CISA Phishing Infographic Contains a Lot of Good Information

Evangelists-Roger GrimesOn December 8th, the Cybersecurity & Infrastructure Security Agency (CISA) released a great phishing infographic about data collected, lessons learned and recommendations learned from simulated phishing attacks that CISA has done for organizations. It is a great, independent, unbiased infographic with a lot of good data and recommendations. If you and your organization follow the included recommendations, you will be better off.

Each finding and recommendation is linked with specific Cybersecurity Performance Goals (CPGs) from CISA’s larger 2022 Cross-Sector Cybersecurity Performance Goals. So, it is great to be able to go from an infographic recommendation to a more formal recommendation and report, all created by the U.S. government’s largest agency dedicated to protecting people and organizations against cyberthreats.

Here are some of the key findings and some related sources for more information:

Most Successful Phishing Topics

CISA reported that three most successful simulated phishing topics were:

  • Financial-related security alerts or updates
  • Organizational announcement
  • User alerts and training updates

These are no surprises to people who follow the most popular phishing topics. KnowBe4 tracks the top, most frequently reported real-world and simulated phishing topics each quarter by our customers using our Phish Alert Button in our quarterly Top Clicked Phishing Email Subjects. Here is the latest version. You can see previous quarter results here.

Every security awareness training program should do their best to educate and mimic the most likely threats. KnowBe4’s quarterly infographic gives you that information.

How Many People Will Click on a Phishing Email?

CISA reported that one out of every 10 people who got a simulated phishing test clicked on the included link or downloaded the attachment. CISA does not share what percentage of employees open the phishing test and did not take a required action. But KnowBe4’s long-time data, known as the KnowBe4 Phishing by Industry Benchmarking report has shown that in the average organization, just under one-third of employees will open and interact with a simulated phishing test.

Just under one-third of employees being “Phish-proneTM” is an average across all organizations and industries. We saw many industries with Phish-prone Percentage rates above 50% and the lowest rate we found across 9.5 million users was 20%. If the lowest rate is one-fifth of employees being tricked by phishing, it is clear that every organization needs to make sure their employees are educated about social engineering and phishing.

Our data shows that if organizations do the recommended simulated security awareness training and simulated phishing testing that our customers can get their Phish-prone rate down to 5% or less.

And since social engineering and phishing is the most common ways that hackers and their malware creations are successful, moving your Phish-prone rate from 32% to 5% or less is one of the best defenses any organization can do.

Malware Is Getting Through

CISA reported that 70% of malware or links to malware were not blocked by network border protection services and 15% of all malware was not blocked by endpoint detection products. That is very useful information. First of all, endpoint detection products appear to be far more accurate than network-based protection products. That one fact might surprise people. Second, a lot of malware and malicious links are getting past all the automated defenses and getting to the end user. It is clear that your end users will see phishing attempts and malware and will be your last line of defense. All employees need to be trained in how to recognize social engineering and what to do once they have detected it…which is hopefully reporting it to IT/IT Security.

Most Employees Do Not Report Attempted Phishing Events

Unfortunately, CISA reported that only 13% of targeted employees reported the phishing attempt. This is a huge problem and risk. As CISA stated in their infographic, failure by employees to report attempted phishing attacks can prevent IT/IT Security from determining if the phishing attack is an isolated event or a bigger campaign that needs immediate remediation.

Employees need to be taught how to recognize phishing attacks and how to appropriately report them. We are big believers in the easy-to-use, free Phish Alert Button. Appearing as a little icon on their email client task bar, it is easy to highlight a potential phishing email and with one click, make it both go away and also report it to IT/IT Security. If you make reporting phishing easy, your employees will be more likely to do it.

Phishing Quickness

CISA’s data says that 84% of employees [who] took the bait and interacted with the simulated phishing attempt, did so within 10 minutes. This means that defenders have a very limited time to both recognize that a phishing event has gotten past their defenses, remove the phishing attempt and use other mitigations to prevent its spread.

KnowBe4 highly recommends our PhishER product. With PhishER, users report suspected phishing attempts using our Phish Alert Button where the email can be analyzed and automatically be marked as an email threat (e.g., spam, phishing, etc.) and let administrators see if the newly submitted attack is part of a larger threat. If so, administrators can use PhishRIP to quickly remove all other copies that may have gotten to other users and use PhishFlip to turn real phishing emails into simulated phishing tests to quantify how many of your users would have fallen victim had the real phishing email gotten to them.

5 Ways PhishER Saves You Time and Money white paper.

Use Phishing-Resistant MFA

CISA recommends using phishing-resistant multifactor authentication (MFA) when you can for logons. We certainly agree. KnowBe4 has been pushing phishing-resistant MFA for years and we have dozens of resources you can utilize, including these:

Hacking Multifactor Authentication book (Wiley)

Book by KnowBe4 author, Roger A. Grimes, discussing over 50-ways to hack various MFA solutions. Starts with pointing out the strengths and weaknesses of passwords, details how authentication works, covers all the various MFA methods and how to hack and protect them, and ends with telling the reader how to pick the best MFA solution for them and their organization.

Automate Updates

CISA recommends that organizations update their software and firmware any time the vendor releases a critical security patch. Read this article to learn how to use CISA’s Known Exploited Vulnerability Catalog to improve your patch management strategy.

CISA Recommends DMARC

Every organization should enable DMARC, DKIM and SPF, the world’s three most common anti-phishing-domain-spoofing standards. If you are not sure what they are or how to implement, view KnowBe4’s free one-hour webinar on the subject.

Everything You Can Do to Stop Phishing

It is clear from CISA’s phishing infographic that training your employees in how to recognize and report social engineering and phishing is one the best, if not the best, mitigations that any organization can to do best reduce cybersecurity risk.

Here is the bare minimum you need to teach every employee.

If you are interested in everything…every policy…every technical defense…every best practice education hint…we can think of to best mitigate social engineering and phishing, try KnowBe4’s free Comprehensive Anti-Phishing Guide.

CISA’s phishing infographic lays out the facts on social engineering and phishing. Phishing is one of the most likely ways that hackers and their malware creations can sneak into your environment. Many untrained employees will open any phishing email they receive, and many will click on the embedded links or download the attached malware. Network protection defenses are very unlikely to stop it and endpoint detection products are far from perfect. The single best mitigation that every organization could work on to improve is security awareness training for their employees.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews