Are employees the weakest link in your security strategy? Train them!

Email is the number one threat vector. There’s no exception, even with a global pandemic, on the contrary: COVID-19 has been used as an appealing hook by cyber criminals. Data from Trend Micro Smart Protection Network shows that for the first five months of 2020, 92 per cent of all the cyber threats leveraging COVID-19 were spam or phishing email messages.

Email scams can have a big impact, both on the organization and the individual. This was highlighted in a recent report from BBC News where a finance professional from Glasgow, Scotland was targeted by a business email compromise scam. The hackers disguised themselves as the employee’s CEO, and managed to convince her to transfer £200k to their bank account. When the organization realized what happened, they were able to retrieve half of the loss. However, the employee was fired and then pursued in the courts for the remaining sum. Her lawyers argued successfully that she had not received any training to identify these scams and the case was subsequently dismissed. This took a big personal toll on the employee who not only lost her job, but worried about losing her home as well. Her employer suffered financially and their reputation also took a hit. There were no winners in this case, but it really emphasized the importance of security awareness; companies need to arm their employees with the knowledge to protect the business, and ultimately themselves.

A great email security solution can block the majority of threats, but no product can catch 100 per cent of email scams. This means that humans are our last line of defense. Trend Micro Phish Insight service helps you to increase your employees’ awareness of phishing emails and other cyber threats. Best of all, it is completely free, allowing you to increase your cybersecurity while using this budget for other critical initiatives.

Let’s take a look at a customer use case:

A Phish Insight customer in the U.S. launched two phishing simulation campaigns for 1,500 employees in the first half of 2020.  The two campaigns were four months apart and targeted the same employees.
The first campaign was a fake email from CDC with a link that claimed to check new COVID-19 cases. It asked for the user’s log-in information after the link was clicked.

The second campaign is an email pretending to be from the organization’s IT department. It requested users to verify their account due to an Office 365 inbox storage limitation.

Both emails are very realistic looking with important and engaging topics that users care about.

So, what do the results look like?

Among the employees getting the emails, the result for the two campaigns shows a positive behavior change in recognizing a phishing email.

  • Percentage of employees that clicked the embedded URL in email reduced significantly (11 per cent vs. 7 per cent)
  • Percentage of employees that reported the phishing email to IT has increased significantly (11 per cent vs. 24 per cent)

However, when introducing a more challenging phishing attack (the 2nd campaign), the percentage of employees who posted their credentials to the phishing site has significantly increased (0.3 per cent vs. 3.4 per cent). While the company’s overall phishing awareness increased (reduced clicks), those who fell victim had a higher chance of giving out their credentials.

The result also shows that back office teams have a higher percentage of phished employees and the importance of on-going training. In addition to continuing phishing awareness training to all employees, the IT department will focus more on back office teams.

Using Phish Insight, the company successfully increased employees’ awareness while being able to target more at risk user groups and identify those that need more help.

Want to train your organization?

To start a phishing simulation for your users, you need $0 budget and only five minutes. With a really simple user experience, you can get up and running with your first simulation today.

Try Phish Insight with no obligation: phishinsight.trendmicro.com