Why do staff still click phishing emails?

Even though almost half of office workers have suffered data compromises, the vast majority still claim to be able to spot a phishing email. We explore why.

A report by Webroot found that although more than three-quarters (79%) of the 4,000 surveyed working professionals claimed they could spot the difference between a phishing email and a genuine one, nearly half of them (49%) admitted to clicking links from an unknown sender. Something about those numbers doesn’t quite add up…

The survey, entitled “Hook, Line and Sinker: Why Phishing Attacks Work”, studied workers around the world in pursuit of a concrete answer to the simple question “Why do workers still click phishing emails?”.

Nearly half the respondents (48%) had experienced personal or financial data compromise as the result of a successful breach. Incredibly though, 35% of the affected workers didn’t go as far as to change their passwords afterwards.

The fact that 29% of workers admit to clicking unknown links more than once is a concerning indication that cyber security is simply not high on workers’ list of priorities.

This could simply be down to the diffusion of responsibility often seen within large organisations, but believing that someone else will deal with the consequences of a costly data breach rarely holds up when facing charges of gross negligence.

The need for a culture shift is clear: too much emphasis is placed on tasks offering immediate rewards, and good cyber security hygiene is not a practice that is often publicly rewarded. In fact, the extra time it takes to thoroughly scan the 52 emails that an average worker receives each day would regularly be seen as time wasted…until an organisation finds itself the victim of a successful data breach.

Security and productivity are always in a tradeoff. People put off security because they are too busy doing something with a more ‘immediate’ reward. These findings illuminate the pertinent need for a mindset makeover, where the longer-term reward of security doesn’t get put on the back burner.

Cleotilde Gonzalez, Ph.D. – Research Professor, Carnegie Mellon University

With regard to which sender an employee was most likely to open an email from first, almost two-thirds (60%) of respondents reported their boss as the highest priority. This helps explain why CEO fraud, in which attackers impersonate a senior executive, continues to grow in popularity.

Phishing attacks continue to grow in popularity because, unfortunately, they work. Hackers and criminals weaponize the simple act of clicking and employ basic psychological tricks to inspire urgent action. It is vital that consumers educate themselves on how to protect both their personal and financial data and what steps to take if their information is compromised or stolen.

For businesses that means implementing regular simulated phishing and external attacks that address the various ways hackers attempt to breach organizations through their users. By combining the latest detection, protection, prevention and response technology with consistent attack training and education, IT Security departments can tackle the people, process and technology combinations needed to successfully mitigate attacks.

George Anderson – Product Marketing Director, Webroot

This adds significant emphasis to the growing need organisations have for effective simulated phishing and Security Awareness Training.

At Phishing Tackle, we strongly believe that Security Awareness Training should not be reserved only for organisations with fat security budgets, but that it is a basic necessity of all firms and should be priced accordingly.
