The One Stat That Lets You Know You Need Help Stopping Phishing Attacks
Quick Answer
A UK survey of 1,000 users by Computer Disposals Limited (cited by KnowBe4) found that 95 percent failed to classify all 10 of a mixed set of legitimate and phishing messages correctly; only 5 percent got all 10 right, and even when erring toward "delete", only 44 percent correctly identified the legitimate ones. With hundreds of phishing emails arriving each month, a 5 percent perfect-recognition rate at the user layer means a breach is a matter of schedule, not chance. Awareness training improves the rate, but the research cited here still puts the miss rate of heavily trained staff at about 2 percent, and 2 percent of hundreds of messages is still several successful phishes a month. Cloud-based phishing protection with real-time link click analysis typically costs less than training (about 45 cents per user per month), deploys in about 10 minutes, and stops the email before the user has to make any decision at all.
A lot of companies depend on their employees to stop phishing attacks. In effect, their employees are the last line of defense. Seeing as the cost of phishing attacks is now in the tens of billions of dollars per year (nobody knows the exact amount, since victims are so reluctant to come forward), it seems that relying on employees to stop phishing isn't working too well. And now we know why.
From KnowBe4: "According to a recent poll of 1,000 U.K. users that U.K.'s Computer Disposals Limited asked to identify whether an email or text was legitimate or not by choosing to either click the provided link or delete the message, 95% of them failed to properly identify all 10 examples. Even when simply erring on the side of caution and choosing to delete messages rather than engage with them, only 44% identified the authentic messages."
That's right: only 5% of users got all 10 messages right, and the other 95% mistook at least one malicious message for a safe one or vice versa. And that's the last line of defense. That's the one stat that lets you know you need help stopping phishing attacks.
There are two things to take from that number: users aren't particularly good at identifying phishing emails, and phishing emails are genuinely hard to detect. KnowBe4 continues: "This quiz demonstrates that it's very difficult these days to spot the fake message from the real one. The really bad part of this is the examples provided don't even use real logos (e.g., 'PayMe' instead of 'PayPal'), making us lose confidence in an untrained user's ability to easily differentiate between what's business-related and what's a phish."
One source of help stopping phishing attacks is to train your employees to spot phishing emails. That's a good choice, but it's not perfect. We know from research that even with heavily trained employees, 2% of phishing emails still get through. Unfortunately, it only takes one to put your entire company at risk, and with hundreds of phishing emails arriving each month, 2% still means several phishes landing in inboxes every month if employee awareness training is all you do.
Another, more effective source of help is to deploy cloud-based Phishing Protection software with real-time link click analysis, like that available from DuoCircle. Rather than scanning a link once at delivery, click-time analysis evaluates the destination at the moment the user clicks, so a link that was harmless when the message arrived and weaponized later is still caught. Not only does Phishing Protection do a better job against phishing emails than employee training, but in most cases, at just 45¢ per user per month, it costs less too.
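The following is an added illustration of what real-time link click analysis means in practice; it is not code from this page or from DuoCircle's product, whose internals the article does not describe. It rewrites each link at delivery to point at a click gateway, binds the original URL with an HMAC so the rewritten link cannot be repointed, and only makes the allow/block decision when the click arrives, against the blocklist as it stands at that moment. The gateway host, the key, the blocklist and the sample message are all constructed assumptions for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Assumptions for this example (none come from the article or from any vendor):
# a rewriting gateway on a reserved .invalid host and a per-deployment HMAC key.
GATEWAY = "https://clicks.example.invalid/go"
GATEWAY_KEY = b"example-only-key-rotate-in-production"

HREF_RE = re.compile(r'href="(https?://[^"]+)"')


def _sign(url: str) -> str:
    """HMAC the original URL so a rewritten link cannot be repointed at another target."""
    return hmac.new(GATEWAY_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def extract_links(html: str) -> list:
    """Return every http(s) href in a snippet of email HTML."""
    return HREF_RE.findall(html)


def rewrite_links(html: str) -> str:
    """Delivery time: swap each link for a gateway link carrying the original URL and its MAC.
    No verdict is made here; the only job is to make sure the eventual click comes back to us."""
    def to_gateway(m):
        original = m.group(1)
        return f'href="{GATEWAY}?u={quote(original, safe="")}&s={_sign(original)}"'
    return HREF_RE.sub(to_gateway, html)


def resolve_click(gateway_url: str, blocked_hosts) -> tuple:
    """Click time: verify the MAC, then judge the original URL against the blocklist as it is NOW.
    Returns (decision, original_url) with decision in {'reject', 'block', 'allow'}."""
    params = parse_qs(urlparse(gateway_url).query)
    original = params.get("u", [""])[0]
    sig = params.get("s", [""])[0]
    if not hmac.compare_digest(sig, _sign(original)):
        return ("reject", original)          # forged or tampered gateway link
    host = (urlparse(original).hostname or "").lower()
    if host in blocked_hosts:
        return ("block", original)           # weaponized after delivery: still caught
    return ("allow", original)


def demo() -> tuple:
    """Walk one constructed message through delivery and a later click."""
    # Constructed sample email; the host mimics the quiz's fake 'PayMe' brand.
    email = ('<p>Your invoice is ready: '
             '<a href="https://payme-billing.example.invalid/inv/42">View invoice</a></p>')
    blocklist_at_delivery = set()                  # nothing is known about the host yet
    rewritten = rewrite_links(email)
    gateway_link = extract_links(rewritten)[0]
    at_delivery = resolve_click(gateway_link, blocklist_at_delivery)[0]
    # Hours later the host has been reported; the user clicks only now.
    blocklist_at_click = {"payme-billing.example.invalid"}
    at_click = resolve_click(gateway_link, blocklist_at_click)[0]
    return at_delivery, at_click


if __name__ == "__main__":
    print(demo())   # ('allow', 'block')
```

A delivery-time scanner would have returned the first verdict ("allow") and never looked again; the click-time gateway returns the second ("block") because it defers the decision to the moment the user acts. The MAC is what keeps the rewrite itself from becoming an open redirect.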
Phishing Protection is also a faster fix. While it could take months to train all your employees, protecting all your employees with Phishing Protection takes about 10 minutes.
It’s cheaper, it’s faster and it’s more effective. If the 5% number scares you and you want to do something about it, your best bet is Phishing Protection from DuoCircle. You can try it free for 60 days.
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.
