Fake Phishing Attacks Slash End-User Gullibility


Here at hSo, our staff are routinely subject to phishing attacks. Who ordered many of these digital attacks on our staff?

We did.

Simulated phishing attacks help keep us on our toes. And we're not the only firm benefiting from this type of test, judging by KnowBe4's 2022 Phishing By Industry Benchmarking Report.

KnowBe4 ran over 23 million phishing tests across more than 30,000 organisations. They found that, with no security awareness training, 30% of UK employees fall for phishing attacks. After 90 days of training, 17% of UK end-users still fell for them. Gullibility kept declining as time went on: after a year of regular cybersecurity quizzes, refresher courses and simulated phishing tests, just 5% of UK end-users clicked on dodgy links.

A few of those clicks may come from savvy users opening the link in a sandbox to check whether it is safe to view, but mostly the people failing these tests are falling for deliberately bland phishing emails.

Kaspersky found that mundane delivery-failure emails and corporate-style emails do well at tricking users. Here are the phishing test templates that tricked the most people:

Subject: Failed delivery attempt - Unfortunately, our courier was unable to deliver your item. From: Mail delivery service. Click-through rate: 18.5%.

Subject: Emails not delivered due to overloaded mail servers. From: The Google support team. Click-through rate: 18%.

Subject: Online employee survey: What would you improve about working at the company. From: HR Department. Click-through rate: 18%.

Subject: Reminder: New company-wide dress code. From: Human Resources. Click-through rate: 17.5%.

Subject: Attention all employees: new building evacuation plan. From: Safety Department. Click-through rate: 16%.
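How click-through rates like the ones above are produced, as an added example (this is not hSo's or KnowBe4's code): each recipient gets a unique, HMAC-signed tracking link per lure, so a click in the training site's access log can be attributed to one person and one lure, a forged or guessed link is ignored, and repeat clicks by the same person count once. The campaign key, user IDs, lure IDs, tracking URL and log format are all constructed for the example.

```python
"""Measure click-through rate per lure in a simulated phishing campaign.

Added example, not hSo's or KnowBe4's code. Each recipient gets a unique,
HMAC-signed tracking token so a click can be attributed to a person and a
lure without a guessable counter, and tampered tokens are rejected. The
campaign key, recipients, lure IDs and click log are constructed sample data.
"""
import hashlib
import hmac
from collections import defaultdict

# Campaign secret: in a real deployment this lives in a secrets store.
CAMPAIGN_KEY = b"constructed-campaign-key-do-not-reuse"

# Lures under test (constructed IDs; subject lines are the ones quoted above).
LURES = {
    "L1": "Failed delivery attempt",
    "L2": "Emails not delivered due to overloaded mail servers",
}

RECIPIENTS = ["alice", "bob", "carol", "dave"]  # constructed user IDs


def make_token(user: str, lure: str) -> str:
    """Unique, unforgeable tracking token: payload plus truncated HMAC tag."""
    payload = f"{user}:{lure}"
    tag = hmac.new(CAMPAIGN_KEY, payload.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{payload}:{tag}"


def verify_token(token: str):
    """Return (user, lure) if the tag verifies, else None."""
    try:
        user, lure, tag = token.split(":")
    except ValueError:
        return None
    expected = hmac.new(CAMPAIGN_KEY, f"{user}:{lure}".encode(),
                        hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return user, lure


def send_campaign(recipients, lures):
    """Return {(user, lure): url} for every mail the campaign would send."""
    sent = {}
    for lure in lures:
        for user in recipients:
            sent[(user, lure)] = f"https://training.example/t/{make_token(user, lure)}"
    return sent


def click_through_rates(sent, click_log):
    """Attribute log lines to (user, lure), dropping forged tokens and
    repeat clicks by the same person, then compute per-lure rates (%)."""
    clicked = set()
    for line in click_log:
        # Constructed access-log format: "<ip> GET /t/<token>"
        path = line.split("GET ", 1)[1].strip()
        token = path.rsplit("/", 1)[1]
        result = verify_token(token)
        if result is None or result not in sent:
            continue  # forged token, or not part of this campaign
        clicked.add(result)
    per_lure = defaultdict(lambda: [0, 0])  # lure -> [clicks, sent]
    for (user, lure) in sent:
        per_lure[lure][1] += 1
        if (user, lure) in clicked:
            per_lure[lure][0] += 1
    return {lure: round(100 * c / n, 1) for lure, (c, n) in per_lure.items()}


# Constructed click log: alice clicks L1 twice, bob clicks L1 and L2,
# and one line carries a forged token for carol that must not count.
SENT = send_campaign(RECIPIENTS, LURES)
CLICK_LOG = [
    f"10.0.0.5 GET /t/{make_token('alice', 'L1')}",
    f"10.0.0.5 GET /t/{make_token('alice', 'L1')}",
    f"10.0.0.9 GET /t/{make_token('bob', 'L1')}",
    f"10.0.0.9 GET /t/{make_token('bob', 'L2')}",
    "10.0.0.7 GET /t/carol:L2:0000000000000000",
]

if __name__ == "__main__":
    print(click_through_rates(SENT, CLICK_LOG))  # {'L1': 50.0, 'L2': 25.0}
```

The HMAC matters more than it looks: a sequential ID in the link would let a curious recipient "click" on a colleague's behalf and corrupt the measurement, and the truncated tag is verified in constant time so the log endpoint does not leak anything about valid tokens.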

What can you do to reduce your risk of falling foul of phishing attacks?

Have a firm like KnowBe4 train your staff online and test them with simulated phishing attacks. Cutting the click rate from 30% to 5% isn't enough on its own, but it's certainly a very good starting point.

Rolling out multi-factor authentication is also sensible. A simple credential-harvesting page captures the password but not the second factor, so MFA makes it harder - though not impossible - for a phisher to use what they stole: reverse-proxy phishing kits that relay the login in real time can capture the resulting session as well, which is why phishing-resistant methods such as FIDO2 security keys are preferable to one-time codes.

Thirdly, roll out Single Sign-On, so there are fewer passwords to steal and credential-misuse attempts are visible in one place, your central Identity and Access Management solution.

If your staff routinely work from home for at least part of the week, consider a corporate VPN solution that can filter their Internet traffic, so there is some network-level protection against malware downloads and known phishing sites.

Endpoint protection adds another layer, scanning for malware and spyware. Some endpoint products can stop corporate data being copied to USB media without consent. Some take a software inventory and can deny access to the corporate VPN until the device trying to connect is sufficiently patched.

Even if your staff do their best to avoid phishing and malware, some attacks will eventually get through. Zero Trust Network Access (ZTNA) can limit the damage by granting a device access to individual applications rather than the whole corporate network, so a compromised device cannot freely reach and infect other devices. ZTNA can also cap session lifetimes and force periodic re-authentication, so a stolen password or session cookie cannot be kept alive for months simply by staying active.
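What adjusting the time between authentication requests looks like in practice, as an added example that is not hSo's ZTNA service or any vendor's code: a session policy with three clocks, an idle timeout that activity extends, an absolute lifetime that nothing extends, and a re-authentication interval after which the gateway demands password and MFA again. The policy values and the attacker timeline are constructed for the example.

```python
"""Session lifetime policy of the kind a ZTNA gateway enforces.

Added example, not hSo's ZTNA product or any vendor's code; the policy
values and the timeline below are constructed. Three clocks are checked
on every request: an idle timeout (extended by activity), an absolute
lifetime (never extended), and a re-authentication interval after which
the user must present password and MFA again even if active.
"""
from dataclasses import dataclass

HOUR = 3600


@dataclass
class Policy:
    idle_timeout: int = 1 * HOUR        # inactivity before the session dies
    absolute_lifetime: int = 12 * HOUR  # hard cap, regardless of activity
    reauth_interval: int = 4 * HOUR     # prompt for password+MFA again


@dataclass
class Session:
    created: int    # when the session was first established
    last_seen: int  # last request that was allowed through
    last_auth: int  # last successful password+MFA prompt

    def check(self, now: int, policy: Policy) -> str:
        """Return 'ok', 'reauth' or 'expired' for a request at time `now`."""
        if now - self.created >= policy.absolute_lifetime:
            return "expired"          # keep-alive traffic cannot save it
        if now - self.last_seen >= policy.idle_timeout:
            return "expired"
        if now - self.last_auth >= policy.reauth_interval:
            return "reauth"           # allowed only after a fresh MFA prompt
        self.last_seen = now          # activity extends the idle timer only
        return "ok"

    def reauthenticate(self, now: int) -> None:
        """Called by the gateway after a successful password+MFA prompt."""
        self.last_auth = now
        self.last_seen = now


def keepalive_survives_until(policy: Policy, interval: int, horizon: int):
    """An attacker holding a stolen session sends a request every `interval`
    seconds but cannot pass a re-auth prompt. Returns (time, verdict) of the
    first request the gateway refuses, or (horizon, 'ok') if it never does."""
    s = Session(created=0, last_seen=0, last_auth=0)
    t = interval
    while t <= horizon:
        verdict = s.check(t, policy)
        if verdict != "ok":
            return t, verdict
        t += interval
    return horizon, "ok"


# Constructed weak policy: idle timeout only, everything else a year.
WEAK = Policy(idle_timeout=HOUR,
              absolute_lifetime=365 * 24 * HOUR,
              reauth_interval=365 * 24 * HOUR)

if __name__ == "__main__":
    month = 30 * 24 * HOUR
    # Stolen session pinged every 30 minutes: strong policy stops it at 4h.
    print(keepalive_survives_until(Policy(), 30 * 60, month))  # (14400, 'reauth')
    # With only an idle timeout it is still alive a month later.
    print(keepalive_survives_until(WEAK, 30 * 60, month))      # (2592000, 'ok')
```

The point of the simulation is the contrast: an idle timeout alone is defeated by a script that touches the session every few minutes, which is exactly what an attacker with a stolen cookie does. Only the re-authentication interval and the absolute lifetime put a bound on how long pilfered access stays useful.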

Given the rise in ransomware attacks, the consequent rise in cyber-insurance premiums and the increasingly tough questions being asked by insurers, we expect organisations will have little choice but to raise their game on cybersecurity. We suspect we'll see a big shift towards SaaS applications that are patched for you, multi-factor authentication for all staff, and ZTNA solutions that include the endpoint protections mentioned above.

Learn more about how hSo's ZTNA service can help your organisation enhance its security.
