Fortra’s Terranova Security 2022 Gone Phishing Tournament results reveal large organizations at highest risk of compromising data

Photo: CNW Group/Fortra’s Terranova Security.

LAVAL — The new Phishing Benchmark Global Report, based on the 2022 Gone Phishing Tournament hosted by Fortra’s Terranova Security, reveals that large organizations of 10,000 employees or more are most susceptible to phishing attacks promising a gift, despite potentially having access to more cyber security resources than smaller businesses.

Co-sponsored by Microsoft, the annual tournament measures and evaluates how employees respond to one of the most common types of cyber threats – phishing attacks. The 2022 Phishing Benchmark Global Report results emphasize the growing need for all organizations to implement engaging and informative security awareness training programs. Ideally, those programs would leverage real-world phishing simulations to ensure employees are aware of the latest phishing tactics, can detect and report cyber threats and, in time, change unsafe online behaviors.

According to the report, many employees are still prone to answering requests for sensitive information – even when they come from unknown or suspicious email senders. This level of trust leaves an organization’s confidential data vulnerable to hackers.

“Cyber threats continue to grab headlines worldwide, so it’s encouraging to see improvement from last year’s phishing simulation. However, let’s not forget how, based on their context, each phishing scenario may convince a different set of users to click. There’s definitely still work to do with regards to helping organizations build and grow security-aware cultures,” said Theo Zafirakos, CISO at Terranova Security. “As the Phishing Benchmark Global Report also shows, it’s difficult for some organizations, especially with a significant employee base, to educate employees and reinforce cyber security best practices. This is most true in a remote-first environment.”

Seven per cent of all end users who participated in the 2022 phishing simulation clicked on the link in the phishing email. In addition, three per cent of all end users failed to recognize the warning signs of the simulation’s webpage and proceeded to enter their credentials on the malicious webpage.

Despite the seemingly low totals, this year’s form completion rate poses a cause for concern. Globally, 44 per cent of those who clicked on the phishing simulation link eventually completed the web form on the subsequent webpage and submitted their login credentials.

“To put these numbers into perspective, if an enterprise-level organization of 10,000 employees had been targeted with a phishing scam like the one depicted in the simulation,” said Zafirakos. “700 employees would have clicked on the phishing link, and over 300 of those clickers would have entered their password, which can be used to compromise systems and sensitive information. Given our reliance on online systems and data to conduct many business transactions and services, this reality is concerning.”

The simulation found that employees from large organizations are most susceptible to phishing attacks. According to participant data, organizations with 10,000 employees or more rarely missed security awareness training, indicating a potential lack of effectiveness.

For click rates by industry, nonprofit, education, manufacturing, and food and agriculture exhibited the highest totals, all scoring over 6 percent. Meanwhile, participants from the public sector, energy, and finance industries kept their click rates under 3.5 per cent.

The consumer products space had the highest form completion rate across all industries, with 40 per cent of those who clicked on the initial phishing link eventually entering their credentials on the malicious webpage.

Europe was the top performer of the five regions represented, claiming the lowest email link click and form completion rates. North America, the top-performing region in 2021, slotted into second place.

“The results from this year’s Gone Phishing Tournament underscore the importance of taking a human-centric approach to security awareness training and content,” said Brand Koeller, Principal Product Manager, Microsoft Defender. “Technical safeguards alone can’t guarantee information security. Addressing the human risk factor should be a top priority for all organizations.”

The 2022 Gone Phishing Tournament took place in October to coincide with Cybersecurity Awareness Month. With over 250 participating organizations and over 1.2 million phishing emails sent out during this year’s event, it was one of the largest phishing simulations of its kind. The increase in the participation rate shows phishing is a major concern for many organizations considering the ever-evolving complex nature of real-world cyber threats.

Microsoft supplied this year’s email and webpage templates designed to imitate a real-world scenario that many employees experience: a gift card scam. The scenario, selected by the Terranova Security leadership team, measured several end-user behaviors, such as clicking on a link in the body of a phishing email and entering credentials into a form on a phishing webpage.
If users clicked on the link in the phishing simulation’s email, they were redirected to a landing page, which prompted them to enter credentials that, had the simulation been an actual attack, would have been compromised. If users completed this second step, they were brought to a phishing simulation feedback page highlighting the warning signs they missed and the best practices they should follow.

Though the 2022 Gone Phishing Tournament simulation was deemed easier than in previous years, the click rate and web form submission rate should still be considered high as a result. Download the 2022 Phishing Benchmark Global Report to get all the results and facts from the latest edition of the Gone Phishing Tournament.