Fortra published a report presenting the findings from its phishing simulation exercise in October 2023 with around 300 organizations and 1.37 million individual participants. The press release presents the highlights. Full details are available in the report itself (registration required).
Key findings per the report:
- On receiving the phishing simulation message, 10.4% of all recipients clicked the link. This opened a web page that masqueraded as a valid site and asked for username and password details. Of those who had clicked, 65% entered their details and lost their credentials. Here’s one of the diagrams from the report.

- Aaarrgghhh.
- Per Fortra, “Phishing links don’t click themselves – human beings, however well-intentioned, do.”
- Click rates varied by industry – education was worst (16.7% vs. 10.4% average), finance was best (6.3% vs. 10.4% average). There’s a full breakdown in the report.
- The percentage of recipients who clicked the link and then went on to submit their password also varies by industry. Education takes worst place again – 72.8% of those who clicked lost their credentials. Finance is third from best, at 45.2%. Agriculture and food had the best result, at 29.1%.
- A decade ago, the Verizon 2013 Data Breach Investigations Report said this about the mathematics of phishing: sending 10 phishing messages almost guarantees a click. Put another way, one click per ten messages, or 10%. Page 38 of the VDBIR 2013 has this box:

- A decade later, click rates remain the same or are slightly worse.
- Yes, users need to be trained – especially as threats become more sophisticated through AI, phishing toolkits, routine MFA bypass, etc. Don’t stop doing that. But … revisit / reassess / recheck the efficacy of whatever technical protections you are using, and keep those phishing and BEC emails as far away from a user’s inbox as possible.
- On that note, you should read our report on the role of AI in email security.
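As an added example (not from Fortra’s report or this post), the Python below computes the per-recipient figures the report quotes (click rate, credential-submission rate among clickers, overall credential-loss rate) from a constructed set of simulation outcomes, broken down by industry, and carries the Verizon “mathematics of phishing” through in general form: the probability that at least one of n recipients clicks given a per-recipient click rate p, and the number of messages needed before a click is near-certain. The `Outcome` record layout and the sample data are assumptions, not the report’s export format.

```python
"""Phishing-simulation arithmetic: per-recipient rates and campaign-level odds.

Added example, not code from Fortra's report or the post. The Outcome record
and the SAMPLE data below are constructed for illustration.
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One simulated recipient's result (assumed layout, not a vendor format)."""
    industry: str
    clicked: bool
    submitted_credentials: bool


def rates(outcomes):
    """Return (click_rate, submit_rate_among_clickers, credential_loss_rate_overall)."""
    total = len(outcomes)
    if total == 0:
        return 0.0, 0.0, 0.0
    clicked = sum(1 for o in outcomes if o.clicked)
    # Only a click can lead to a submission; guard against inconsistent records.
    submitted = sum(1 for o in outcomes if o.clicked and o.submitted_credentials)
    click_rate = clicked / total
    submit_given_click = submitted / clicked if clicked else 0.0
    loss_overall = submitted / total
    return click_rate, submit_given_click, loss_overall


def rates_by_industry(outcomes):
    """Group outcomes by industry and compute the same three rates per group."""
    groups = defaultdict(list)
    for o in outcomes:
        groups[o.industry].append(o)
    return {industry: rates(group) for industry, group in groups.items()}


def p_at_least_one(p_per_message, n_messages):
    """P(at least one click) for n independent recipients with per-recipient rate p."""
    return 1.0 - (1.0 - p_per_message) ** n_messages


def messages_for_confidence(p_per_message, confidence):
    """Smallest n such that P(at least one click) >= confidence."""
    if not 0.0 < p_per_message < 1.0 or not 0.0 < confidence < 1.0:
        raise ValueError("rates must lie strictly between 0 and 1")
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p_per_message))


def _constructed(industry, n, n_clicked, n_submitted):
    """Build n constructed outcomes: n_clicked clicked, n_submitted of those submitted."""
    return [
        Outcome(industry, i < n_clicked, i < n_clicked and i < n_submitted)
        for i in range(n)
    ]


# Constructed sample: 100 recipients, 13 clicks, 8 credential submissions.
SAMPLE = _constructed("education", 60, 10, 7) + _constructed("finance", 40, 3, 1)


if __name__ == "__main__":
    click, submit, loss = rates(SAMPLE)
    print(f"overall: click {click:.1%}, submit|click {submit:.1%}, loss {loss:.1%}")
    for industry, (c, s, l) in sorted(rates_by_industry(SAMPLE).items()):
        print(f"{industry:>10}: click {c:.1%}, submit|click {s:.1%}, loss {l:.1%}")
    # Plug in a measured per-recipient click rate to see campaign-level odds.
    for n in (1, 3, 10, 21):
        print(f"{n:>2} messages at 10.4% click rate: "
              f"P(>=1 click) = {p_at_least_one(0.104, n):.1%}")
    print("messages for 90% confidence at 10.4%:",
          messages_for_confidence(0.104, 0.9))
```

Running it against your own simulation export (mapped into `Outcome` records) gives the same three figures the report presents, and the last two functions make the point the report’s statistics imply: a per-recipient click rate that looks small becomes a near-certain campaign success once a few dozen messages are sent, which is why the technical controls upstream of the inbox matter as much as the training.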