A large-scale phishing study involving 14,733 participants over a 15-month period has found some surprising results that contradict previous research.
This study was conducted by researchers at ETH Zurich in collaboration with an unnamed company, without informing the participants of the existence of the simulated phishing program.
The researchers sent simulated phishing emails to the participants’ regular business email addresses and added a button to their email client for reporting suspicious emails.
The study had four objectives:
- Which employees fall for phishing
- How vulnerabilities change over time
- How effective are built-in training and alerts
- Is there anything employees can do to detect phishing
In a finding that contradicts existing research, the researchers found that gender does not correlate with susceptibility to phishing. Instead, both younger and older employees were more likely to click on phishing links, indicating that age is an important factor.
In addition, people who use specialized software for repetitive tasks are more susceptible to phishing traps than those who do not need computers for their daily work.
30.62% of those who clicked on a phishing email went on to click in another one, confirming the so-called “repeat clickers” noted in previous studies. Furthermore, 23.91% of those who engaged in risky behavior (enabling macros, submitting credentials) did so more than once.
The ETH study’s finding appears to be that employees who are continually exposed to phishing attacks will eventually fall for one, as 32.1% of participants clicked on at least one compromised link or attachment.
The results underscore the importance of having effective email security and anti-phishing filters in place, because constant exposure to phishing can desensitize even trained employees and lead them to take risky actions.
Is training that does not require employees to complete it ineffective?
A new finding is that warnings on suspicious emails are effective, but their effectiveness does not increase as the warning message becomes more detailed.
Contrary to conventional industry wisdom, the researchers found that voluntary embedded training during simulated phishing exercises is ineffective.
The combination of simulated phishing exercises and voluntary embedded training (which does not require employees to complete the training) was shown not only to fail to improve employees’ resistance to phishing, but actually to make them more susceptible to it.
Crowdsourcing can make this happen
Employees at the test companies were provided with a “Report Phishing” button on their email clients to report suspicious messages, which resulted in 90% of employees reporting no more than 6 suspicious emails, although some employees continued to report very actively throughout the experiment.
Thus, the researchers conclude that there is no “reporting fatigue,” suggesting that crowdsourcing of anti-phishing data is feasible.
Accuracy of reports from users was 68% for phishing and 79% if spam is included, with those who reported the most reaching an accuracy of over 80%.
In addition, 10% of all reports were submitted within 5 minutes of the email being received, and 35% within 30 minutes.
Assuming that 100 employees in a company of 1,000 receive a phishing email, the company would receive between 8 and 25 employee reports, with one report arriving within 5 minutes and more within 30 minutes.
These results show that the threat of phishing attacks can be significantly mitigated through the use of enterprise-wide crowdsourced phishing detection services.
It is also worth noting that such a system imposes little operational overhead, so companies can adopt crowdsourced anti-phishing measures without incurring much of a burden.
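A toy model of the crowdsourced detection idea described above, added here as an illustration and not code from the study or the article: it turns the quoted report rates (8 to 25 reports per 100 phished users) and report latencies (10% within 5 minutes, 35% within 30 minutes) into the probability that at least one report arrives quickly, and triages a set of constructed sample reports into campaign alerts. The independence assumption, the sender/subject grouping, the alert threshold and all sample data are assumptions made for this example.

```python
"""Toy crowdsourced phishing-report model. Only the percentages are taken from the
article; everything else (independence, grouping key, threshold, sample reports)
is a constructed assumption for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

REPORT_RATE = (0.08, 0.25)          # reports per phished user, low and high bound (article)
FRAC_WITHIN = {5: 0.10, 30: 0.35}   # share of reports arriving within N minutes (article)


def prob_report_within(n_phished, minutes, report_rate):
    """Probability that at least one of n_phished users reports within `minutes`,
    assuming each user reports independently of the others (modelling assumption)."""
    p_each = report_rate * FRAC_WITHIN[minutes]
    return 1 - (1 - p_each) ** n_phished


def triage(reports, threshold=3):
    """Group user reports by normalised (sender, subject) into campaigns and return
    those that reached `threshold` reports, with the delay to the first report."""
    by_campaign = defaultdict(list)
    for r in reports:
        key = (r["sender"].lower(), r["subject"].strip().lower())
        by_campaign[key].append(r)
    alerts = []
    for key, rs in by_campaign.items():
        if len(rs) >= threshold:
            first = min(rs, key=lambda r: r["reported_at"])
            delay = (first["reported_at"] - first["received_at"]).total_seconds() / 60
            alerts.append({"campaign": key, "reports": len(rs),
                           "minutes_to_first_report": delay})
    return alerts


T0 = datetime(2021, 1, 1, 9, 0)  # constructed delivery time of one simulated lure
SAMPLE_REPORTS = [  # constructed reports, not data from the study
    {"sender": "it-desk@example-mail.test", "subject": "Password expires today",
     "received_at": T0, "reported_at": T0 + timedelta(minutes=4)},
    {"sender": "IT-Desk@example-mail.test", "subject": "Password expires today ",
     "received_at": T0, "reported_at": T0 + timedelta(minutes=12)},
    {"sender": "it-desk@example-mail.test", "subject": "Password expires today",
     "received_at": T0, "reported_at": T0 + timedelta(minutes=27)},
    {"sender": "newsletter@vendor.test", "subject": "Weekly digest",  # lone benign report
     "received_at": T0, "reported_at": T0 + timedelta(minutes=40)},
]

if __name__ == "__main__":
    for rate in REPORT_RATE:
        print(f"rate={rate}: P(report within 5 min | 100 phished) = "
              f"{prob_report_within(100, 5, rate):.2f}")
    print(triage(SAMPLE_REPORTS))
```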
Of course, since phishing is a complex subject with many important factors beyond the scope of such a study, these findings should not be taken as concrete evidence of good or bad habits or universally applicable rules.
But given the central role that phishing plays in modern cyberattacks, the results of this study show that we need to develop more effective anti-phishing measures.