In 2015, phishing-related breaches dominated security news headlines, and phishing will likely remain the leading initial point-of-entry method in 2016. Not surprisingly, an upswing in security awareness spending has paralleled the rise in phishing. In this presentation we dive deep into the largest data pool of human phishing susceptibility and also into new research about phishing awareness. We will also look at phishing from the attacker’s point of view and look for opportunities to be better defenders.
Let’s examine the evidence and decide if awareness is the problem. Why do users who are aware of phishing continue to fall for it? What are some of the most successful phishing themes? What are some common response rates? And finally, what can conditioned informants (your co-workers) reporting suspicious emails bring to the table?
This study examines data samples from more than 400 PhishMe customers who conducted over 4,000 training simulations during a period of 13 months. The simulation data illustrates the current state of phishing, highly successful attack vectors and prominent phishing themes, as well as the factors that impact an employee’s susceptibility to falling victim to an attack, such as time of day and email subject lines.
Base Demographics
Includes Fortune 500 and public sector organizations
Across 23 industries
75% of organizations are training more than 1,000 employees
8 million emails over a 13-month span
Stats for point 4 listed above:
36% opened emails with the subject line “File from Scanner”
34% opened emails with the subject line “Unauthorized Activity/Access”
Note that the highest-scoring theme in Figure 1 (Office Communications, 22%) aligns with the highest benchmarking average. Computer Updates, the lowest response rate in Figure 1, also aligns with the lowest benchmark simulation average (Adobe Security Updates, 9%).
PhishMe further analyzed data from the “Package Delivery” benchmark simulation to understand and compare variances across industries.
As we can see, there is a wide variance in average response rates per industry, ranging from more than 40% (Agriculture, Education and Pharma/BioTech) to less than 15% (Travel).
The results highlight the need to carefully consider a company’s industry, as well as its individual culture and standard business processes, when viewing phishing simulation results.
PhishMe classified each of its standard templates with a primary emotional motivator. From this we were able to determine, based on template results, which motivators had the highest average response rates.
The highest response rates were driven primarily by our e-card type, personal-context scenarios.
Reward-based phish came in a close second. On the next page, we will take a look at combining motivators and context to create a highly effective training scenario.
As technology advanced, manufacturers turned to optic verification sensors to prevent scams. These mechanisms use a beam of light to register payment as it's dropped in. Ironically, this technology was used against itself to perform a cheat very similar to the aforementioned yo-yo trick.
Intrepid ne'er-do-wells found that if a coin was slightly shaved around its edge, then a slot machine's optic sensor would register it as a normal coin. However, once it got to the machine's comparator mechanism—the piece of equipment that measures size and weight—it would be kicked out because of the minute size discrepancy.
In many machines, the optic sensor worked independently from the physical comparator mechanism. The former would be the sole judge of a coin's authenticity while the latter merely doled out change. Shaved coins were good for a play but would be returned in the change tray as bogus money—it's essentially the yo-yo trick sans string.
- Taken from http://mentalfloss.com/article/56646/11-ways-people-have-cheated-slot-machines
Newer machines used optical sensors to count how many coins they dispensed. The light wand would be inserted through the hopper and "blind" that optical sensor so the machine had no idea when to stop spitting out money. All you had to do was play enough until you hit a small payoff, switch on the light, and then wait for the machine to turn that modest return into a mountain of money.
Cool video:
https://www.youtube.com/watch?v=ONrWQLSQ2j8