Secure’s service delivery manager and lead author of the study report.
“The identification of an attack and a successful phish is by far the most important part here,” he says. “It is all well and good to train your staff so they don’t click on an e-mail, but if the e-mails that do get through your network and to the inboxes, if you yourself haven’t picked that up, you need to know that someone is going to report that.