Your employees aren’t as good at spotting phishing emails as they let you think they are

Overconfident Australians say they can spot a phishing email – but 56 percent have had personal or financial data compromised

Credit: ID 127607827 © Microvone |

Employees are less likely to click links in emails from unknown senders on work devices than personal devices, but 49 percent have still clicked links from unknown senders at work, according to new research that found Australian workers are more likely to open SMS links than those in the UK or Japan.

Fully 28 percent of the 1000 Australian office workers surveyed in Webroot’s Hook, Line & Sinker report said they had had personal or financial data compromised during a data breach or hack more than once, with another 28 percent saying it had happened once.

Stunningly, 35 percent admitted that they still hadn’t bothered to change their passwords after the breach – exposing them and their employers to potential compromise from credential stuffing attacks.

Only 29 percent said they had informed legal authorities or government agencies about the incident – suggesting that the actual magnitude of threats reported by organisations like the ACSC and ACORN may be underestimating actual breach incidence by a factor of three or more.

Significantly, just 9 percent of Japanese respondents said they had had personal or financial data compromised during a breach or hack – with just 10 percent saying it had happened once only. This was well behind global averages of 26 percent and 22 percent, respectively.

“Phishing attacks continue to grow in popularity because, unfortunately, they work,” said George Anderson, product marketing director with Webroot.

“Hackers and criminals weaponize the simple act of clicking and employ basic psychological tricks to inspire urgent action. It is vital that consumers educate themselves on how to protect both their personal and financial data and what steps to take if their information is compromised or stolen.”

The importance of suitable scepticism has been an ongoing theme among security firms, with a recent Proofpoint report noting that all kinds of people can be Very Attacked People (VAPs) and pointing out that 99 percent of attacks wouldn’t have happened without the help of their victims.

With workers receiving an average of 52 emails per day and 85 percent admitting they click at least one email link every work day, the chances that one of those links will be malicious are significant.

Malicious actors have additional potential points of exploitation from other channels, with workers clicking on links in search engines (64 percent), text messages (49 percent), social media (48 percent), news apps (36 percent), file sharing sites (34 percent), and chat apps (30 percent).

There were signs that many workers are happy to click on these links because they are confident in their ability to spot a fake: fully 79 percent said they can tell the difference between a genuine email and a phishing message.

Interestingly, Australians were the most confident among the four countries surveyed, with 91 percent of respondents saying they could tell bad from good emails – compared to just 51 percent of Japanese, 87 percent of Americans, and 89 percent of Britons.

Webroot attributes these differences to cultural modesty on the part of Japanese respondents – yet respondents from other countries were not much better at other key protections, such as the 43 percent who said they verify that emailed links match their destinations before clicking on them.

The findings are yet another wakeup call for executives who believe their employees inherently know how to keep their email safe. Heading off disaster, then, requires businesses to get more proactive about user education and security investments.

“For businesses that means implementing regular simulated phishing and external attacks that address the various ways hackers attempt to breach organizations through their users,” Anderson said.

“By combining the latest detection, protection, prevention and response technology with consistent attack training and education, IT Security departments can tackle the people, process and technology combinations needed to successfully mitigate attacks.”

Show Comments