Large organizations are most susceptible to phishing attacks: survey

Findings show training should leverage practical hands-on exercises

Large organizations of 10,000 employees or more are most susceptible to phishing attacks promising a gift, despite potentially having access to more cyber security resources than smaller businesses, according to a new study.

The new Phishing Benchmark Global Report emphasizes the growing need for all organizations to implement engaging and informative security awareness training programs. Ideally, those programs would leverage real-world phishing simulations to ensure employees are aware of the latest phishing tactics, can detect and report cyber threats and, in time, change unsafe online behaviors.

According to the report, based on the 2022 Gone Phishing Tournament hosted by Fortra’s Terranova Security, many employees are still prone to answering requests for sensitive information – even when they come from unknown or suspicious email senders. This level of trust leaves an organization’s confidential data vulnerable to hackers.

“Cyber threats continue to grab headlines worldwide, so it’s encouraging to see improvement from last year’s phishing simulation,” says Theo Zafirakos, chief information security officer at Terranova Security. “However, let’s not forget how, based on their context, each phishing scenario may convince a different set of users to click.”

Seven percent of all end users who participated in the 2022 phishing simulation clicked on the link in the phishing email. In addition, three percent of all end users failed to recognize the warning signs on the simulation's landing page and went on to enter their credentials into its login form.

Despite the seemingly low totals, this year's form completion rate poses a cause for concern, according to Terranova. Globally, 44 percent of those who clicked on the phishing simulation link eventually completed the web form on the subsequent webpage and submitted their login credentials.

“To put these numbers into perspective, if an enterprise-level organization of 10,000 employees had been targeted with a phishing scam like the one depicted in the simulation, 700 employees would have clicked on the phishing link, and over 300 of those clickers would have entered their password, which can be used to compromise systems and sensitive information," said Zafirakos. "Given our reliance on online systems and data to conduct many business transactions and services, this reality is concerning.”

The simulation found that employees from large organizations are most susceptible to phishing attacks. Participant data show that organizations with 10,000 employees or more rarely missed security awareness training, yet still performed worst, which suggests that the training itself may not be effective.

The 2022 Gone Phishing Tournament, co-sponsored by Microsoft, took place in October 2022 to coincide with Cybersecurity Awareness Month. More than 250 organizations participated, and over 1.2 million phishing emails were sent out during this year's event.
