Phishing remains a ‘basic, viable, and effective’ threat – even against those who should know better

The success rates of phishing attacks vary markedly between organizations from different sectors, according to a new study from NCC Group.

Targets in charities, for example, were found to be more than three times as likely to click on simulated phishing emails as their counterparts in the healthcare sector.

The top three sectors by click-through rate were charities, IT services, and the local public sector.

The IT services sector had a high click-through rate, even though workers in the industry might be expected to have a greater awareness of the phishing threat.

In a blog post, NCC Group consultant Simon Palmer suggested that IT workers were possibly clicking on suspicious links out of overconfidence “that they could handle whatever problem was thrown at them”.

By contrast, the three sectors with the lowest click-through rates were retail, healthcare, and financial services; in both healthcare and retail, fewer than 10% of targets clicked on the simulated emails, which were disguised as coming from a trusted source.

NCC Group analyzed data from more than 1,300 simulated phishing campaigns involving more than 360,000 emails across a wide customer base.

This data, collated using the security company’s Piranha phishing simulation platform, included clicked link counts and the number of credentials entered.

Risky clicks

It turns out that the tricky part of mounting a successful phishing campaign is getting intended targets to click on a link.

Once a target had clicked, however, roughly half went on to supply credentials, regardless of which industry sector they worked in, NCC Group discovered.

“Phishing remains a basic, viable, and effective threat,” Palmer said.

The security researcher advises organizations to combine mitigations: deploy two-factor authentication so that a phished password alone is not enough, add account misuse detection to catch credentials that are nonetheless stolen and used, and run awareness training to reduce the click rate in the first place.

Cyber breaches survey

The UK government’s recently released Cyber Security Breaches Survey 2020 reported more incidents of phishing set against a backdrop of a lower percentage of malware-based attacks.

Over the last three years, the proportion of businesses experiencing phishing attacks rose from 72% in 2017 to 86% this year. This contrasts with a fall in the proportion targeted with viruses or other malware over the same period (down from 33% to 16%).

Almost half of businesses (46%) and a quarter of charities (26%) reported falling prey to cybersecurity breaches or attacks in the last 12 months.

These figures were higher among medium-sized businesses (68%), large businesses (75%), and high-income charities (57%).

Home-working security

Many people are working from home because of the coronavirus crisis. Palmer told The Daily Swig that this may have an effect on phishing attacks in the short term.

“Employees working from home may be more susceptible to carefully-crafted phishing emails, as there are fewer opportunities to walk across the office and verify any out-of-the-ordinary requests,” Palmer said.

“The most important piece of advice that applies to all people, whether they’re working from home or accessing personal emails, is to remain vigilant. Be wary of any email, SMS or other form of communication that asks you to provide sensitive information or click through a link to input details.

“In the first instance, keep an eye out for typical phishing attack markers, such as errors in the sender’s email address, spelling mistakes in the email and spoofed links. If you are still unsure, it’s good practice to check in with a known contact to clarify if it’s a genuine communication,” he added.
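Two of the markers Palmer lists, errors in the sender’s address and spoofed links, can be checked mechanically. The script below is an added example for this article, not code from NCC Group, its Piranha platform, or The Daily Swig. It parses a constructed email, flags lookalike sender domains (homoglyph swaps such as `examp1e.com`, swapped top-level domains, and a trusted name buried inside an attacker’s hostname), a display name that claims a trusted brand from an outside address, a Reply-To that diverts replies elsewhere, and anchors whose visible text names one host while the href points to another. The trusted domain list, the homoglyph table, and both sample messages are assumptions for illustration; spelling mistakes are left to a human reader.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Domains this organisation treats as trusted (assumed list for the example).
TRUSTED_DOMAINS = {"example.com", "bank.example"}

# Character swaps commonly used to build lookalike domains (assumed, not exhaustive).
# Folding "rn" to "m" can misfire on legitimate names, so treat hits as leads, not proof.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def normalise_domain(domain: str) -> str:
    """Fold common lookalike substitutions so 'examp1e.com' compares as 'example.com'."""
    folded = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` impersonates, or None if it is clean."""
    domain = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None  # the trusted domain itself, or a genuine subdomain of it
    folded = normalise_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or folded.endswith("." + trusted):
            return trusted  # homoglyph swap, e.g. examp1e.com
        if folded.split(".")[0] == trusted.split(".")[0]:
            return trusted  # same name, different TLD, e.g. example.net
        if f".{trusted}." in f".{folded}.":
            return trusted  # trusted name embedded in a foreign host, e.g. example.com.evil.invalid
    return None


def sender_markers(msg) -> List[str]:
    """Checks on the From and Reply-To headers."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return ["From header has no usable address"]
    target = lookalike_of(domain)
    if target:
        findings.append(f"sender domain {domain} looks like trusted domain {target}")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name.lower() and domain not in TRUSTED_DOMAINS:
            findings.append(f"display name '{name}' mentions {brand} but address is @{domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    return findings


def link_markers(body: str) -> List[str]:
    """Checks on links: visible text vs. real target, and lookalike hosts."""
    findings = []
    for href, inner in ANCHOR_RE.findall(body):
        text = TAG_RE.sub("", inner).strip()
        href_host = (urlparse(href).hostname or "").lower()
        m = HOST_IN_TEXT_RE.search(text)
        if m:
            text_host = m.group(1).lower()
            if text_host != href_host and not href_host.endswith("." + text_host):
                findings.append(f"link text shows {text_host} but points to {href_host}")
    seen = set()
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        target = lookalike_of(host) if host else None
        if target and host not in seen:
            seen.add(host)
            findings.append(f"link host {host} looks like trusted domain {target}")
    return findings


def phishing_markers(raw_email: str) -> List[str]:
    """Parse an RFC 5322 message and return the list of markers found (empty if clean)."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    findings = sender_markers(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        findings += link_markers(body.get_content())
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_PHISH = """\
From: "Example IT Support" <helpdesk@examp1e.com>
Reply-To: collect@mailbox.invalid
To: staff@example.com
Subject: Password expiry
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Sign in at
<a href="https://login.example.com.evil.invalid/reset">https://login.example.com/reset</a>
to keep your account active.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: "Example IT Support" <helpdesk@example.com>
To: staff@example.com
Subject: Maintenance window
Content-Type: text/html; charset="utf-8"

<html><body><p>Details at <a href="https://intranet.example.com/maintenance">https://intranet.example.com/maintenance</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_markers(sample) or ["no markers found"])
```

The checks are deliberately conservative about what they call trusted: a genuine subdomain such as `intranet.example.com` passes, while `login.example.com.evil.invalid` is flagged because the trusted name appears inside a foreign registrable domain. Against the constructed phish the script reports five markers (lookalike sender domain, brand name with an outside address, diverted Reply-To, mismatched link text, and a lookalike link host); against the legitimate message it reports none. Treat the output as a prompt to verify with a known contact, as Palmer advises, not as a verdict.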

In some circumstances, people at work might be more likely to fall victim to phishing attacks than consumers, according to Palmer.

“It’s important to remember that anyone can be caught out by sophisticated phishing scams,” the security consultant explained.

“While cybercriminals may seek to take advantage of the fact that people are working remotely and already communicating more via email, they may also be preying on fear caused by COVID-19 to target vulnerable groups of consumers.”

“However, it is possible for workers to be deceived by phishing attempts as attackers often use information about the workplace to make the scam more convincing. Therefore, it’s even more important for workers to be aware of how they might be targeted,” he concluded.
