Industries with the Highest Risk Phish Response
Phishing is the most common cyber-attack vector, no matter what type of organization is in the sights of a cybercriminal. However, some industries are more prone to the risk of phishing than others. A study from TitanHQ that explored the effectiveness of automated simulated phishing, "2023 Automated Phishing Simulation Success Report," captured the best and worst industries for phishing susceptibility. The report covered a year of metrics from regular phishing simulation exercises, analyzing the data to find out which industries are the most and least susceptible to phishing.
What Happens when Phishing Susceptibility is High?
According to IBM, phishing is the most commonly used vector to initiate or carry out a cyber-attack, and it is increasing. The Anti-Phishing Working Group (APWG) tracks phishing websites, which are typically the landing pages that phishing emails link to. The APWG's report covering Q1 2023 identified 1,624,144 phishing attacks and described the situation as follows: "This is a record high -- the worst quarter for phishing that APWG has ever observed."
Phishing is at a severe threat level across sectors of all types, all sizes, and all geographic locations. Phishing leads to data exposure, stolen login credentials, and malware infection, including ransomware attacks. Phishing also plays a role in Business Email Compromise (BEC): credentials stolen through a phishing email give an attacker a foothold deep inside a network, and the resulting fraud can cause significant financial losses.
TitanHQ’s report into automated phishing simulations and phishing susceptibility looks at some of the most prevalent and damaging cyber-attacks that use phishing. For example, 36% of data theft incidents use phishing to initiate the attack, according to the Verizon Data Breach Investigation Report 2023.
The TitanHQ study is based on phishing simulation metrics. These metrics are used to calculate two scores, Phish Vulnerable Percentage (PVP) and SMSish Prone Risk (SPR), and to establish industry benchmarks for each. The resulting scores show the relative vulnerability to phishing in a given sector, company size, and geographic location.
Once analyzed, these metrics provide insight into how vulnerable an organization is to phishing. The results were divided into two sets, with five industry sectors in each group: the industries with the highest-risk phish response and those with the lowest-risk phish response. Insight into phishing vulnerability matters because it indicates how likely your organization is to become the victim of a successful cyber-attack. The TitanHQ report is based on ten industries. Each company within an industry sector was scored, and these scores were then combined to build a phishing vulnerability profile for the sector.
The Ten Industries
The ten industry sectors that were used to generate insightful metrics are shown below:
- Real Estate
- Employment
- Manufacturing
- Transportation
- Air Transportation
- Biotechnology
- Aerospace
- Accommodations
- Auto
- Government
Phishing simulation metrics from the simulated phishing sessions were collected from companies in each of the ten industry sectors. These metrics were used to calculate a PVP for each company, and the company scores were averaged to give a PVP per sector. The companies took part in automated phishing simulation exercises over 12 months. The regular simulated phishing sessions, carried out to test how employees react when they receive a phishing email, were delivered by the SafeTitan phishing simulation platform. The metrics represent the typical behavior of an individual confronted with a phishing email. At the end of the study, the phish vulnerability score was calculated across the ten industries. Here is a look at the five riskiest industries for phishing vulnerability.
Biotechnology, aerospace, accommodations, auto, and government sectors are the most susceptible to phishing attacks.
The Five Highest-Risk Industries for Phishing
Out of the ten industry sectors tested for phishing vulnerability, the following came out as the riskiest:
1. Biotechnology (32.33%)
2. Aerospace (25.21%)
3. Accommodations (21.38%)
4. Auto (23.33%)
5. Government (22.34%)
The scores in brackets show the starting point for phishing vulnerability, i.e., the initial PVP measured at the beginning of the 12-month period. (The list follows the report's ordering rather than a strict sort by initial PVP.) Biotechnology was the riskiest industry, with a high likelihood of an employee clicking a malicious link or opening an infected attachment. The other four high-risk sectors were similarly at an increased risk of a successful phishing incident.
A fascinating insight came from comparing the PVP scores average across the ten industries. At the start of the experiment, the average PVP score across the ten sectors was 11.03%; this reduced to an average of 8.78% 12 months later.
This overall average is in sharp contrast to the average for the five most phish-vulnerable sectors, which was 24.92% at the start of the experiment and rose to 25.14% at the end; these five worst-performing industries remained much more likely to fall victim to a phishing incident and a related cyber-attack. The best improvement was seen in government, although its PVP of 21.74% after 12 months was still high. Even after 12 months, when the PVP was re-evaluated for all five worst-performing sectors, the scores remained high.
How to Decrease Poor PVP Scores
Phishing vulnerability scoring provides a window into the effectiveness of simulated phishing training. If a score is high and stays high even after simulated phishing has been used to teach employees, the elements of that training should be reviewed and changed where they prove ineffective. Optimizing the phishing simulation is critical to developing employee phishing training that works. Even if you have a high PVP at the outset, the goal is to decrease it as much as possible. If you find your organization has a high PVP, following the suggestions below should produce an overall improvement in phishing vulnerability:
Carry Out Regular Training Sessions: A study published through USENIX found that regular training sessions improve phishing simulation effectiveness. The study shows that the effect of the initial training lasted around four months, and that after six months employees could no longer confidently identify phishing. Carry out regular training, and to help ensure regular sessions without the overhead of setting up, deploying, and tailoring each one, use an automated simulated phishing platform like SafeTitan.
Make Training Relevant: Regular fake phishing sessions are essential but must be appropriate. Phishing tactics evolve, and people's reactions to these tactics can change. It is vital that a phishing training platform offers a wide variety of phishing templates and is behavior-driven so that phishing exercises are relevant to the user.
Real-Time In-Training Education and ‘What Ifs’: People need feedback during learning sessions. If an employee clicks on a malicious link, for example, they need to know what would have happened if this was an actual phishing email. By offering real-time learning experiences, employees are more likely to understand what could happen, and behaviors can be changed to create a positive security-first mindset.
Capture Metrics: Gathering metrics behind phishing simulation training is essential to optimizing your employee phishing education. These metrics can be used to calculate your overall PVP to show progress. They can also help improve reactions to phishing emails individually, allowing you to tailor phishing sessions and align them more closely to roles and individual needs.
Be Transparent with Employees: Phishing training can be perceived as intrusive by employees. A culture of security is one where everyone pulls together to stop cyber-attacks. Employees are on the front line of a cyber-attack, as the success of phishing proves. Before embarking on regular phishing sessions, explain to employees what they are and what the simulated phishing is meant to achieve, and above all, get their consent.
No matter what sector your organization falls into, phishing training must be performed optimally to reduce PVP over time.
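The report describes its method as scoring each company and then averaging those scores per sector, and the "Capture Metrics" suggestion above asks you to compute your own PVP to track progress. The following Python is an added example, not TitanHQ's or SafeTitan's code, showing how that calculation can be done over raw simulation events. The event layout, the actions counted as a failure, and the 12-month start/end comparison are assumptions for illustration; the sample events are constructed.

```python
"""Per-company and per-sector Phish Vulnerable Percentage (PVP) from raw
phishing simulation events.

Added example. The scoring formula (failed interactions / delivered
simulations, scored per company and then averaged per sector) is an
assumption about how such a score is built, not TitanHQ's published method.
"""
from collections import defaultdict
from statistics import mean

# Assumption: these recipient actions count as "fell for the phish".
FAIL_ACTIONS = {"clicked", "opened_attachment", "submitted_credentials"}

# Constructed sample events: (sector, company, campaign_month, user, action).
# Month 1 is the first simulated campaign, month 12 the last.
EVENTS = [
    ("Biotechnology", "bio-a", 1, "u1", "clicked"),
    ("Biotechnology", "bio-a", 1, "u2", "ignored"),
    ("Biotechnology", "bio-a", 1, "u3", "submitted_credentials"),
    ("Biotechnology", "bio-a", 1, "u4", "reported"),
    ("Biotechnology", "bio-b", 1, "u5", "clicked"),
    ("Biotechnology", "bio-b", 1, "u6", "ignored"),
    ("Biotechnology", "bio-a", 12, "u1", "reported"),
    ("Biotechnology", "bio-a", 12, "u2", "clicked"),
    ("Biotechnology", "bio-a", 12, "u3", "clicked"),
    ("Biotechnology", "bio-a", 12, "u4", "ignored"),
    ("Biotechnology", "bio-b", 12, "u5", "clicked"),
    ("Biotechnology", "bio-b", 12, "u6", "clicked"),
    ("Government", "gov-a", 1, "u7", "clicked"),
    ("Government", "gov-a", 1, "u8", "ignored"),
    ("Government", "gov-a", 1, "u9", "ignored"),
    ("Government", "gov-a", 1, "u10", "reported"),
    ("Government", "gov-a", 12, "u7", "reported"),
    ("Government", "gov-a", 12, "u8", "ignored"),
    ("Government", "gov-a", 12, "u9", "ignored"),
    ("Government", "gov-a", 12, "u10", "reported"),
]


def company_pvp(events):
    """PVP for one company in one campaign: failed / delivered * 100."""
    delivered = len(events)
    if delivered == 0:
        raise ValueError("no simulations delivered; PVP is undefined")
    failed = sum(1 for e in events if e[4] in FAIL_ACTIONS)
    return round(100.0 * failed / delivered, 2)


def sector_pvp(events, month):
    """Average of the per-company PVPs within each sector for one campaign.

    Each company is scored first and the sector figure is the mean of those
    scores, so a 5-person firm and a 5,000-person firm weigh the same.
    """
    by_company = defaultdict(list)
    for e in events:
        if e[2] == month:
            by_company[(e[0], e[1])].append(e)
    by_sector = defaultdict(list)
    for (sector, _company), evs in by_company.items():
        by_sector[sector].append(company_pvp(evs))
    return {sector: round(mean(scores), 2) for sector, scores in by_sector.items()}


def pvp_trend(events, start=1, end=12):
    """Start-vs-end PVP per sector, flagging sectors that did not improve.

    A sector whose PVP stays flat or rises after a year of simulations is
    the signal to revisit the training content, not just rerun it.
    """
    first, last = sector_pvp(events, start), sector_pvp(events, end)
    trend = {}
    for sector in first:
        delta = round(last[sector] - first[sector], 2)
        trend[sector] = {
            "start": first[sector],
            "end": last[sector],
            "delta": delta,
            "improved": delta < 0,
        }
    return trend


if __name__ == "__main__":
    for sector, t in sorted(pvp_trend(EVENTS).items()):
        flag = "" if t["improved"] else "  <-- no improvement, review training"
        print(f"{sector:15s} {t['start']:6.2f}% -> {t['end']:6.2f}% "
              f"({t['delta']:+.2f}){flag}")
```

Averaging company scores, as the report describes, treats every company equally regardless of headcount; if you want the probability that a random employee in the sector falls for a phish, pool the events across companies instead. Either way, use the same definition at the start and end of the period, or the trend is meaningless.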
Read the complete TitanHQ study, "2023 Automated Phishing Simulation Success Report."
Susan Morrow