We had a data scientist take a look at more than 4 years of aggregated clicking data and he came up with some interesting results, expressed in graphs. Here are some of the highlights:
When we looked at the sophistication of the phishing templates:
We have assigned a difficulty rating to each template from 1 to 5, where 5 has the highest difficulty/sophistication, and we recommend you start your users on rating 1 and over time build up to level 5. You can assign these ratings to your own templates as well. Here is an example how this looks for the system templates in the Banking category:
Next, when do people click on phishing emails? Each day is broken out in two 12-hour sections, to account for day and night. Wednesday is the time to launch phishing campaigns.
Now, what time of the day are people clicking? This correlates with when simulated phishing attacks are being sent by our customers, which appears to be during the afternoon. 
How fast are people clicking on phishing links? Pretty fast! More than half of them click in the first 60 minutes!
These last numbers are confirmed by several other studies in the industry. Once a message makes it though all the filters, there is no time for antivirus to update itself. Remember that the bad guys have labs with all the popular commercial security products you have running, and test, test, test until their social engineering attacks come through. It's a really good idea to create a human firewalll as your first line of defense.
Find out how affordable effective security awareness training is for your organization and be pleasantly surprised.
Related Pages: Phishing
