South Florida Hospital News
Monday July 22, 2019

November 2018 - Volume 15 - Issue 5

Data: Your Employees May Be More Vulnerable to Phishing Than You Think

New research from PhishNet by Kaufman Rossin® shows the email bait employees take
Phishing remains one of the most common methods of cyber attack, representing at least 90% of cyber attacks worldwide. Even organizations with dedicated cyber defense budgets, such as hospitals and healthcare organizations, find themselves challenged by phishing attacks.
Most organizations have valuable information, including account numbers, customer lists, trade secrets, intellectual property, and personal information. Fortunately, Kaufman Rossin’s research indicates there are ways to reduce the vulnerability of your people and your organization to phishing attacks.
Kaufman Rossin gathered data from more than 115 phishing simulations performed for clients in the past two years, which included organizations throughout the United States and Latin America. 
PhishNet by Kaufman Rossin® is a security awareness and training service that analyzes threats and risks to an organization and sends customized, fake phishing emails to its employees. Employees who click are instantly redirected to a brief training, and Kaufman Rossin’s cybersecurity professionals analyze the results and recommend solutions to the organization’s management team.
How often are employees clicking on phishing emails?
According to Verizon’s 2018 Data Breach Investigations Report (DBIR), on average 4% of people will click on a phish (i.e., link or attachment in an email) from a typical phishing campaign. The click rates for simulations performed through PhishNet by Kaufman Rossin® are notably higher than the DBIR average, consistent with expectations, as the service involves increasing the difficulty of phishing email scenarios according to an organization’s inherent risks and management’s instructions. 
Kaufman Rossin’s research looks at organizations in the financial services, healthcare, professional services and technology sectors. Among these industries, professional services has the highest average click rate at 21%. Financial services is second at 14%, followed closely by healthcare at 13% and technology at 12%.
An effective training and security awareness program continues to be one of the most powerful defense resources available. In fact, 41% of the clients of PhishNet by Kaufman Rossin® saw a decrease in click rates after the first performance of a phishing simulation training and security awareness exercise. 
What types of phishing emails do employees click on?
One significant challenge in implementing an effective cybersecurity training program is that cross-disciplinary skills are needed: training and education personnel tend to have the skills for delivering the training, whereas IT personnel tend to understand the threats and weaknesses involved.
Kaufman Rossin’s data suggests that risks may be directly addressed by designing procedures and training against the most effective phishing pretexts and scenarios: human resources (HR) message, voicemail notification, regulatory service or business and social media notification.
HR message – The highest click rates are for emails related to human resources messages, such as messages that refer to vacation, pay, or benefits. Not surprisingly, employees tend to get emotional – and sometimes act quickly – when their compensation or benefits are being discussed. To reduce this risk, train employees to recognize these scenarios and design communication channels to be less susceptible (e.g., sharing some information through a company portal instead of email).
Voicemail notification – Phishing attacks imitating voicemail notifications are also frequently clicked on. When asked why they clicked, participants expressed curiosity about the message or anxiety about missing important information. Training to recognize these types of scenarios presents an opportunity to educate employees about the broader issue of social engineering (i.e., attackers using emotions to manipulate behavior).
Regulatory service or business – Regulatory agencies, associations and vendors often send notifications to professionals, which could lead to a dangerous habit of clicking on links in emails without hesitation. Train employees not to let their guard down just because a communication appears to come from a trusted association or authority. 
Social media – For employees whose role does not involve access to social media, consider a policy that prohibits the use of devices and work email for social media and other personal use. Also consider enabling web content filtering to enforce the policy. Implementing these changes should make it easier for employees to spot an email using the pretext of a social media notification.
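The four pretexts above can also drive a triage rule at the mail gateway, one concrete way to design communication channels to be less susceptible: an HR or voicemail notice that arrives from an outside domain is held, and an external regulatory or social-media notice that carries a link gets a warning banner. This is an added example, not code from the article or from Kaufman Rossin; the keyword cues, the internal domain example.com and the sample message are constructed assumptions.

```python
import re
from email import message_from_string

# The four pretexts the article identifies; the keyword cues are constructed for this example.
PRETEXT_CUES = {
    "hr_message": ("vacation", "payroll", "pay stub", "benefits", "compensation"),
    "voicemail": ("voicemail", "voice message", "missed call"),
    "regulatory_or_vendor": ("regulatory", "compliance notice", "license renewal", "invoice"),
    "social_media": ("linkedin", "facebook", "new connection", "tagged you"),
}
# Assumption: the organization's own mail domains; HR and voicemail notices only originate here.
INTERNAL_DOMAINS = {"example.com"}
LINK_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)

def classify_pretext(subject, body):
    """Return the first pretext category whose cue appears in subject or body, else None."""
    text = (subject + "\n" + body).lower()
    for category, cues in PRETEXT_CUES.items():
        if any(cue in text for cue in cues):
            return category
    return None

def triage(raw_email):
    """Apply a constructed gateway policy to one raw RFC 822 message and return the decision."""
    msg = message_from_string(raw_email)
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    external = (match.group(1).lower() if match else "") not in INTERNAL_DOMAINS
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain"
    )
    pretext = classify_pretext(msg.get("Subject", ""), body)
    has_link = bool(LINK_RE.search(body))
    if external and pretext in ("hr_message", "voicemail"):
        action = "hold_for_review"  # internal-only notice arriving from an outside sender
    elif external and pretext and has_link:
        action = "banner"  # external regulatory/vendor or social notice carrying a link
    else:
        action = "deliver"
    return {"pretext": pretext, "external": external, "has_link": has_link, "action": action}

# Constructed sample message, not real mail: an HR-pretext notice from an outside domain.
SAMPLE_EXTERNAL_HR = """From: HR Portal <benefits@hr-benefits-update.net>
To: staff@example.com
Subject: Action required: your updated benefits enrollment

Review your 2019 benefits election before Friday: http://hr-benefits-update.net/enroll
"""
```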
Going forward
For the foreseeable future, phishing will continue to be one of the most popular methods of cyber attack across industries. Organizations in highly regulated industries and those with sensitive information should be especially concerned about the risk of employees falling victim to phishing and potentially exposing the organization to significant financial losses and other risks.
A robust cybersecurity awareness and training program can make a significant difference in an organization’s ability to secure its people, resources, and reputation – especially when it includes highly customized phishing testing and training designed with an understanding of the most effective types of attacks and the organization’s unique profile and challenges.

Alejandro Mijares and Roberto Valdez are risk advisory services managers specializing in cybersecurity at Kaufman Rossin, one of the top 100 CPA and advisory firms in the U.S. You can reach Alejandro at and Roberto at