Insurers, Nonprofits Most Likely to Fall for Phishing: Study

The employees of insurance companies and non-profit organizations are most likely to fall for phishing attacks, according to a study conducted by security awareness training firm KnowBe4.

KnowBe4’s study is based on data collected from six million users across 11,000 organizations. The company has tested users at three stages: before any awareness training, after 90 days of initial training and simulated phishing, and after one year of training.

The average phish-prone percentage, represented by the percentage of employees that clicked on a link or opened an attachment during testing, was 27% across all industries and organizations of all sizes.

Among small and mid-size organizations (under 1,000 employees), insurance companies have the highest percentage of phish-prone employees, at 35% and 33%, respectively. Among large organizations, nonprofits top the list, with roughly 31% of employees taking the bait during the baseline phishing tests conducted by KnowBe4.

The lowest phish-prone percentage was recorded in large business services organizations, where only 19% of employees took the bait.

[Image: How likely are employees in different sectors to fall for phishing attacks]

Unsurprisingly, 90 days after undergoing initial training and simulated phishing, the percentage of employees that fell for phishing attacks dropped significantly across all sectors and organizations of all sizes.

For example, in the case of the insurance industry, the phish-prone percentage dropped to 13% in small and large organizations, and 16% in mid-size companies. In the case of nonprofits, it dropped to 16-17%.

After one year of training, the phish-prone percentage dropped to 1-2% in most cases. The highest percentage of employees that still fell for phishing attacks, roughly 5%, was in large organizations in the energy and utilities, financial services, insurance, and education sectors.

“The new research uncovered some surprising and troubling results. However, it also demonstrates the power of deploying new-school security awareness training by lowering a 27 percent Phish-prone result to just over two percent,” said Stu Sjouwerman, CEO of KnowBe4.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
