A long-term phishing study involving 6 healthcare institutions shows employees are vulnerable to phishing attacks, and that they can become more vigilant through exposure.
Phishing testing is something near and dear to our heart here at KnowBe4. It’s a great way to both understand where your organization’s weakest points are and presents an opportunity to educate your users about the dangers of phishing emails, improving your overall security stance
Researchers spent 7 years, 2,971,945 emails and 95 separate campaigns studying employee engagement with simulated phishing emails trying to understand why and how often they open.
Using a combination of business, IT, and personal email topics (see below), employees were subjected to phishing tests to determine whether they would take the bait and click on embedded links.
The results were surprising: According to the report, the phishing campaigns had a median click rate of 16.7%. To give you a point of reference, according to email vendor MailChimp’s annual Email Marketing Benchmarks report, the average click rate for normal advertising across all industries is only 2.43%!
So, is there any good news in all of this?
Yes! Also noted in the report was the decrease in click rates over time as employees were subjected to additional phishing emails. In essence – like most of us – as the employee learned how to spot a fake email, the odds of them clicking on a subsequent phishing email dropped by 67%!
In essence, this study helps to make the case that an educated employee is a much more secure employee. In the study, employees learned through experience interacting with the phishing campaigns. So, imagine instead of the organization were to purposely train them on what to look for, how the bad guys try to trick them, what to do should they encounter a real phishing attack, and how to avoid becoming a victim.
That’s what Security Awareness Training is all about.