10 Phishing Facts: Employee Behavior & Insider Risk - Tecbound Technology

10 Phishing Facts: Employee Behavior & Insider Risk

Phishing is one of the biggest threats that any organization faces today. An estimated 80% of companies say that they experienced an increase in the number of phishing attacks they faced in 2021, and no one expects that to slow down anytime soon. Because phishing is the precursor to damaging cyberattacks like business email compromise, ransomware, account takeover and more, a strong defence against phishing is a foundational element of any organization's cyber defence. These phishing facts help illustrate why building that defence matters.

That’s what makes employee behaviour around phishing so critical to keeping organizations safe from cybercrime. Unfortunately, employee behaviour can be unpredictable, and employees will inevitably make mistakes. Human error, like an employee opening a dodgy email, is responsible for an estimated 90% of security breaches at organizations of every size, according to IBM’s X-Force Threat Intelligence Index. Learning more about employee behaviour and the insider risk of phishing can help keep organizations out of phishing trouble.

10 Phishing Facts About Dangerous Employee Behavior:

  1. One-fifth of employees in a study interacted with spurious emails.
  2. 45% of employees click emails they consider to be suspicious “just in case it’s important.”
  3. 1 in 3 employees is likely to click the links in phishing emails.
  4. 41% of employees failed to notice a phishing message because they were tired.
  5. 47% of workers cited distraction as the main factor in their failure to spot phishing attempts.
  6. 30% of phishing messages get opened by targeted users.
  7. 1 in 8 employees is likely to share information requested in a phishing email.
  8. 60% of employees opened emails they weren’t fully confident were safe.
  9. 45% of employees never report suspicious messages to IT for review.
  10. 97% of employees cannot spot a sophisticated phishing email.

It’s a Sad but True Phishing Fact: Employees Encounter Brand Fraud and Spoofing Every Day:

Every day, employees receive an ever-growing volume of email messages, and how those messages are handled can make or break a company’s security and budget. That is especially true when those messages are phishing attacks: an estimated 65% of insider threat incidents are caused by employee actions around phishing. Many of those email messages are supposedly from well-known brands, but not all of them are trustworthy.

Brand impersonation is a common cybercriminal tactic: 25% of all branded emails that companies receive are spoofed or brand impersonation attempts. Traditionally, Microsoft holds the top spot as the most-impersonated brand, but DHL surpassed it at the end of 2021. Microsoft came in at number two, mimicked in one-fifth of phishing schemes. Communication juggernaut WhatsApp came in third, with Google just on its heels. LinkedIn is still a cybercriminal go-to, but Facebook (now going by Meta) dropped out of the top 10 in 2021.

Where are the bad guys sending those messages inside an organization? A phishing study shows that the answer is: all over the place. No department is safe from the enticements of sophisticated phishing messages. Surprisingly, 75% of the respondents indicated that many phishing attempts targeted IT staffers themselves, who you’d think would be savvy to these attacks, yet 40% of those IT staffers fell for the bait.

Departments Most Likely to Be the Target of Phishing:

Share of total attacks a business experiences, by department:

  1. IT = 75%
  2. Sales = 35%
  3. Executives = 27%
  4. Marketing = 25%
  5. Customer Support = 21%

Ransomware attacks commonly start with a phishing message. IC3 received 3,729 complaints identified as ransomware in 2021, a 51% increase over the 2,474 recorded in 2020. Those complaints also cost victims a lot more money than in previous years: ransomware victims suffered losses of more than $49.2 million, a 69% increase over the $29,157,405 recorded in 2020.

By far the most financially damaging potential result of phishing is business email compromise (BEC). The FBI declared it 64x worse than ransomware for businesses. BEC losses grew 28% between 2020 and 2021, with the BEC/EAC category clocking in at a painful $2,395,953,296 in losses. That’s an average loss of $120,000 per victim, compared to the previous year’s $96,700 per victim. Investment scams came in second, up an astonishing 333% over 2020.

Source: ID Agent
