PhishMe report shows employees can become assets in anti-phishing battle

PhishMe report shows employees can improve their ability to detect phishing emails with practice

A report released today by PhishMe based on the results of 8 million phishing simulations shows that employees can dramatically improve their ability to detect phishing emails with practice, and can be trained to forward them to security staff.

While the average response rate to any particular phishing email is about 20 percent, employees who click on one phishing email are 67 percent more likely than average to click on another one, with a click rate of 35 percent.

But their click rate falls to just 13 percent if they go through a third simulation exercise, 4 percent their fourth time through, and just 0.2 percent the fifth time.

"It is possible to change behavior," said Rohyt Belani, CEO at Leesburg, Va.-based PhishMe, Inc. "And we have metrics to prove it."

With the appropriate technology, employees can even become an active line of defense against phishing emails.

According to the study, one client employee base began reporting malicious attacks 15 minutes before anyone had actually downloaded the malicious attachment.

"You can turn people into a strong asset," Belani said. "We can get away from 'people are the weakest link.'"

In addition to running phishing simulations, Belani recommends that companies make it easy for employees to report malicious emails by adding a simple button to their Outlook screens.

Another approach that helps increase reporting is to show employees their personal accuracy scores for reporting malicious emails, and how they compare to the average at the company.

"People want to get better at this," he said.
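As an added illustration of the metrics described above (not PhishMe's own code or data), the following Python computes the per-round click rate, the repeat-clicker rate, and each employee's reporting accuracy score against the company average from a constructed set of simulation results:

```python
from collections import defaultdict

# Constructed simulation results (not PhishMe data): one record per simulated
# phishing email delivered. "round" is the employee's Nth simulation; "clicked"
# and "reported" record what the employee did with that email.
RESULTS = [
    {"user": "alice", "round": 1, "clicked": True,  "reported": False},
    {"user": "alice", "round": 2, "clicked": True,  "reported": False},
    {"user": "alice", "round": 3, "clicked": False, "reported": True},
    {"user": "bob",   "round": 1, "clicked": False, "reported": True},
    {"user": "bob",   "round": 2, "clicked": False, "reported": True},
    {"user": "bob",   "round": 3, "clicked": False, "reported": False},
    {"user": "carol", "round": 1, "clicked": True,  "reported": False},
    {"user": "carol", "round": 2, "clicked": False, "reported": False},
    {"user": "carol", "round": 3, "clicked": False, "reported": True},
]

def click_rate_by_round(results):
    """Fraction of recipients who clicked, keyed by simulation round."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for r in results:
        sent[r["round"]] += 1
        clicked[r["round"]] += r["clicked"]
    return {n: clicked[n] / sent[n] for n in sorted(sent)}

def repeat_clicker_rate(results):
    """Round-2 click rate among employees who clicked in round 1: the
    'click once, more likely to click again' figure from the report."""
    first = {r["user"] for r in results if r["round"] == 1 and r["clicked"]}
    second = [r for r in results if r["round"] == 2 and r["user"] in first]
    return sum(r["clicked"] for r in second) / len(second) if second else 0.0

def report_accuracy(results):
    """Per-employee reporting accuracy (simulated phish reported / received)
    and the company-wide average each employee is shown alongside it."""
    received, reported = defaultdict(int), defaultdict(int)
    for r in results:
        received[r["user"]] += 1
        reported[r["user"]] += r["reported"]
    scores = {u: reported[u] / received[u] for u in received}
    return scores, sum(scores.values()) / len(scores)

if __name__ == "__main__":
    print("click rate by round:", click_rate_by_round(RESULTS))
    print("repeat-clicker rate:", repeat_clicker_rate(RESULTS))
    scores, avg = report_accuracy(RESULTS)
    for user, score in scores.items():
        print(f"{user}: {score:.0%} reported (company average {avg:.0%})")
```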

To ensure that employees aren't simply learning to avoid the simulated phishing emails, PhishMe creates phishing templates based on actual phishing emails that the bad guys are sending out. There are currently more than 300 different templates that PhishMe sends out.

Across all companies, phishing emails pretending to be regular office communications tend to hit the hardest, with a 22 percent click-through rate.

Of those, emails that claim to have your scanned file have a 36 percent open rate.

There are differences in click-through rates for different times of the year, and different industries.

For example, education industry employees getting a package delivery email have a 49 percent click-through rate, while employees in the travel industry respond to these just 13 percent of the time.

During the holidays, common phishing emails include holiday e-cards, holiday sales and discount offers, travel notifications, and, of course, package deliveries.

PhishMe is currently sending emails to 15 million unique employees, with clients typically running four to 12 phishing simulations per year.


Stories by Maria Korolov

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts