Many employees are still clicking on phishing email links and downloading malicious file attachments, the latest global test conducted by Terranova Security has revealed.
As part of this year’s Gone Phishing Tournament, the Quebec-based cybersecurity firm sent close to one million phishing simulation emails to participating end-users during a two-week period in October and found that nearly one in five (19.8%) clicked on the message’s link. Of these, 14.4% failed to recognize that the simulation’s resulting website was unsafe and proceeded to download the malicious file attachment.
“The third edition of the report is a powerful reminder to organizations everywhere that deploying real-world phishing simulations as an educational tool is more crucial than ever,” said Lise Lapointe, chief executive officer of Terranova Security and author of the report. “By testing end-user knowledge with simulated attacks similar to threats they may encounter in their everyday activities, organizations can more easily change user behaviours and keep their sensitive information safe.”
Employees in the finance and insurance industry were among those with the highest click rates at 26.6%, ranking second only to education sector participants, who registered a 27.6% click rate. Information technology end-users placed third with a 25.6% click rate. All three industries posted phishing email click rates above the testing average.
In terms of download rates, the finance and insurance sector fared slightly above the testing average at 14.6%, dropping to fourth in the list. Education and IT industry participants registered the highest percentage of downloaders at 21.9% and 21.6%, respectively.
The IT sector also posted the highest click-to-download ratio across all industries, with 84% of those who clicked on the initial phishing link eventually downloading the malware file.
The report also showed that organizations with more than 3,000 employees performed the worst of all size segments, posting an 18% email link click rate and a 12% document download rate. Of all the size brackets, they also featured the largest click-to-download ratio at 66%.
Of the five regions where the phishing tests were conducted, organizations in North America performed the best, claiming both the lowest email link click rate (19.2%) and document download rate (11.8%). As a result, the click-to-download ratio for North American businesses was significantly lower than any of the other regions at 61.5%.
The figures stood in stark contrast to last year’s results, in which North America ranked last among the regions. The best-performing region from the previous event, Latin and South America, recorded the second-highest click-to-download ratio (78.6%) in 2021.
After outperforming their North American counterparts in 2020, European organizations posted higher rates across the board in 2021, including a click-to-download ratio of almost 74%, up more than 12 percentage points from last year.
“It’s clear that there’s room for improvement across the board,” said Theo Zafirakos, chief information security officer at Terranova Security. “Establishing, maintaining, and optimizing a training program that incorporates continuous awareness activities and phishing simulations is an essential part of strong information security.”
“Phishing threats have only become more prevalent [over the years],” he added. “Organizations must take this reality seriously and implement strong awareness training initiatives.”