Did you know that just 3% of users are responsible for 92% of cyber security breaches? They fall prey to the “Phishermen” - the people carrying out email phishing attacks against your organisation every day.
In this post, we’ll explain what phishing is, provide some examples, and give organisations instructions on how to reduce their risk from phishing attacks. We’ll also delve into the survey by security firm Elevate which identified this statistic.
What is Phishing?
Phishing is a form of social engineering attack where a cybercriminal attempts to trick you into providing sensitive information by posing as a trustworthy entity. It derives from the idea of “fishing for information.”
Email phishing is a type of cyber attack where scammers send fraudulent emails to individuals or organisations with the goal of obtaining sensitive information. Phishing emails often appear to come from well-known brands, financial institutions, or government agencies and may request that you provide login credentials, financial information, or personal details. Phishing emails may also contain malicious links or attachments that can infect your device with malware.
Once the “Phishermen” have this information about you or your company, they usually list it on auction sites on the dark web, where it may be sold over and over again to criminals who keep attacking you and stealing. You will be at risk until you change all your passwords and security details, making that information obsolete.
Examples of Email Phishing
Some common email phishing scams include:
- Emails that appear to be from a bank or financial institution requesting that you update your login credentials.
- Emails that appear to be from a well-known brand or online retailer offering a discount or promotion.
- Emails that appear to be from a government agency requesting personal information or demanding a payment.
Phishing emails used to contain deliberate grammatical errors or spelling mistakes. This was a way to filter out more attentive people, who would probably realise the instruction in the email was a scam before the crime of stealing data was complete: these people would ultimately turn out to be a waste of time for the scammer. Nowadays Phishermen are using artificial intelligence to make their attacks fully automated and harder to detect, so they don’t need this filtering out. This means obviously dodgy scam emails are becoming a thing of the past, and phishing emails can be remarkably difficult to tell from the real thing.
Cyentia Institute Email Phishing Report
The ‘Size and Shape of Workforce Risk’ report, based on Elevate Security data provided to the Cyentia Institute, covered occurrences from January 2016 to December 2021. It included 15.1 million unique events connected with 168 thousand users dispersed across more than 3.8 thousand organisational departments.
The Email Phishing Report’s main findings
Only 3% of users are responsible for 92% of malware download incidents.
Although 94% of users never encounter malware, others do so on a weekly basis.
Just 3.9% of users are responsible for 80% of email phishing cases, with some of them clicking as frequently as twice a month.
This category includes the 1% of click-happy maniacs who click and cause a cyber security incident more than 52 times each year – that is, one a week.
13% of users are responsible for 71% of “secure surfing problems”, in other words clicking dangerous links online.
And here’s the one we find truly mind boggling…
The worst offenders, who are 1% of users, will cause 200 security breach incidents every week!!!
What is a dangerous user, and why are they dangerous for email phishing?
As you can see from the Cyentia Institute report, most incidents are caused by a small minority of users. These Dangerous Users create cyber security incidents frequently.
Just over half of users never receive phishing emails, but some users may just receive a lot more phishing emails than others – hundreds every year rather than just a handful. This does not inherently make them dangerous. Most users (75%) click on phishing emails less than 10% of the time when they are not blocked in the first place.
This makes it clear that the key to reducing your email phishing risk is tackling the mistakes that these users make.
How to Protect Your Organisation Against Email Phishing
We recommend the following measures as the first steps for any business or organisation to reduce the security risk posed by “dangerous individuals”.
Recognise high-risk email users
Begin monitoring to determine which users pose an unusually high danger. Determine who is causing the majority of security events and why: a person may be an outsized target for attackers, someone who has slipped through the security restrictions, or both. Consider looking at a “click-happy user’s” browsing history as well. Then help and train your hazardous users, for example by establishing ‘guardrails’ and concentrated controls around them.
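The report’s finding that a small minority of users generate most incidents, and the advice above to work out which users cause the majority of security events, can both be checked against your own event logs. The script below is an added example, not code from Flywheel IT Services or from the Cyentia report; it assumes a constructed log in “timestamp,user,event_type” form and flags anyone averaging one or more events a week, the “52 times a year” threshold the report uses.

```python
from collections import Counter
from datetime import datetime

# Constructed sample event log (not data from the report):
# one line per security event, "timestamp,user,event_type".
SAMPLE_EVENTS = """\
2021-03-01T09:12:00,alice,phish_click
2021-03-02T10:05:00,bob,malware_download
2021-03-03T11:20:00,alice,phish_click
2021-03-09T08:00:00,alice,phish_click
2021-03-10T14:30:00,carol,phish_click
2021-03-15T09:45:00,alice,malware_download
2021-03-22T16:10:00,alice,phish_click
2021-03-29T12:00:00,dave,phish_click
"""

def parse_events(text):
    """Parse CSV-style lines into (timestamp, user, event_type) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind = line.split(",")
        events.append((datetime.fromisoformat(ts), user, kind))
    return events

def concentration(events, top_fraction):
    """Share of all events caused by the top `top_fraction` of users,
    ranked by event count. Returns (share, [top users])."""
    counts = Counter(user for _, user, _ in events)
    ranked = counts.most_common()
    n_top = max(1, round(len(ranked) * top_fraction))
    top = ranked[:n_top]
    share = sum(c for _, c in top) / len(events)
    return share, [u for u, _ in top]

def weekly_rate(events, user):
    """Average events per week for one user over the whole observed window."""
    times = [t for t, _, _ in events]
    weeks = max((max(times) - min(times)).days / 7, 1)
    return sum(1 for _, u, _ in events if u == user) / weeks

def flag_high_risk(events, per_week=1.0):
    """Users averaging at least `per_week` events a week (default: weekly)."""
    users = {u for _, u, _ in events}
    return sorted(u for u in users if weekly_rate(events, u) >= per_week)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("top 25% of users cause", concentration(evs, 0.25))
    print("high-risk users:", flag_high_risk(evs))
```

Run against a real export of phishing-click and malware-download events, the same two functions give the “X% of users cause Y% of incidents” figure and the list of users who need guardrails first.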
Educate your employees on email phishing
Train your employees to recognise phishing emails and what to do if they receive one. Encourage them to double-check the sender’s email address and verify the legitimacy of any requests for sensitive information.
Examine the efficacy of your anti-phishing email controls
Measure how many phishing emails get past your filters. Make sure antivirus software is installed on every device, and ensure that the controls are not only in place but also working effectively for everyone.
Conduct regular security audits
Regularly review your organisation’s security policies and procedures to identify and address any potential vulnerabilities. This can help to prevent phishing attacks and other security breaches.
Use email filtering
Implement email filtering software that can automatically detect and block phishing emails. This can help to prevent phishing emails from reaching your employees’ inboxes.
Implement multi-factor authentication
Require employees to use multi-factor authentication when accessing sensitive information. This can help to prevent unauthorised access in the event that an employee falls for a phishing scam.
Keep software up to date
Ensure that all software, including email clients and web browsers, is up to date with the latest security patches. This can help to prevent vulnerabilities that could be exploited by phishing attacks.
Flywheel IT Services can Help Protect your Company from Email Phishing
What would you like us to do?
Managed cyber security service
Managed Cyber Security Service for Businesses – find out more
Managed Cyber Security Service for Schools – find out more
Staff phishing awareness training
We tailor courses to your organisation and also do simulated phishing tests to make sure your staff have learned!
About Flywheel IT Services
Flywheel IT Services has teams of highly qualified and experienced IT engineers and consultants around the UK. For over 24 years we have partnered with businesses, schools and major construction companies to provide IT services and to guide and support their IT projects, tech strategies and day-to-day operations.