Are employees the weakest link in your security strategy?
Email is the number one threat vector. There’s no exception, even with a global pandemic. On the contrary: Covid-19 has been used as an appealing hook by cybercriminals. Data from Trend Micro Smart Protection Network shows that for the first five months of 2020, 92% of all the cyberthreats leveraging Covid-19 were spam or phishing email messages.
Email scams can have a big impact on both the organization and the individual. This was highlighted in a recent report from BBC News in which a finance professional from Glasgow, Scotland was targeted by a business email compromise (BEC) scam. The hackers disguised themselves as the employee’s CEO and managed to convince her to transfer 200,000 British pounds (approximately US$261.95 as of writing) to their bank account. When the organization realized what had happened, they were able to retrieve half of the loss. However, the employee was fired and then pursued in the courts for the remaining sum. Her lawyers argued successfully that she had not received any training to identify these scams, and the case was subsequently dismissed. This took a big personal toll on the employee, who not only lost her job but also worried about losing her home. Her employer suffered financially and their reputation also took a hit. There were no winners in this case, but it really emphasized the importance of security awareness: companies need to arm their employees with the knowledge to protect the business and, ultimately, themselves.
A great email security solution can block the majority of threats, but no product can catch a hundred percent of email scams. This means that humans are our last line of defense.
Trend Micro™ Phish Insight service helps you to increase your employees’ awareness of phishing emails and other cyberthreats. Best of all, it is completely free, allowing you to increase your cybersecurity while using this budget for other critical initiatives.
Customer use case
A Phish Insight customer in the US launched two phishing simulation campaigns for 1,500 employees in the first half of 2020. The two campaigns were four months apart and targeted the same employees.
The first campaign was a fake email purporting to be from the CDC, with a link that claimed to check new Covid-19 cases. It asked for the user’s login information after the link was selected.
The second campaign was an email pretending to be from the organization’s IT department. It asked users to verify their account due to a Microsoft 365 (formerly called Office 365) inbox storage limitation.
Both emails were very realistic, with important and engaging topics that users care about.
So, what do the results look like?
Among the employees who received the emails, the results of the two campaigns show a positive behavior change in recognizing a phishing email:
- The percentage of employees who clicked the embedded URL in the email fell significantly (11% versus 7%)
- The percentage of employees that reported the phishing email to IT increased significantly (11% versus 24%)
However, when introducing a more challenging phishing attack (in the second campaign), the percentage of employees who posted their credentials to the phishing site significantly increased (0.3% versus 3.4%). While the company’s overall phishing awareness increased (shown by reduced clicks), those who fell victim also had a higher chance of giving out their credentials.
The results also show that back-office teams have a higher percentage of phished employees and that ongoing training is important. In addition to continuing phishing awareness training for all employees, the IT department should focus more on back-office teams.
Using Phish Insight, the company successfully increased employees’ awareness while being able to target more at-risk user groups and identify those that need more help.
Want to train your organization?
To start a phishing simulation for your users, you need zero budget and only five minutes. With a really simple user experience, you can get up and running with your first simulation today.
Try Phish Insight with no obligation: phishinsight.trendmicro.com