Phishing

Enterprise Phishing Susceptibility
and Resiliency Report

2016
2016 Enterpise Phishing Susceptibility and Resiliency Report 2
Introduction
Welcome to PhishMe’s 2016 Enterprise Phishing Susceptibility and Resiliency report. The report we
published in 2015 focused solely on susceptibility, telling only half of the story. Now, with over 5 million
active installations of PhishMe Reporter™ across the globe, we can publish statistically significant
metrics about the rate and accuracy of humans reporting phishing emails. We are excited to share
this data, as it has been missing from phishing studies in the past. Armed with this new data, we hope
that security organisations focus their attention on the ratio of Report-To-Click instead of dwelling on
susceptibility metrics.
PhishMe has been collecting and aggregating phishing threat, simulation and reporting data since
2008. This report evaluates user susceptibility, analysing why employees click on suspicious links and
attachments, including, for the first time, an additional area of analysis on the reporting of suspicious
emails to measure the resiliency of conditioned employees.
Phishing and spear phishing remain the No. 1 attack

vector threatening organisations worldwide, continuing to So Far in 2016...
challenge IT security teams as threat actors evolve their • 91% of cyber attacks and the resulting
tactics to gain access to corporate networks, assets and data breaches begin with a spear
consumer data. Now more than ever, organisations must phishing email.
be able to understand and identify the successful types of • Spear-Phishing Campaigns are up 55%.
email attacks, themes and elements used to successfully • Ransomware Attacks are up 400%, and
phish employees, so that we can determine how best • Business Email Compromise (BEC)
to prepare and condition them to identify and report Losses are up 1,300%.
suspicious emails to internal IT security teams.
To that purpose, this study examines data samples from more than 1,000 PhishMe customers who sent
more than 40 million simulation emails from January 2015 to July 2016. Throughout this report, we will
identify and highlight those phishing themes and emotional motivators that users find the most difficult
to recognise and report, and highlight how increased reporting impacts susceptibility.
Report Data Demographics

Based on PhishMe template/scenario response data:
• Over 1,000 PhishMe customers from across the globe
• Fortune 500 and public sector organisations across 23 verticals
• More than 40 million simulation emails
• 15 languages
• 18-month span (January 2015 to July 2016)
Phishing Simulations Explained

Unless you have run a phishing simulation programme, the terms used throughout the report may not
be familiar. At its core, a phishing simulation programme allows organisations to assess, measure, and
educate all employees about phishing threats. An ongoing, methodical programme will provide sample
emails ranging in complexity and topics that mimic real threats. The use of “scenarios” and “themes”
allows for measurement and customisation for better resiliency to those more successful phishes.
Throughout the report, we will refer to scenarios and themes as we assess behaviour across multiple
industries.
© Copyright 2016 PhishMe, Inc. All rights reserved.

Summary of Findings
After sending more than 40 million phishing simulation emails across 23 industries around the world,
PhishMe gathered the following insights:
• Business-context phishing emails remain the most difficult for users to recognise.
• Top Themes: Office Communications, Finances and Contracts.
• Top Emotional Motivators: Curiosity, Fear, Urgency.
• Susceptibility to phishing email drops almost 20% after just one failed simulation.
• Reporting rates significantly outweigh susceptibility rates when simple reporting is
deployed to more than 80% of a company’s population, even in the first year.
• Active reporting of phishing email threats can reduce the standard time for detection of
a breach to 1.2 hours on average—a significant improvement over the current industry
average of 146 days.
These results validate the importance of understanding how the components of complexity and
context impact the phishing susceptibility of employees in your organisation, and how a continuous
security training programme has proven to significantly change employee security behaviour.
Improvement is driven by reducing susceptibility, reinforcing key principles, and increasing
employee engagement to enhance threat detection rates and avoid costly incidents.
Why Behavioural Conditioning?

Phishing remains the No. 1 attack vector today because it works. Attackers are crafty and have many
different tactics to entice a person to click on or open an attachment. How is the executive assistant
to the CEO supposed to recognise a phishing email if they have not seen that tactic used?
An organisation’s many employees in diverse roles offer a target-rich means to the attackers’ end
of gaining access to company systems. Employees are easier targets due to their susceptibility to
various emotional and contextual triggers; and they may not be as focused on email security as they
need to be.
Attack Methods
Click-only: An email that urges the recipient to click on the embedded link.
Data entry: An email with a link to a customised landing page that entices employees to enter
sensitive information.
Attachment-based: Themes of this type train employees to recognise malicious attachments by
sending emails with seemingly legitimate attachments in a variety of formats.
Double Barrel: A conversational phishing technique that utilises two emails – one benign and
one containing the malicious element.
Highly Personalised: Simulates advanced social engineering tactics by using specific known
details about email recipients gathered from internal and public sources.

Which Topics or Themes are the Most Effective?

As part of its phishing simulation programme, PhishMe provides its customers with themes and
templates of sample emails matching real-world scenarios that mimic a variety of attacks and
primary motivators.
Our data has shown that the Office Communications and the Finance/Contracts themes garnered
the highest susceptibility rates with 19.9% and 18.6%, respectively, which makes perfect sense if
you are receiving a business-related email in your office inbox. Other themes that have increased in
the last year include Retail/Shopping and External Communications.
Office Communications 19.9%

Phishing Email Theme
Finances and Contracts 18.6%
Retail/Shopping 16.5%
IT Communications 11.2%
External Communication 7.8%
Computer Updates 7.5%
0 5% 10% 15% 20% 25%

Average Response Rate
Figure 1: Training themes employees found most difficult to recognise as a phishing email
This correlation with last year’s study results validates that Business Context/Communication
scenarios make more effective phishing emails than other themes. This points to the need to fully
understand and baseline your own internal communication standards to provide guidance to your
users in the detection of malicious phishing attempts. This is particularly true considering the
increase in BEC-style phishing in the real world today.
Comparing Benchmark Scenarios and Customised Templates

PhishMe provides templates for benchmarking analysis, where an aggregate performance of
one group is compared with an aggregate performance of individuals from a second group,
across separate companies. To account for changes in variance across customisable themes,
we compared average response rates for our benchmarks. This comparison provides greater
confidence because the simulation variables are controlled.
The good news is that we see some significant improvements, as compared to the last report, in
average response rates for the benchmark templates in Figure 2. Unauthorised Access, Secure
Email (Attachment-based), and the RSA Phish (Click Only) dropped 7%, to 10%. The largest
improvements in recognition appeared in a 12% drop in susceptibility for the Password Survey
(Data Entry) scenario.

These changes point towards the value of a broad base of users being continually exposed to phishing
themes over time. The best example in the real world of this same phenomenon is the well-known “Nigerian
Prince” scam. Because it is so widely and repeatedly used, it has become easily recognisable in multiple
forms. The same can be said for the results below.
File from Scanner 31.1%
Package Delivery - Alternative 25.8%
Unauthorised Access 24.8%
Digital Fax 20.2%

Benchmark Templates
Package Delivery 19.7%
Scanned File 18.4%
RSA Phish 13.1%
Password Survey 12.9%
Secure Email 12.2%
Adobe Security Update 7.0%
Restaurant Gift Certificate 6.7%
Google Docs 6.0%
Funny Pictures 3.4%
0 5% 10% 15% 20% 25% 30% 35%

Figure 2: The different templates used in Benchmark simulations across more than 10 industries
To identify further trends and gain a closer look at correlations between our benchmark scenarios and
customisable templates, we have included average susceptibility for many of our most used templates in
this study.
While these templates are less controlled (i.e., the phishing email can be customised by clients), we were
able to tease out several findings in this year’s study.

File from Scanner 23.5%
Locky Phish 21.5%
Unauthorised Access 19.9%
eCard Alerts 19.5%

Package Delivery 18.9%
Scenario Content Template
Financial Info Review 18.6%
Financial Information 18.6%

Digital Fax 17.2%
Order Confirmation 17.0%
Inbox Over the Limit 16.9%

RSA Phish 15.2%
Free Coffee 11.8%
Password Survey 11.7%
Restaurant Gift Certificate 11.4%

Virus Outbreak Update 10.2%
Email Migration 8.7%
Background Check 7.8%
Shared Folder 6.8%
Adobe Security Update 3.4%
0 5% 10% 15% 20% 25%

Figure 3: The different templates used in benchmark simulations across more than 10 industries
Notice that File from Scanner, Package Delivery, Unauthorised Access and others remain as the
most difficult scenarios for users to recognise even though the templates in this sample can be
edited. Further, we can see that the customisable templates average lower than their benchmarking
counterparts. For example:
• The File from Scanner benchmark averages 31% while the customisable version averages 24%.
• The Unauthorised Access benchmark averages 25% compared to 20% for the editable version.
There are a few contributing factors to the lower rates on the customisable templates:
1. The volume of usage for the customisable version of these templates is higher, leading to
broader recognition.
2. Many programmes begin by customising scenarios to include more visible errors, making
them easier to recognise.
3. Differences between comparable benchmark and customised scenarios include differences
in type. We will outline this further by taking a closer look at the File from Scanner
templates.

Attachments Versus Links

The File from Scanner template reigns as the most difficult for users to recognise as both a
benchmark and a customisable template; yet, as mentioned above, there are differences between
the benchmark susceptibility rate and the average rate for the customised version:
• 31% average response as a benchmark
• 24% in customisable form
From: LaserPro_2_2_e <[email protected]>

Subject: Scan from Laser Pro i780 Second Floor
A document has been scanned and sent to you using a Laser Pro i780.
SENT BY: INELL

PAGES: 1
FILETYPE: .PDF View
Figure 4: The file from scanner customisable template (Click Only)
From: LaserPro_2_2_e <[email protected]>

Subject: Scan from Laser Pro i780 Second Floor
Please open the attached document. It has been scanned and sent to you using a Laser Pro
i780.
SENT BY: INELL

PAGES: 1
FILETYPE: .DOC
Figure 5: The file from scanner benchmark template (Attachment-based)
Figures 4 and 5 show the difference in the action needed in the benchmark scenario and
customisable version: open versus a click. This suggests that, because the attachment-based
benchmark more closely mimics how an actual scan would work, it is more difficult for users to
identify as suspicious.

PhishMe Tip
The results from the File from Scanner validates that business-context phishes, in general, are the
hardest for employees to recognise and report. It further emphasises the need for organisations to
baseline their operational procedures, particularly those involving internal and external business
communications.
The existence of communication standards and policies allows an organisation to improve

phishing recognition by providing their users with a point of comparison. In other words, email
communications that do not follow an understood standard format or appropriate process are
easier to identify.
Variance by Industry
PhishMe further analysed data from the “File from Scanner” benchmark simulation to understand
variances across industries.
Transport 49%
Health Care 31%
Insurance 30%
Pharma / Biotech 30%
24%
Industries
Energy
Retail 16%
Consulting 14%
Utilities 14%
Technology 10%
Non-profit 5%
0 10% 20% 30% 40% 50%

Figure 6: File from Scanner average results per industry
As we see above, there is a wide variance in average response rates per industry, with an almost
50% response rate in Transport, down to 5% for Non-profits.
This further stresses the need to fully baseline your organisation and processes so that your
biggest phishing threats can be identified and mitigated through focused repetition of high
response scenarios and additional awareness activities.

Targeted threat attackers and other Components of Complexity

malicious actors continue to mature, Context Business
varying the types of phishing emails Personal
that enter the real-world environment.
Emotional Motivators Charity
The complexity of the content and the
Curiosity
emotional motivator often drive the
Entertainment
success of a particular phish.
Fear
As we have already seen, business- Personal Connection
context phishes are more difficult for Opportunity
Reward
users to recognise and report. In addition
Urgency
to Context, we consider two other factors:
Technical Difficulty (number of visible Technical Difficulty Easy -- 3+ Visible Clues
clues/errors in an email) and Emotional Med -- 1-2 Visible Clues
Motivators. Hard -- 0-1 Visible Clues
Figure 7: Components of Complexity

Emotional Motivators
Human nature influences our emotions and how they get the better of us. We all come with an
automated fight-or-flight response designed to protect us from danger. This leads to our emotions
and feelings being triggered prior to our rational thought.
Consequently, we are at risk of increased susceptibility to phishes with a strong emotional pull,
even at a subconscious level. To mitigate this natural reaction in users, it is important for us to
understand those emotions that are most effective in bypassing critical analysis. With this level
of understanding, we can condition our employees to be on the lookout for their natural reactions
to malicious emails, and to use those reactions as a trigger to look more closely for technical and
process errors in what they are seeing.
Curiosity 13.7%
Fear 13.4%
Emotional Motivator
Urgency 13.2%
Reward/Recognition 12.9%
Social 11.8%
Entertainment 9.6%
Opportunity 9.2%
0 5% 10% 15%
Figure 8: Average response rates by Motivator

In Figure 8, we analysed our data set to determine the average response by emotional motivator.
As you can see, Curiosity, Fear and Urgency topped our list, with all coming in at averages higher
than 13%.
It should be noted that Fear and Urgency are a normal part of everyday work for many users.
Consider that most employees are conscientious about not losing their jobs due to poor
performance (fear) and are often driven by deadlines (urgency), leading them to be more susceptible
to phishes with these emotional components. Further, Curiosity replaced Social [interactions] at
the top of our list of emotional motivators in this year’s study. This is primarily due to maturing our
model to assign multiple emotional motivator tags to our phishing templates.
Figure 9: Greetings eCard template
This can best be seen by reviewing the average response rates for our customisable templates and
noting that eCards remain difficult for users to avoid and that they are averaging 20% response
rates. Our Greetings eCard template, shown above in Figure 9, includes multiple factors that make it
difficult to avoid, such as personal context, curiosity and social connection.

Ransomware and Active Threats

PhishMe strives to drive resiliency and reduce susceptibility to the wide range of phishing threats
used today. However, some threats are more prevalent and disruptive to an organisation and need a
special focus by using Active Threat phishing scenarios.
Locky Phish 21.5%
Order Confirmation 17.0%
Job Application Received 15.5%

Ransomeware Template
Blank Email 11.9%
New Credit Card Sent 10.8%
Photos 9.3%
Fraudulent Behaviour 7.8%
Booking Status Change 6.9%
Security Report 5.2%
Notice from Bar Assoc. 4.6%
0 5% 10% 15% 20% 25%

Figure 10: Ransomware template response rates
In Figure 10, the current average response rates for our templated scenarios that model today’s
active threats show an average 17% response rate across all Ransomware templates.
What is Ransomware?
Ransomware is a type of malware that prevents or limits users from accessing their system. This
type of malware forces users to pay the ransom through certain online payment methods to grant
access to their systems, or to get their data back.
According to PhishMe’s Q3 Malware Review, 97.25% of the samples analysed contained a form of
ransomware—making it the most utilised form of malware in phishing emails.

Locky Phish Analysis

On 16 February, 2016, PhishMe’s Intelligence team identified many significantly large sets of emails
delivering Word documents that contained macro scripts used to download a malware payload known
as Locky. The scope of Locky’s delivery in its first full day of deployment was staggering, with over
400,000 endpoints around the world affected by this encryption ransomware in just hours. Locky
distribution not only dwarfs most malware from 2016, but it also towers over all other ransomware
varieties, making it imperative to implement a phishing simulation using a Locky.
Locky
100 Cerber
Number of Analysed Samples
TeslaCrypt
CryptoWall
75 CBT-Locker
Other
50
25
0
JAN FEB MAR APR MAY JUN JUL AUG SEP
Figure 11: Relative proportions of ransomware varieties analysed in
In analysing the susceptibility to the PhishMe Locky template, we can see the characteristics that
lead to its effectiveness in both our anti-phishing programmes and in the real world:
1. It is presented in a business context.

2. It is personalised to the recipient.
3. There are no noticeable errors in grammar or spelling.
4. It mimics many organisations’ existing invoice processes.
From: Jill Preston <[email protected]>

Subject: Unpaid invoice No. 4806
Dear RECIPIENT_NAME,
Please see the attached invoice (.doc) and remit payment according to the terms listed at the
bottom of the invoice.
Let us know if you have any questions.
We greatly appreciate your business!

Jill Preston
Figure 12: PhishMe’s Locky Phish template

Insurance 34.7%
Retail 31.7%
Energy 27.8%
Health Care 24.9%
Utilities 23.6%
Industries
Transport 20.4%
Media 18.1%
Defence/Industrial 16.1%
Government 11.6%
Non-profit 7.2%
Consulting 2.7%
0 5% 10% 15% 20% 25% 30% 35%

Figure 13: Locky Phish template averages by industry
As Figure 13 shows, there is once again a wide variance in response to this real-world threat.
From our data set, we find those organisations in the Insurance, Retail and Energy sectors most
vulnerable, with ranges in average response rates from 28% to 35%.
This underlines the need to ensure you understand how your company responds to any given
phishing type and its components' complexity. This understanding will allow you to address your
specific threats in your anti-phishing programme. See the Appendix for more information on High
Impact Scenarios and Scenario Response Rates by Industry.
No Links - The Challenge of Stopping BEC Emails

Business Email Compromise (BEC) is a sophisticated scam, targeting businesses using familiarity
and business activity requests such as performing a wire transfer payment or being asked to
provide sensitive company information such as salaries data. The email appears to have come from
an internal authority, but there are typically no links or attachments for technology to analyse and
trigger an alarm, making these threats extremely difficult to detect.

Figure 14: Example BEC email
BEC Style Average Susceptibility

Defence/Industrial
Financial Services
Health Care
Technology
Insurance
Average
Energy
Media
Travel
Retail
Scenarios
Wire Fraud 3.9% 3.9%
Wire Transfer Request 1.6% 2.0% 4.6% 2.2% 3.9% 2.6%
Wiring Money Process 15.5% 10.6% 10.2% 12.6% 19.6% 28.7% 4.4% 16.9%
Average 15.5% 6.1% 6.1% 10.0% 19.6% 28.7% 4.4% 2.2% 3.9% 14.2%
Figure 15: Average BEC susceptibility by theme
To help address the BEC threat, PhishMe added specific templates to mimic successful BEC attacks.
Across our BEC templates, we found an average response rate of 14%. The Wiring Money Process was
clearly the scenario with the highest susceptibility rate. It was particularly effective in the Defence,
Insurance and Media industries.
PhishMe Tip
Incorporate feedback from your IR and Network teams into your anti-phishing programme.
Specifically, identify those real-world phishing scenarios that your organisation receives on a
regular basis, and incorporate them into your rotation.

The Phishing Kill Chain

To this point, our report has outlined and discussed the extent of the phishing risk and the factors
that impact difficulty in recognition and reporting for users. It is now important to stress the
differences between penetration testing results and an anti-phishing behavioural conditioning
programme. It is not enough simply to identify the breadth of the risk. We must answer the question:
how do we take susceptibility results and turn them towards mitigation of the phishing threat?
Self Scenario Scenario Reporting Triage Mitigation

Enumeration Design Delivery
Technical Develop from General Stress Analysis Threat
and Process Baseline of Conditioning Reporting in of reported Neutralised
weaknesses known risks Spear Phishing all awareness suspicious
identified and previous Repetition activities emails
Results results Track scenarios
Analysis Track email
reports
Figure 16: Phishing Kill Chain
The design of any anti-phishing programme can be modelled on the Phishing Kill Chain in Figure 16.
This model mimics the well-known Kill Chain process utilised in security organisations today.
The difference is that the Phishing Kill Chain inserts Reporting by Users at the point at which the
standard model indicates an exploitation of a breach. Incorporating the model above into any anti-
phishing programme can be accomplished via the steps outlined below:
1. B aseline your organisation’s technical and process weaknesses.

2. Analyse initial/previous phishing scenario results to identify the phishing models your users
find most difficult to recognise.
3. Design future scenarios based on known deficiencies and analysis of results.
4. Deliver phishing scenarios and education to your general audience.
5. Stress the importance of reporting in all awareness activities, including your scenario
education.
6. Incorporate spear phishing for high-risk users and departments.
7. Repeat scenarios to increase recognition and reporting.
8. Track user progress for programme reporting metrics and for reporting of suspected ‘real’
phishing attempts.
9. Route suspected phishing reports to your IR teams for analysis and mitigation.
Improved Recognition and Reporting

When measuring the effectiveness of any anti-phishing programme, we look across three (3) key
metrics:
1. Reduced Susceptibility
2. Increased Recognition
3. Increased Reporting

In the charts below, we analyse different-sized organisations for trends in Repeat Offences (falling
for a phish) and for Reporting Rates. This sample included results from more than 300,000 users
in organisations that have had PhishMe Reporter, a simple reporting tool, deployed for more than
one (1) year.
30%
Company Size
26%
Small
20% 21%
20%
Medium
Large
10%
2% 5% 0.1% 0.2% 0.3%

3%
0
Responded Once Responded Twice Responded 3 Times
Figure 17: Reduction in repeat offence by company size
Figure 17 above shows an overall improvement in recognition of phishing attempts with an average
drop of 19% in response rates after a single failure. This pattern holds true regardless of company
size. In other words, users will improve performance with repetition and increased exposure to
phishing templates.
In the Reporters Breakdown chart shown below, we see that users will adopt a new habit as a result
of stressing the importance of reporting in anti-phishing programmes. For users in this sample with
the PhishMe Reporter installed:
1. 12% to 20% have reported at least once.
2. 17% to 29% have reported multiple times.
30% Company Size

29%
Small
26% Medium
20% 20% Large
19%
17%
12%
10%
0
Reported Once Reported 2-5 Times
Figure 18: Increases in reporting by company size

In addition to these statistics, the organisations involved in this sample collected more than just
simulated phishing reports. Over a twelve (12) to eighteen (18) month period, these organisations
took in the following counts of “real” suspicious email reports from their users:
1. Large Company Size – More than 1 Million
2. Medium Company Size – More than 40,000
3. Small Company Size – More than 16,000
Large Size Company 38%
Medium Size Company 47.5%
Small Size Company 37%
0 10% 20% 30% 40% 50%

Reporter Rate
Figure 19: Reporting rates by company size
Our final chart from this sample in Figure 18 shows us the percentage of users—with PhishMe
Reporter installed—who have reported at least one (1) simulated scenario or real phish. Again,
regardless of company size, we see high percentages of users reporting, with a range of 37% to 40%
of the population taking part. This is significant when compared to overall susceptibility rates that
generally average 15% to 20% across all types and templates.
Having a higher rate of reporters than those susceptible provides an organisation its best
opportunity to “Get Left of Breach” as we previously discussed.
Measuring Anti-Phishing Programme Effectiveness

When measuring the effectiveness of any anti-phishing programme, we want to look at our results
across the breath of an organisation. Using the model below, we can provide a rating for an
organisation’s current level of maturity and resiliency against phishing attacks.
Level Description
Green The Organisation proactively responds to threats and mitigates them
Yellow Users are alert ----> inspecting emails ----> reporting threats
Orange Users are alert ----> inspecting emails for threats
Red Users exhibit a complete lack of awareness of phishing threats
Figure 20: Organisational levels of effectiveness

The model moves from a complete lack of awareness to proactive response and mitigation of threats.
The key to identifying your current state is to compare your organisation’s trends in susceptibility
and reporting over time. The client sample in Figure 21, shows us an ideal pattern with divergence in
susceptibility and reporting numbers. In other words, as the susceptibility rates continue to decline,
we see more users reporting suspicious emails.
Overall Responses Over Time

100%
50%
0%
MAY 2015 JUL 2015 OCT 2015 DEC 2015 MAR 2016 MAY 2016 JUL 2016 JUL 2016
Click-Only Attachment Data Entry Reported Rate
Figure 21: Diverging trends sample
As suggested by the Phishing Kill Chain model, this company stressed reporting from the very
beginning of their programme. Their programme has been active for eighteen (18) months and is
averaging between 11 and 12 anti-phishing scenarios per year.
Conditioning Users to Report

To further illustrate the importance of conditioning users to report a suspected phish, we analysed
data for clients who have had PhishMe’s Reporter deployed over the past two (2) years. Figure 22
shows the percentage of users who were found susceptible versus the percentage reporting and
shown by the percentage of client users with the PhishMe Reporter feature deployed.
For example, in 2015, for clients who deployed Reporter to 10-20% of their population, the average
susceptibility was ~15%, while the average reporting rate was ~7%. In 2016, those numbers
changed to 13% and 16%, respectively.
The client sample and trending charts in Figure 22 show the effectiveness of implementing a
programme with the Phishing Kill Chain model in mind. By stressing reporting, we see a consistent
reduction in susceptibility and a correlating increase in reporting.

Divergent Trends by per cent PhishMe Reporter deployed

40%
35%
30%
25%
20%
15%
10%
5%
0%
10% - 19%
20% - 29%
30% - 39%
40% - 49%
50% - 59%
60% - 69%
70% - 79%
80% - 89%
10% - 19%
20% - 29%
30% - 39%
40% - 49%
50% - 59%
60% - 69%
70% - 79%
80% - 89%
2015 2016
Per Cent Susceptible Per Cent Reported
Linear Linear
Figure 22: Diverging trends analysis
Figure 22 reveals a few important trends regarding the deployment of PhishMe Reporter:
1. Y ear over year, we see positive trends in reduction of susceptibility with Reporter deployed.
2. In the second year of Reporter deployment, we consistently see average reporting rates
that are higher than average susceptibility rates.
3. R eporting significantly outweighs susceptibility when Reporter is deployed to more than
80% of a company’s population, even in the first year.
Getting “Left of Breach”

Any time we can get more users reporting a phish instead of falling susceptible to it, we provide
our organisation’s Incident Response teams with a real opportunity to reduce the time to mitigate
a potential breach or to eliminate the occurrence of a breach altogether.
2.5
2.0
Average Hours to Report
1.5
Average Time to Report
1.0
0.5
0
<500 500-20K 20K-50K 50K-100K >100K
Company Size
Figure 23: Average hours to report by size

Looking across our data at those organisations with PhishMe Reporter deployed, we could determine
an average reporting time of 1.2 hours, with a range of 2.1 hours on the high end and 0.4 hours on the
low end. In cases such as this, we effectively reduce the standard time for detection of a breach to
approximately 1.2 hours—a significant improvement over the current industry average of 146 days.
New Reporter Reporter Timeline (first 200 reports)

Repeat Reporter
First Reporter: Nov 17, 16 7:07 pm
First Click/Open: Nov 17, 16 7:18 pm
7:30 pm 8:00 pm 8:30 pm 9:00 pm
Figure 24: Left of Breach reporting
While the current average reporting time is 1.2 hours, we can see several instances in our data
where the phishing scenario was reported prior to any users falling susceptible. For example, in
Figure 24, we find an instance where the phishing scenario was reported a full 11 minutes prior to
anyone falling for the phish and exposing company assets. In essence, this client was able to get
“Left of Breach” in the Kill Chain for this scenario.
Phishing Incident Response for SOC and IR Teams

Instituting a formal reporting process for suspicious emails can fall short and overwhelm your SOC
and IR resources. Without a way to organise, assess, and respond to the barrage of reported emails,
the teams may not respond quickly enough to avoid an incident.
PhishMe Triage
PhishMe Triage is the first phishing-specific incident response platform that allows security
operation (SOC) and incident responders to automate the prioritisation, analysis and
response to phishing threats that bypass your email security technologies. It gives teams
the visibility and analytics needed to speed processing and response to employee-reported
phishing threats and decrease the risk of breach.

Conclusions
Through baselining known weaknesses, identifying existing threats, and developing an understanding
of an organisation’s difficulty in recognising specifics types and components of a phish, companies
can institute an anti-phishing programme that significantly reduces the threat of a breach.
With repetition, a sustained and well-executed phishing simulation programme, focused on

conditioning employees to report, provides a significant reduction in overall exposure to risk from this
ever-changing attack vector and improves the security posture of an organisation. By analysing our
phishing simulation and reporting data over time, we have found:
• The combination of appropriate context and emotional motivators delivered greater

response rates from employees to difficult scenarios which, in effect, decreased overall
training time and allowed the organisation to focus on remediating specific phishing risks
with repetitive scenario training on those risks.
• By phishing across an entire employee base, an organisation can quickly increase

awareness, train more people, and identify key triggers that influence employee behaviour.
• It is important to train employees to report phishing attempts as soon as they are

recognised to offset the likelihood that a phishing attempt will be responded to in its first
several hours in a network environment.
• It is possible to significantly reduce the standard time for breach detection from days to
minutes with a conditioned workforce reporting suspicious activity.

Glossary
Phishing - Phishing is defined as any type of email-based social engineering attack, and is the
favoured method used by cyber criminals and nation-state actors to deliver malware and carry out
drive-by attacks.
Phishing emails disguise themselves as legitimate communication, attempting to trick the recipient
into responding by clicking on a link, opening an attachment, or directly providing sensitive
information. These responses give attackers a foothold in corporate networks, and access to vital
information such as employee credentials, communications and intellectual property. Phishing emails
are often carefully crafted and targeted to specific recipients, making them appear genuine to many
employees.
Email-based attacks are an effective, low-cost tool that can bypass many detection methods. The
criminal organisation benefits from this “tool” because there is little chance of capture or retribution.
It is little wonder then that several prominent security firms have confirmed phishing to be the top
attack method threatening the enterprise today:
• In their white paper, Spear Phishing Email - Most Favoured Attack, security firm TrendMicro noted
that spear phishing accounts for 91% of targeted attacks. 1
• The Mandiant APT1 Report cites spear phishing as the Chinese hacking group APT1’s most
common attack method. 2
• In their 2013 report, Verizon traced 95% of state-affiliated espionage attacks to phishing.3
Phishing simulation refers to a course of activities designed to improve employee knowledge,

recognition and response to phishing attacks. The emails are safe and contain links to educational
content to help employees who have fallen for the simulation to understand why the email was
potentially malicious.
Phishing scenario refers to a specific email used in a simulated phishing exercise.
Phishing template refers to email content provided for use in scenarios.
Phishing theme refers to a collection of email scenario templates that use the same context,
motivation or topic to elicit user action.
Repeat offender refers to a person who has shown repeated susceptibility to spear phishing scenario
(has fallen for the simulations repeatedly).
1 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-spear-phishing-
email-most-favored-apt-attack-bait.pdf
2 http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
3 http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf

Appendix
High-response Scenarios
File from Scanner Locky Phish Unauthorised Access eCard Alerts Package Delivery
Transport 49.2% Insurance 34.7% Defence 46.1% Education 44.1% Technology 28.0%
Health Care 30.9% Retail 31.7% Consulting 29.9% Health Care 30.9% Pharma/Biotech 26.1%
Insurance 30.5% Energy 27.8% Insurance 25.3% Insurance 27.1% Legal Services 25.5%
Pharma/Biotech 30.4% Health Care 24.9% Telecoms 24.7% Financial 22.5% Manufacturing 21.3%
Energy 23.7% Utilities 23.6% Technology 24.4% Energy 22.0% Health Care 21.3%
Retail 15.8% Media 18.1% Utilities 17.6% Technology 18.9% Transport 13.9%
Consulting 14.4% Defence 16.1% Travel 15.5% Retail 16.5% Defence 13.5%
Utilities 13.6% Government 11.6% Energy 14.6% Consulting 12.2% Energy 13.5%
Technology 9.9% Non-profit 7.2% Manufacturing 14.6% Manufacturing 9.7% Non-profit 13.3%
Non-profit 5.0% Consulting 2.7% Legal Services 5.9% Government 7.0% Media 7.1%
Grand Total 26.8% Grand Total 20.7% Grand Total 18.1% Grand Total 19.7% Grand Total 19.9%
Financial Info Review Financial Information Digital Fax Order Confirmation Inbox Over the Limit
Health Care 31.5% Technology 36.1% Legal Services 42.0% Education 34.8% Consulting 24.4%
Insurance 27.3% Legal Services 27.6% Telecomm. 32.9% Transport 26.1% Manufacturing 22.8%
Consulting 26.6% Retail 25.3% Defence 28.0% Technology 24.8% Insurance 22.0%
Manufacturing 24.4% Manufacturing 24.9% Consulting 22.1% Insurance 19.6% Defence 20.5%
Technology 19.7% Health Care 24.1% Health Care 21.5% Media 19.0% Health Care 19.5%
Energy 19.2% Non-profit 15.8% Manufacturing 13.2% Manufacturing 13.8% Energy 11.4%
Government 17.3% Energy 15.1% Technology 10.2% Consulting 13.5% Technology 11.3%
Media 15.4% Financial 14.5% Retail 9.1% Pharma/BioTech 12.8% Education 10.6%
Financial 14.6% Media 11.6% Government 8.4% Defence 8.9% Legal Services 8.6%
Retail 13.2% Consulting 2.0% Media 7.3% Retail 6.4% Utilities 1.2%
Scenario Response Rates by Industry

Media Energy Transport Government Financial
Bonus Agreement 42.9% Updated Orgs. 41.8% File from Scanner 49.2% Financial Info. 23.4% Manager Eval. 42.0%
Manager Eval. 42.6% Cleaning Chem. 29.2% Pro-forma Invoice 31.3% Tax Documents 23.1% Time off Request 29.0%
Can’t Send, File Sz Tc 41.3% Locky Phish 27.8% Order Confirm... 26.1% Policy Memo 23.0% Holloween Cost... 27.0%
Corporate Rewards 31.3% Scanned File 26.6% Please Verify... 22.8% File from Scanner 22.7% Forgot Attach... 26.5%
Free Lunch 30.9% News Alert 25.9% eCart Alerts 21.4% Brexit Impact on 20.7% Unauthorised Act. 26.3%
File from Scanner 18.1% Word Documents 18.6% Euro 2016 Tickets 5.5% New Credit Card 13.5% Scanned File 19.6%
Locky Phish 18.1% Digital Fax 18.0% Free Coffee 3.9% Superfish 13.2% Word Documents 19.1%
Dyre Campaign 18.0% Time Off Request 17.8% Email Verification 3.6% Pokémon GO Pol. 13.0% Valentine’s Day... 17.7%
Brexit Impact, Op. 17.7% Bed Bugs Found 17.6% Adobe Security 1.7% Inbox Over Limit 12.6% Digital Fax 17.5%
Comp. Refresh 17.4% New Job Opp... 17.0% Locky Phish 11.6% APT1 17.4%
Health Care Manufacturing Legal Services Pharma/Biotech Technology

Manager Eval. 43.8% Unused Email Ac. 40.7% Scanned File 46.4% Sent From Phone 41.6% Free Lunch 49.4%
Valentine’s Day... 33.7% Notice to Appear 36.0% Digital Fax 42.0% Forgot Attach. 39.3% Financial Info 36.1%
Financial Info 31.5% Confirm Shipping 34.1% Unauthorised Acc 29.3% Employee Satisf. 32.9% Time Off Request 33.3%
eCard Alerts 30.9% Flash Update... 32.0% Financial Info 27.6% File From Scanner 30.4% Package Delivery 30.3%
File from Scanner 30.9% Please Update Dr. 31.3% Package Delivery 25.5% Please Review Co. 28.6% Pro-forma Inv... 30.1%
Unauthorised Acc 22.3% Company Nwsle. 21.9% Free Coffee 8.2% Forgot Attach. 16.1% Computer Refresh 22.0%
Digital Fax 21.5% Inactive Email... 21.9% Word Doc. 8.0% Build Your Own 13.2% Locky Phish 21.6%
Package Delivery 21.3% Complaint Filed 21.4% Shared Folder 7.9% Order Confirm... 12.8% Word Doc. 21.2%
Happy Valentine 20.8% Package Delivery 21.3% Secure Email 7.4% Package Delivery 12.3% Build Your Own 21.0%
Inbox Over Limit 19.5% APT1 21.2% Security Token C. 7.2% Cease and Desist 10.5% Veryify Info 20.9%

Phishing

Uploaded by

Copyright:

Available Formats

Phishing

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Phishing

Uploaded by

Copyright:

Available Formats

What is the purpose of the report?

What is the purpose of the report?

What data is included in the report?

What data is included in the report?

Enterprise Phishing Susceptibility

and Resiliency Report

Phishing and spear phishing remain the No. 1 attack

Report Data Demographics

Phishing Simulations Explained

© Copyright 2016 PhishMe, Inc. All rights reserved.

Why Behavioural Conditioning?

© Copyright 2016 PhishMe, Inc. All rights reserved.

Which Topics or Themes are the Most Effective?

Office Communications 19.9%

Finances and Contracts 18.6%

External Communication 7.8%

Computer Updates 7.5%

0 5% 10% 15% 20% 25%

Comparing Benchmark Scenarios and Customised Templates

© Copyright 2016 PhishMe, Inc. All rights reserved.

File from Scanner 31.1%

Package Delivery - Alternative 25.8%

Unauthorised Access 24.8%

Digital Fax 20.2%

Package Delivery 19.7%

Scanned File 18.4%

RSA Phish 13.1%

Password Survey 12.9%

Secure Email 12.2%

Adobe Security Update 7.0%

Restaurant Gift Certificate 6.7%

Google Docs 6.0%

Funny Pictures 3.4%

0 5% 10% 15% 20% 25% 30% 35%

© Copyright 2016 PhishMe, Inc. All rights reserved.

File from Scanner 23.5%

Locky Phish 21.5%

Unauthorised Access 19.9%

eCard Alerts 19.5%

Financial Info Review 18.6%

Financial Information 18.6%

Order Confirmation 17.0%

Inbox Over the Limit 16.9%

Free Coffee 11.8%

Password Survey 11.7%

Restaurant Gift Certificate 11.4%

Email Migration 8.7%

Background Check 7.8%

Shared Folder 6.8%

Adobe Security Update 3.4%

0 5% 10% 15% 20% 25%

© Copyright 2016 PhishMe, Inc. All rights reserved.

Attachments Versus Links

From: LaserPro_2_2_e <[email protected]>

SENT BY: INELL

Figure 4: The file from scanner customisable template (Click Only)

From: LaserPro_2_2_e <[email protected]>

SENT BY: INELL

Figure 5: The file from scanner benchmark template (Attachment-based)

© Copyright 2016 PhishMe, Inc. All rights reserved.

1. B aseline your organisation’s technical and process weaknesses.