Information security consultancy The Intrepidus Group analyzed the results of 32 mock-phishing scenarios against 69,000 employees around the world, CEO Rohyt Belani told SCMagazineUS.com Monday. Belani presented findings of the study Monday during the InfoSec World Conference in Orlando, Fla.
Belani said that the percentage of employees vulnerable to spear phishing was “astounding.”
“Twenty-three percent sounds low, but think of the normal corporation with 5,000 employees -- you are talking about almost 1,200 vulnerable endpoints,” Belani said.
He added that if an attacker targets a number of people in an organization, at least one or two will click on a phishing email.
But Joshua Perrymon, CEO of PacketFocus, which provides penetration testing services, told SCMagazineUS.com on Monday that even 23 percent seems low.
“I would say 23 percent of people fall for generic phishing attacks,” Perrymon said. “We see around 70 percent response with directed attacks.”
Perrymon said technology is not playing much of a role in stopping targeted phishing attacks, so enterprises have to rely on user education and security awareness.
Among the other findings of Intrepidus' study: Men and women are equally susceptible to phishing attacks. Also, 60 percent of corporate employees who were susceptible to targeted spear phishing responded to the phishing emails within three hours on average.
The study also found that people are less cautious when clicking on links in emails than when they are requested to provide sensitive data. Additionally, phishing attacks are 40 percent more successful when they use an "authoritative tone," such as appearing to come from one's boss or the IT department, rather than coming from someone claiming to offer a reward.
“The culture of the U.S. is built on authority and this holds true in our jobs,” Perrymon said. “If you are told something with a power of authority, you are going to do what it says without looking farther into it.”
Perrymon said this cultural trait is even more prevalent in China and Japan.
“Corporations need to continue focusing on making their employees aware of the threats,” Belani said.
And Belani said user education should be approached like a marketing exercise -- if users are nodding off, it will never be effective.
“You need to make it interesting and relevant to them,” Belani said.