8 million phishing scam emails reveal nothing surprising


By the time you read this, the disappointment of Xmas could either be a thing of the past for another year or just about to slap you in the face. If you miss that deflating feeling of not quite getting the gift you expected, you could always try reading the latest report from PhishMe, the human-focused phishing defence solutions experts and see what happens when people receive phishing scam emails.

What the sweet baby Jesus are ‘human-focused phishing defence solutions’ when they are at home, or work for that matter? Don’t you just hate marketing speak as much as we do? Anyway, that gripe aside we have to say that here at IT Security Thing we actually rather like PhishMe, the people who run it, and the way it uses simulations to help train staff to identify, report and mitigate the social engineering threat.

And that, dear reader, is what the business-bingo-babble means when you cut through it.

We mention PhishMe not to have a pop at it, but because the intelligence-driven platform it provides not only works well by proactively changing user behaviour, but funnily enough provides a ton of data as well. Now, by gathering some of that useful data from 8 million or so phishing simulation emails that have been sent to 3.5 million enterprise employees, PhishMe has been able to apply analytics and reveal just how susceptible your staff are to a phishing attack.

Unfortunately, there are very few surprises within the PhishMe 2015 Enterprise Phishing Susceptibility Report. This actually examined data samples from around 400 PhishMe customers, and represents 4,000 or so training simulations conducted across a 13-month period.

The organisations concerned were training more than 1000 employees in 75% of cases, and were mainly (86%) American with the remainder (14%) in Europe. 23 industries were represented across Fortune 500 and public sector organisations.

OK, so with that out of the way, what did PhishMe actually discover?

Well, the vast majority (87%) of employees who did open a phishing simulation email did so the same day it was sent. Erm, that’s not exactly surprising, is it? After all, if you were going to open such an email, why would you wait a day or two to do it? Indeed, considering that phishing scam emails are designed to entice recipients to open them, it’s perhaps more surprising that the percentage wasn’t higher.

No matter when the email was sent, most employees apparently responded in the morning and most often at 8am local time. Again, I am just a tad ‘meh-stricken’ by this fact. Surely all that really shows us is that most employees are well organised and tend to get their email admin out of the way first thing.

The obviousness of the findings continues when we are informed that employees who do open a phishing email are 67% more likely to respond to another phishing attempt. Yes, that’s because they are gullible and unless the gullibility is beaten out of them with a stick (or an effective training process, which would probably be less likely to lead to a lawsuit) they are not going to change their finger-clicky habits.

That the most effective phishing emails, sent to a big business environment, are those containing “a business communication theme” is equally predictable. Office communications got the most positive response (22%) closely followed by finance and contracts (20%) and the oddly, but fairly effectively, titled employee wellness (18%). This last category got the same hit rate as social interaction mails, but beat IT communications by a single percentage point. We suspect that says a lot about IT communications in general, but that’s another story…

A total non-story is the inclusion of gender-specific response rates to phishing mails. Using the ‘package delivery’ simulation scenario, which we don’t really think needs much further explanation, PhishMe discovered that 22% of women and 20% of men were susceptible; or, put another way, around 20% of people were susceptible.

The only statistic that really caught our attention and made us think, albeit tempered a little by the MRDA factor (Mandy Rice-Davies Applies, or “they would say that”), was that the kind of behavioural conditioning that PhishMe provides decreases those susceptible employees’ likelihood to respond to malicious email after just a handful of simulation exercises by a whopping 97%.

The average time taken by employees on education after responding to a simulation was two minutes and seven seconds, and with 3-4 training exposures enough to do the trick, it need only take around 10 minutes to positively change staff behaviour when it comes to phishing tricks.

“Analytics resulting from the report reveal three very pertinent conclusions: that enterprises remain vulnerable to phishing-driven compromises, they need to place more reliance on employees to help them defend their organisations, and consistent training turns employees into informants that can spot attacks before they turn into catastrophes,” said Rohyt Belani, CEO and co-founder, PhishMe.

“Analytics resulting from the report reveal the bleedin’ obvious: that business is vulnerable to social engineering attacks and that staff awareness training of the threat helps to mitigate this,” said Davey Winder, Managing Analyst and co-founder, IT Security Thing who added, “so train your staff already!!!”

Drops mic, walks off…