Woburn, MA – June 27, 2022 — Phishing simulator data from Kaspersky’s Security Awareness Platform shows that workers tend to not notice pitfalls hidden in emails devoted to corporate issues and delivery problem notifications, with one in five (16% to 18%) clicking the link in the email templates imitating these phishing attacks.
According to estimates, 91% of all cyberattacks begin with a phishing email, and phishing techniques are involved in 32% of all successful data breaches.
To provide further insight into this type of threat, Kaspersky analyzed data gathered from a phishing simulator provided voluntarily by users. Integrated into Kaspersky Security Awareness Platform, this tool helps companies check if their staff can distinguish a phishing email from a real one without putting corporate data at risk. An administrator chooses from the set of templates, mimicking common phishing scenarios or creates a custom template, then sends it to the group of employees without pre-warning them and tracks the results. A large number of users clicking the link is a clear indication that additional cybersecurity awareness training is required.
According to recent phishing simulation campaigns, the five most effective types of phishing email are:
Other phishing emails that gained a significant number of clicks include reservation confirmations from a booking service (11%), a notification about an order placement (11%), and an IKEA contest announcement (10%).
Alternatively, emails that threaten the recipient or offer instant benefits appeared to be less “successful.” A template with the subject “I hacked your computer and know your search history” gained 2% of clicks, while offers for free Netflix and $1,000 by clicking a link tricked just 1% of employees.
“Phishing simulation is one of the simplest ways to track employees’ cyber-resilience and evaluate the efficiency of their cybersecurity training. However, there are significant aspects that must be considered when conducting this assessment to make it really impactful,” comments Elena Molchanova, head of security awareness business development at Kaspersky. “Since the methods used by cybercriminals are constantly changing, the simulation has to reflect up-to-date social engineering trends, alongside common cybercrime scenarios. It is crucial that simulated attacks are carried out regularly and supplemented with appropriate training – so users will develop a strong vigilance skill that will allow them avoid falling for targeted attacks or so-called spear phishing.”
To prevent data breaches, and any related financial and reputational losses caused by phishing attacks, Kaspersky recommends the following for businesses:
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
 Statistics are based on the results of 29,597 employees from 100 countries. Not all available phishing templates were sent to each employee. Presented data includes templates sent to more than 100 users. Phishing simulation campaigns were held between January 2021 – May 2022.