As it turns out, industries and departments that hold the most sensitive data are also most vulnerable to phishing scams. 1 in 3 employees are likely to click the links in phishing emails, and 1 in 8 employees are likely to share information requested in a phishing email, a recent study by Keepnet Labs has shown.
Keepnet Labs sent 410,000 simulated phishing emails, and this experiment revealed quite unnerving results: more than half of the targets opened phishing messages, 32% went on to click the malicious attachment or link, and almost 13% submitted information requested in the phishing email.
While opening an email is not considered bad practice, the share of people clicking on the malicious link is alarming.
“It certainly very clearly identifies the systemic problem across organizations. It’s not a good result,” James Baker, board advisor at Keepnet Labs, told CyberNews. “1 in 3 people continue clicking on the links. This is devastating,” his colleague Dr. Orhan Sari added.
Over 90% of data breaches originate from phishing attacks, which is why phishers never stop, Keepnet Labs experts state.
Criminals can also hide malware and phishing sites behind SSL certificates, so that the browser’s padlock lends a malicious link credibility and manipulates people into clicking it.
“Cybercriminals target particular jobs and departments in different industries connected to their purposes. For instance, they usually send phishing emails containing macro ransomware to the HR employees or consulting firms who have to deal with certain attachments. Therefore, these people are more likely to open the attachments than the others who do not regularly get emails with attached documents,” experts claim.
Microsoft, Gmail, and COVID-19
Keepnet Labs simulated phishing emails and mimicked emails from companies such as Microsoft or Google’s Gmail. When it comes to real phishing attacks, these are the top brands that scammers are pretending to represent.
“Microsoft is first on the list of brands. Then it’s Netflix. Recently, due to the pandemic people started to work from home, and they watch a lot of movies, so Netflix-themed phishing attacks have risen. Also, as people started working from home, and were forced to use VPN services, scammers mimic some VPN services,” Orhan Sari explained.
In the early days of the pandemic, people got some coronavirus-related emails, but there were never as many of them as Microsoft, Apple, Gmail, or Bitcoin-themed attacks, he said.
Keepnet Labs also saw a rise in business email compromise (BEC) attacks.
“Cybercriminals target the employees by masquerading themselves as senior officers. We witness a lot of business compromise attacks, and whaling attacks, too,” he said.
According to James Baker, companies that run phishing simulations for the first time usually learn that 40-60% of their employees are likely to open malicious links or attachments.
“The second time they run that simulation after 6 months, that normally drops to 20-25%. And the third time they run it 3 to 6 months later often it can drop down between 10 and 18%,” he explained.
So which industries are most likely to fall victim?
The most vulnerable industries, and why
According to the report, in terms of clicking on a phishing link, these are the top 5 most vulnerable industries.
- Apparel & accessories
And in terms of submitting credentials or sharing information, these are the top 5 most vulnerable industries:
- Apparel & accessories
- Securities & commodity exchanges
What makes some industries more vulnerable to phishing than others? Orhan Sari listed three reasons. The first is the sheer volume of email.
“The level of email correspondence has risen among businesses. And they basically don’t pay attention to emails. They think they are smart enough to recognize phishing attacks,” Orhan Sari explained.
The other two reasons are a lack of cybersecurity training and a failure to adopt cybersecurity best practices.
Keepnet Labs has been doing this phishing simulation for the past three years. Sadly, the trend hasn’t changed.
Will the pandemic that accelerated our move to the digital world make companies and their employees more cyber vigilant?
“We are seeing a large increase in demand for cyber awareness content in a lot of large organizations. A lot of companies are taking it more seriously, and investing in the training of people, and there seems to be a change between companies that traditionally did training for compliance purposes so they would do cyber training once per year, and be able basically to tick a box. That’s changing now, and they are asking us to provide monthly training exercises to further grow cyber aware culture,” James Baker said.
The damage is almost unknown
Employees in legal/audit/internal control, purchasing/administrative, and quality management/health departments are most likely to click on the links in phishing emails and are the most likely to disclose information (i.e. credentials) requested in phishing emails.
“We have revealed that the key departments that access most of the sensitive information are more vulnerable to phishing attacks, like in the previous year. Phishing attacks are winning because they target fundamental and typical human nature. Once these departments are jeopardized, it can have a devastating effect on any organization. Besides the direct economic cost, such as theft of corporate information, breaches can lead to disruption to brand and reputation. There will also be legal and regulatory challenges to deal with in the aftermath of an incident,” the conclusion of the report reads.
The possible damage, James Baker explained, depends on the attacker’s motives. An attacker who is after an individual could steal that person’s identity and, for example, take out loans in the victim’s name. An attacker who is after the organization could take the entire company down by, for example, deploying ransomware.
“The biggest risk is almost unknown. Once that data has left the organization, how quickly would it be used in an attack against the organization?” he said.
“Each person is on the hacker’s radar,” Orhan Sari added.