According to a new report, one in three emails that employees flagged as suspicious was a genuine threat.

The “think before you click” cybersecurity training sessions are making a real difference: a third of the emails reported by employees really are malicious or highly suspect. So all that time ticking boxes in cybersecurity training sessions seems to be paying off, according to a new report put together by the IT security company F-Secure. The team at F-Secure analysed over 200,000 emails flagged by employees at organisations across the globe in the first half of 2021, and found that 33% of the reports could be classified as phishing.

Phishing attacks are deceptive messages in which an attacker poses as a large organisation to lure the recipient into taking some form of action. These attacks generally arrive by email, but can also come via SMS, instant messaging or social media platforms. The primary goal is to trick the user into giving up personal information or downloading malware, so the messages are designed to look genuine. Phishing email accounted for over half of the infection attempts in 2020.

Examples of phishing emails include:

  • a message claiming to be from the post office, asking the user to re-schedule a fake delivery
  • a message from the bank requiring some sort of update or confirmation
  • a message that looks like it comes from a corporate department.

Wherever they claim to be sent from, all phishing emails are the same in the sense that they urge the recipient to take action by:

  1. clicking a link
  2. providing some sensitive information
  3. or downloading an attachment

Any of these opens the way for an attacker to carry out an attack.

Criminals use employees as a bridge into a company, targeting corporate email to get a bigger payday. As a result, businesses are spending time, money and effort on educating their staff so the company doesn’t fall victim.

According to the F-Secure report, users who submitted emails reported 2.14 emails each on average during the research period, and an organisation with 1,000 employees reported on average 116 emails per month. A suspicious link was the most common reason users gave when submitting an email to F-Secure, cited in 60% of cases, with an incorrect or unexpected sender following closely behind. Suspicious attachments and suspected spam were the other reasons users gave for reporting.

Meanwhile, a few words and phrases signal a high risk of phishing, according to F-Secure’s analysis: for instance, terms such as “Warning”, “Your funds has” or “Message is for a trusted”.
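One defender-side way to put these indicators to work, as an added example that is not from the article or the F-Secure report: a small Python triage script that scores employee-reported emails on the signals discussed here (a high-risk phrase, a link in the body, a sender domain that does not match the organisation the message claims to be from, and an attachment) so that a swamped security team sees the strongest reports first. The sample reports, the expected-sender allow-list, the weights and the escalation threshold are all constructed assumptions, not values from the report.

```python
"""
Triage of employee-reported emails using the indicators the F-Secure
report highlights: high-risk phrases, suspicious links, unexpected
senders and attachments. Every record below is constructed sample data.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Phrases the report associates with a high risk of phishing (lower-cased).
HIGH_RISK_PHRASES = ("warning", "your funds has", "message is for a trusted")

# Hypothetical allow-list: which sender domains an organisation expects for
# the brands and departments that phishing emails commonly impersonate.
EXPECTED_SENDER_DOMAINS = {
    "post office": {"postoffice.example"},
    "bank": {"examplebank.example"},
    "hr": {"corp.example"},
}

URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)
ESCALATE_AT = 2  # reports with at least this many signals go to an analyst


@dataclass
class ReportedEmail:
    sender: str
    claims_to_be: str          # who the message presents itself as
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def sender_domain(address: str) -> str:
    """Domain part of an address; the From header can be spoofed, so this is one signal only."""
    return address.rsplit("@", 1)[-1].lower()


def assess(email: ReportedEmail):
    """Return (score, reasons): one point per indicator present."""
    text = f"{email.subject}\n{email.body}".lower()
    reasons = []
    if any(phrase in text for phrase in HIGH_RISK_PHRASES):
        reasons.append("high-risk phrase")
    if URL_RE.search(email.body):
        reasons.append("suspicious link")
    expected = EXPECTED_SENDER_DOMAINS.get(email.claims_to_be.lower())
    if expected is not None and sender_domain(email.sender) not in expected:
        reasons.append("unexpected sender")
    if email.attachments:
        reasons.append("attachment")
    return len(reasons), reasons


def triage(reports):
    """Split reports into an analyst queue (strongest first) and a low-priority pile."""
    queue, low = [], []
    reason_counts = Counter()
    for email in reports:
        score, reasons = assess(email)
        reason_counts.update(reasons)
        (queue if score >= ESCALATE_AT else low).append((score, email))
    queue.sort(key=lambda item: item[0], reverse=True)
    return queue, low, reason_counts


# Constructed sample submissions (all domains under .example, not real).
SAMPLE_REPORTS = [
    ReportedEmail("delivery@postoffice-reschedule.example", "Post Office",
                  "WARNING: parcel could not be delivered",
                  "Re-schedule your delivery at http://postoffice-reschedule.example/track"),
    ReportedEmail("alerts@examplebank.example", "Bank",
                  "Your funds has been frozen",
                  "Message is for a trusted customer. Please confirm your details by reply."),
    ReportedEmail("hr@corp.example", "HR",
                  "Holiday calendar 2021",
                  "Attached is the updated holiday schedule.", ["holidays.pdf"]),
    ReportedEmail("news@deals.example", "Marketing",
                  "Weekly deals", "See http://deals.example/this-week"),
    ReportedEmail("it-support@corp-example.example", "HR",
                  "Warning: password expiry",
                  "Open the attached form and reset via http://corp-example.example/reset",
                  ["form.html"]),
]

if __name__ == "__main__":
    queue, low, counts = triage(SAMPLE_REPORTS)
    for score, email in queue:
        print(f"[{score}] {email.sender}: {email.subject} -> {assess(email)[1]}")
    print("low priority:", len(low), "| reasons:", dict(counts))
```

The second sample report (a bank "freezing funds") scores only one point because its From address passes the allow-list, which shows why sender checks alone are weak: headers can be forged, so the allow-list is just one signal alongside the phrase and link checks, and the threshold decides how much of the reported volume reaches an analyst.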

In other words, most phishing emails play on our emotions to lure us into taking the bait. It’s a common tactic designed to get us to click on a bad link, and we fall for it at times because clicking is the most intuitive and easiest thing to do when our emotions are involved.

Therefore, there is always a risk that employees will be deceived even with regular cybersecurity training and reminders. According to previous research, the response rate among staff is 20% on average, and phishing simulations that contain authority or urgency cues see higher average click rates. Test yourself: can you spot a scam?

But the new study from F-Secure shows that when it comes to spotting phishing emails, employees have a good eye. F-Secure director of consulting Riaan Naude says it’s often said that “people are security’s weak link” without considering the benefits of using staff as the “first line of defence” for the company. He goes on to say that “Employees can catch a significant number of threats hitting their inbox if they can follow a painless reporting process that produces tangible results.”

However, Naude does point out that employee-led reporting creates additional work for cybersecurity teams that are already swamped, and that workload grows as the number of emails reported by employees rises.

Cybersecurity teams have had to adapt to the rise of remote working since the outbreak of COVID, which has hugely expanded the attack surface that hackers can target. Malicious hackers were able to target corporations even more aggressively as new working practices were deployed in a hurry: monitoring by corporations was reduced, and attackers exploited that fact.

The UK’s National Cyber Security Centre (NCSC) removed about 1.4 million URLs responsible for 700,000 online scams last year. Note that this was more content removed in a single year than in the previous three years combined.

If you and your staff need cybersecurity training to reinforce your company’s first line of defence, get in touch with Rock IT today and learn to “think before you click” so you aren’t successfully hacked.
