Employee reporting of suspicious emails substantially outweighs susceptibility to attacks

 LEESBURG, VA December 13th, 2016: PhishMe Inc., the leading provider of human phishing defense solutions, today released its 2016 Enterprise Phishing Susceptibility and Resiliency Report, which illustrates employee susceptibility to phishing emails and resilience improvements when engaged in security reporting. With phishing still the most common cyber-attack vector leading to data breach, the report analyzes the most successful triggers, themes and emotional motivators leading employees to fall for phishing emails, as well as how reporting can drive a decrease in time to attack detection from days to minutes.

The PhishMe research teams analyzed data compiled from over 40 million phishing simulations performed between January 2015 and July 2016. Responses were gathered from a sample of over 1,000 PhishMe customers across the globe, including Fortune 500 and public sector organizations from 23 industry verticals. Published today, PhishMe’s 2016 Enterprise Phishing Susceptibility and Resiliency Report identified the following insights:

  • Business context phishing simulation emails still the most challenging: Office communications and finance-related themes generated the highest susceptibility rates, with 19.9 percent and 18.6 percent respectively, driven by sentiments of curiosity, fear and urgency.
  • Reporting outweighs susceptibility to phishing: Over a relatively short amount of time, reporting rates bypass susceptibility rates when at least 80% of the company has been conditioned to identify and empowered to report suspicious emails.
  • Active reporting can significantly decrease breach detection times: Samples analyzed show reporting of suspicious emails reduced security team response time to approximately 1.2 hours over the currently industry average of 146 days to detect a security breach.

PhishMe’s analysis revealed that business or office-related phishing emails proved to be the most effective simulations, as well as the most difficult for users to recognize and report. Phishing emails with sentiments of curiosity, fear and urgency scored the highest percentage in average response rates, suggesting that employees are at risk of increased susceptibility to phishing campaigns that include an emotional pull, even at a subconscious level.

“Our analysis shows that continued exposure to simulations lowers the chance of an employee falling for a phishing email – the key being consistent exposure,” stated Aaron Higbee, Co-Founder and CTO at PhishMe. “Once employees are conditioned to identify phishing attacks, our data shows that reporting them to the IT Security team starts to outweigh organizational susceptibility.  It only takes one employee to report a targeted attack to give incident response teams a chance to stop a potential data breach. Armed with this new data, we hope that more CISOs focus their attention on the ratio of Report-To-Click instead of dwelling on susceptibility metrics.”

The 2016 Enterprise Phishing Susceptibility and Resiliency Report also analyzes variances in phishing simulation response by themes, emotional triggers, and average response rates per industry. In looking at one particular type of phishing email type, the “file from scanner” scenario generated the highest number of response rates in the transportation sector at 49 percent, followed by healthcare at 31 percent and insurance at 30 percent. On the other hand, the non-profit sector scored the lowest response rate, at a 5 percent.

“Understanding what motivates your employees to open or fall for a phish is a critical step in building their resiliency to attacks and enabling faster incident response” continued Higbee “At its core, a phishing simulation program allows organizations to assess, measure, educate and empower all employees about phishing threats while creating a wider net of human sensors to help reduce the risk of a full-blown data breach.”.

To download a full copy of the 2016 Enterprise Phishing Susceptibility and Resiliency Report, click here.