A large segment of employees in Lithuanian companies is still unable to recognise email fraud. An investigative social engineering simulation by Responsu found that a full 54% of individuals who read a phishing email could not spot the fraud and clicked on a harmful link. The situation is even more concerning because 31% of them did so in less than a minute. Do we truly know how to reduce the risks related to the human factor and protect ourselves against email fraud?
Email fraud, also known as phishing, is not a new problem in the IT security domain. However, events in recent years, where working from home has become inevitable and the pace of digitalisation remains rapid, have greatly increased the severity of this problem. In 2020, the number of phishing attack victims rose by 600% and the share of those unable to recognise a complex fraudulent email reached 97%.
This situation is concerning for major organisations and state companies as well as for small businesses. After all, no one is safe from fraudsters. Online fraudsters are uninterested in a company’s size or sector – most attacks are automated. Even a single careless action, such as clicking an infected link, could lead to a loss of client trust, disrupted operations, and financial losses.
Today, organisations are also concerned that traditional measures for developing IT security awareness among company staff may no longer be as effective. Attack techniques are improving rapidly, and external factors such as remote work continue to erode employees’ ability to recognise threats.
To help businesses gauge whether their IT security awareness policies are effective and whether their staff are capable of recognising email fraud, Responsu organised an investigative social engineering campaign. During the project, phishing attack simulations were carried out at the participating companies by sending identical fraudulent emails. The participants’ clicks on supposedly harmful links were recorded, and the resulting data was analysed by comparing click rates against each company’s sector and size.
How did it all proceed?
The investigative social engineering simulation was performed over a period of five weeks in May-June 2021. The project included 5,510 individuals from 70 different organisations and 13 sectors. The Sophos Phish Threat social engineering simulation tool was harnessed for staging the phishing attack, allowing identical emails with supposedly infected links to be sent, and making it possible to record the recipients’ actions – opening the email, clicking the link, and the time and device used.
Global figures are almost the same, but some employees lack knowledge, while others – practice
Among all company employees participating in the study, 19% clicked the supposedly harmful link, while the remaining 81% did not take the bait. By comparison, global statistics for 2020 indicate that 20% of employees would fail to recognise a fraudulent email and would click a harmful link. At first glance this might not appear too bad, but it is crucial to remember that even a single careless click could lead to irrecoverable losses.
On the other hand, technical IT security measures and administrative settings also influence user behaviour. For example, they can prevent suspect emails from reaching the inbox or can warn of danger. In such cases the individual never reads the email and never learns of the attack. Thus, the combined click indicator, calculated against the entire number of sent emails, is suited to gauging an organisation’s overall security level. The risk generated by the human factor, meanwhile, is better illustrated by the number of clicks among read emails, where the evaluation is based solely on the individuals who read the email and on how they behaved.
35% of participants in the Responsu study read the fraudulent email and, among them, every second individual clicked on the link (54%). This reveals that more than half of employees reading the email lacked the necessary practical skills to discern the fraud.
It was also noted that employees were careless and rushed – 31% of participants clicked the link in under a minute. This indicates that these individuals lack the information and theoretical knowledge needed to evaluate the emails they receive critically.
This situation also signals that an understanding of IT security is not sufficiently integrated into organisational culture, so employees rarely consider cyber-threats when performing everyday tasks. One of the simplest ways to foster the view that IT security is everyone’s responsibility is to regularly share information about cyber-attacks, their scale, and their consequences.
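The two denominators described above (all sent emails versus read emails) and the time-to-click measure give different answers about the same campaign. The following is an added example, not code from Responsu or the Sophos Phish Threat tool: it computes both click indicators, the share of fast clicks, and a per-segment breakdown from a constructed export of per-recipient events. The record layout and the sample rows are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Recipient:
    sector: str
    size: str                        # company size band, e.g. "1-5"
    opened_at: Optional[datetime]    # None if the open event is missing
    clicked_at: Optional[datetime]   # None if the link was never clicked

def pct(num: int, den: int) -> float:
    return round(100 * num / den, 1) if den else 0.0

def campaign_metrics(rows, fast_window=timedelta(seconds=60)):
    # A click implies the email was read, even if the open event was lost.
    read = [r for r in rows if r.opened_at or r.clicked_at]
    clicked = [r for r in read if r.clicked_at]
    # Time-to-click needs both timestamps; rows missing an open are skipped.
    fast = [r for r in clicked
            if r.opened_at and r.clicked_at - r.opened_at < fast_window]
    return {
        "sent": len(rows),
        "overall_click_rate": pct(len(clicked), len(rows)),  # clicks / sent
        "read_rate": pct(len(read), len(rows)),
        "read_click_rate": pct(len(clicked), len(read)),     # clicks / read
        "fast_click_share": pct(len(fast), len(clicked)),    # of clickers
    }

def read_click_rate_by(rows, attr: str) -> dict:
    # Human-factor indicator per sector or size band (clicks / read emails).
    groups: dict = {}
    for r in rows:
        groups.setdefault(getattr(r, attr), []).append(r)
    return {k: campaign_metrics(v)["read_click_rate"] for k, v in groups.items()}

# Constructed sample export (10 recipients); not data from the study.
T0 = datetime(2021, 5, 10, 9, 0)
SAMPLE = [
    Recipient("IT", "250+", T0, None),
    Recipient("IT", "250+", None, None),
    Recipient("IT", "250+", T0, None),
    Recipient("tourism", "1-5", T0, T0 + timedelta(seconds=30)),
    Recipient("tourism", "1-5", T0, T0 + timedelta(minutes=5)),
    Recipient("healthcare", "50-249", T0, None),
    Recipient("healthcare", "50-249", None, None),
    Recipient("real estate", "1-5", T0, T0 + timedelta(seconds=20)),
    Recipient("real estate", "1-5", None, None),
    Recipient("utilities", "50-249", None, T0 + timedelta(minutes=2)),
]
```

On the sample, the overall click rate is 40% while the read click rate is 57.1%, which is the gap the text describes between the organisation-level and the human-factor indicator.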
Small businesses remain the most vulnerable
The small business segment had the highest average click rate (33%). This reveals that particularly small companies (up to 5 employees) still dedicate insufficient human and technical resources to IT security. Employees in major organisations, on the other hand, were half as likely to click on the link (16%).
This is because major organisations typically dedicate more attention to creating and implementing security policies and to monitoring compliance with their requirements.
IT companies remain the most literate in cybersecurity
A click rate far above the average was recorded in four sectors – tourism services (39%), healthcare (33%), real estate and letting (60%), and utility services (33%). The information technology sector showed a click rate of less than half the average (8%).
When evaluating organisations by sector, it must be noted that every sector faces different challenges, which affect the number of clicks on the fraudulent link. The main factor behind the markedly higher indicator in certain sectors is likely the rapid digitalisation of everyday operations, undertaken to generate greater value and a better client experience, while insufficient attention is paid to building IT security awareness among staff.
Mobile devices aren’t always more dangerous and educational programmes work
After evaluating the type of device individuals used when receiving the fraudulent email, it was found that computer users, not those who checked their email on a mobile device, clicked on the harmful link more often and faster. However, it would not be entirely accurate to claim that mobile devices are less dangerous. Typically, it is harder to notice fraudulent emails on a smartphone than on a computer because the visual elements that help identify fraud are smaller. Other factors may also have influenced this study’s results, such as the fact that not all employees use mobile devices or have email access on them, as well as restrictions on meetings and business trips and the shift to working from home.
IT security awareness training usually covers information about cyber threats in the virtual domain and develops the skills needed to react to these threats. During the study, more than half of the participating companies reported that, among all the individuals who read the fraudulent email, at least one staff member informed the responsible individuals of the suspect email they had received.
What can we learn?
The human factor remains especially relevant not only at the global level, but also in Lithuania. It is not hard to imagine the consequences of any company’s employee clicking on a truly harmful link – it could deliver malicious code or allow confidential data to be leaked. Moreover, there are numerous scenarios in which this could further serve the criminals, such as obtaining access to sensitive internal correspondence or gathering information and leveraging it in later, more complex attacks.
Thus, both small businesses and major organisations must remain vigilant and constantly strive to reduce the human risk factor. However, before taking action, it is necessary to understand why employees act the way they do – whether it is a lack of theoretical or practical knowledge that makes them less cautious, or whether they genuinely retain what they learned in past training. Only by examining the current situation can you prepare the optimal training programme.
It is also worth noting that only comprehensive staff IT security awareness training, which combines theoretical tasks, case simulations, and regular refreshing of knowledge, can ensure that company staff are prepared to recognise cyber threats. Finally, nurturing an organisational culture in which IT security is the responsibility of all employees, not solely of the IT department, can help reach the highest levels of security.
- Another investigative social engineering simulation is planned for March-May 2022. We invite you to register for it now!