Phishing attacks are proliferating—while getting costlier and more sophisticated. A recent report by KnowBe4 shows that, without employee training, the average business could face a one in three chance of compromise if targeted by phishers.
On July 12, 2022, KnowBe4 released the results of a study on businesses’ susceptibility to phishing attacks—studying, collectively, 9.5 million users across 30,173 organizations. The report compared 19 industries across small (1-249 employees), medium (250-999 employees), and large (over 1,000 employees) companies. At issue? The likelihood of an employee clicking a phishing link.
The results could have been better. In the initial phase of the study, nearly one-third of users across all organizations studied (32.4%) fell prey to clicking a simulated phishing link.
“Workforces in every industry represent a possible doorway to attackers,” warns the report, “no matter how steep the investment in world-class security technology.”
The bigger they are, the harder they fall for phishing
Claiming to take cyber risk seriously does not necessarily translate to effective vigilance. For instance, KnowBe4 points to a 2021 study by the UK government that found that the industry that most commonly “attach[es] a higher priority to cybersecurity” is finance and insurance—with 72% of those firms claiming cybersecurity as a “very high priority,” compared to 37% of all businesses across all sectors. But KnowBe4 found that the organizations most prone to succumbing to a phishing attack were large insurance firms, with 52.3% of employees from those companies clicking a simulated phishing link—nearly 20 points higher than the study average.
Large banking organizations also had one of the worst phish-clicking performances in the study (43.5%), while small banking firms had one of the best (25.4%). Consulting firms saw a similar effect (52.2% among large consultancies and 27.5% among small consultancies).
On average, large organizations (35.2%) fared worse than did medium ones (30.2%), which overall fared worse than did small ones (28.8%)—although the reverse was true for consumer services, education, and government; government was overall the most inherently phishing-vigilant sector studied. Even in government agencies, however, more than one in five users fell for a simulated phishing attack.
The education sector, meanwhile, had the top failure rate among all industries in the small-organization category, at 32.7%.
The other most phishing-vulnerable sectors included those that people arguably depend on the most for their physical well-being: energy/utilities and healthcare/pharmaceuticals. Perhaps most appallingly, large energy and utility firms had a 50.9% failure rate.
“In critical industries like energy and utilities and healthcare and pharmaceuticals, where lives can be severely impacted, we found particularly high levels of cybersecurity risk as a result of simulated phishing test failures,” said Stu Sjouwerman, founder and CEO of KnowBe4. “With the steep cost of cyber attacks, this is deeply concerning.”
On the hook
KnowBe4’s report notes that the most common types of phishing crimes are also two of the costliest: ransomware and business email compromise (BEC).
Phishing and ransomware go together like fish and chips. Just as ransomware is one of the most common phishing crimes, phishing represents one of the top three initial infection vectors for ransomware, according to the 2021 Internet Crime Report issued by the FBI’s Internet Crime Complaint Center (IC3).
In 2021, according to KnowBe4, the average ransomware payment was about $570,000; ransom demands can begin well into the millions. And all of this is to say nothing of the digital forensics and business continuity/disaster recovery (BC/DR) costs associated with a ransomware attack. IC3 reports just over $49 million in ransomware losses—with an asterisk.
“[T]his number does not include estimates of lost business, time, wages, files, or equipment, or any third-party remediation services acquired by a victim,” notes IC3’s 2021 Internet Crime Report. “In some cases, victims do not report any loss amount to the FBI, thereby creating an artificially low overall ransomware loss rate. Lastly, the number only represents what victims report to the FBI via the IC3 and does not account for victim direct reporting to FBI field offices/agents.”
As unfathomably expensive as ransomware losses are, however, BEC phishing attacks may be even costlier. In 2021, US companies sustained nearly $2.4 billion worth of BEC-related adjusted losses—topping out every other type of Internet crime listed in IC3’s 2021 report. (Investment fraud came in second, at less than $1.5 billion.)
And the phishing attacks keep coming—and evolving. IC3 reports that phishing has been the top-reported crime (to IC3) each year since 2019. And on the same day as the release of KnowBe4’s report, Microsoft announced having detected a “large-scale phishing campaign” that has attempted to target more than 10,000 organizations in a BEC scheme since September 2021.
“Phishing remains to be one of the most common techniques attackers use in their attempts to gain initial access to organizations,” wrote the Microsoft 365 Defender Research Team in its announcement. “And since credential phishing was leveraged in many of the most damaging attacks last year, we expect similar attempts to grow in scale and sophistication.”
The human element
It’s not all bad news, however. Just as phishing attacks are becoming ever wilier and more prolific, users and organizations can learn to up their vigilance game.
To this end, KnowBe4’s study also looked at the effects of anti-phishing training. Whereas Phase 1 of the study (described above) assessed organizations as they were, Phase 2 assessed those same organizations within 90 days of their employees completing their first anti-phishing training event, while Phase 3 reassessed them after one year of ongoing anti-phishing training.
The difference in results was substantial. In Phase 2, only 17.6% of users failed a phishing test—just over half of the fail rate in Phase 1. KnowBe4 noted the most significant improvements in some of the worst performers—including small education organizations (46% improvement) and large insurance firms (67% improvement).
In Phase 3, only 5% of users failed a phishing test. All testing groups had failure rates under 10% after one year of continuous anti-phishing training.
- Large hospitality companies had the best anti-phishing posture throughout every phase of the study (20.4% failure at Phase 1, 12.2% failure at Phase 2, and 1.3% failure at Phase 3).
- Midsize transportation organizations had the highest Phase 3 failure rate, at 9.6%.
- Oddly, whereas large government agencies had one of the best performances in Phase 1, at 24.8%, they had one of the worst performances in Phase 3, at 7.1%.
In any case, every category of organizations saw substantial improvements in their vigilance for phishing lures throughout Phases 2 and 3—apparently demonstrating that user education is a critical cybersecurity component.
“Given that most data breaches originate from social engineering, we cannot afford to omit the human element,” Sjouwerman said. “Implementing security awareness training with simulated phishing testing will help to better protect organizations against cyber attacks and result in a more secure organizational culture.”