1 in 5 employees fall for phishing emails even after security training
The year 2020 was challenging for cybersecurity on many levels. The global pandemic brought a wave of cyberattacks exploiting the mayhem, while remote work made employees more vulnerable to such attacks.
In particular, phishing attacks hit record levels, with Google reporting over 2 million phishing sites in 2020 alone. Even more alarming, however, is that the cybersecurity measures currently applied by organizations worldwide are inadequate to protect against such dangers.
According to the data presented by the Atlas VPN team, one-fifth (19.8%) of employees fell for phishing emails even though they had gone through security awareness training.
The numbers are based on data collected during the global “2020 Gone Phishing Tournament” organized by Terranova Security and Microsoft. During the tournament, employees from 98 countries worldwide participated in a phishing simulation where their cybersecurity awareness was tested.
Of the employees who clicked on phishing email links, 67.5% also entered their credentials, such as passwords, on the phishing webpage. This means that, overall, 13.4% of employees provided their credentials to phishers.
Surprisingly, employee cybersecurity awareness is not growing; in fact, the data reveals the opposite trend. Compared to last year, the share of employees who clicked on a phishing link has increased by 77%, going up from 11.2% in 2019 to 19.8% in 2020.
The share of employees who also provided their credentials to phishers has surged even more. Last year, only 1.8% of employees gave out their credentials during the phishing simulation. In 2020, however, this number increased by a whopping 644% to 13.4%.
Out of all the global regions, North American employees had the hardest time recognizing phishing attacks. At the same time, workers in South America and Europe were the most educated on the matter.
Overall, 25.5% of employees in North America clicked on the phishing link during the simulation, while the same is true for 17% of employees in Europe and 16.9% of employees in South America.
Phishing is a social engineering attack designed to steal valuable credential information, such as login and credit card details. Cybercriminals disguise themselves as trusted entities and try to extract valuable information from unsuspecting victims, typically via email or phone.
The Public Sector is the most vulnerable to phishing attacks
While no sector is immune to phishing attacks, some industries were better educated on recognizing such assaults than others.
Five industries had above-average phishing email click rates, with the public sector at the top of the list. A total of 28.4% of employees working in the public sector clicked on a phishing link in an email.
Next up is the Transportation industry. Nearly a quarter (24.7%) of employees in the sector fell for phishing emails.
Not far behind the Transportation industry is the Service Provider sector. In total, 23.1% of employees in this field clicked on a phishing link.
Also in the top five are the Energy and Information Technology sectors, with 22.1% and 19.9% of employees respectively falling for phishing emails. Employees in all of the aforementioned industries were also the most likely to submit their credentials to fraudsters, thereby compromising sensitive data.
The Education sector, however, performed best at recognizing phishing attacks. Only 11.3% of workers in the Education sector clicked on a phishing link.
We are in an age where cyberattacks are evolving faster than ever before. However, the data shows that organizations are not doing enough to educate their employees on cybersecurity threats.
Organizations have to realize that just as the cyberthreat landscape is shifting, so should their response to cyberthreats. Otherwise, the organization is left vulnerable to cyberattacks, which have devastating and long-lasting consequences for both the organization itself and its clients.
Cybersecurity Researcher and Publisher at Atlas VPN. Interested in cybercrime, online security, and privacy-related topics.