When phishing links are dangled before insurance professionals, do they go for the bait?

There’s good news and bad news when it comes to insurance industry employees clicking on phishing email links, according to a recent study from a Laval, Que.-headquartered security awareness training firm.

The good news is that global “finance & insurance” employees were the second-best sector in terms of not clicking on a phishing link. The bad news is that 14.2% of finance and insurance employees still clicked the link.

The average of all 10 industries surveyed was 19.8%, said the latest issue of Terranova Security’s 2020 Phishing Benchmark Global Report, released Monday.

Education was the least gullible industry sector surveyed, with only 11.3% going for the phishing bait. At the other end of the spectrum, public sector employees clicked on the link 28.4% of the time.

The survey results were tallied from the latest Gone Phishing Tournament, an annual cybersecurity event that uses a phishing simulation to collect representative data about phishing data. Generally speaking, phishing is an email, phone or text message that tricks someone into divulging sensitive data such as personally identifiable information, banking and credit card details, and passwords.

According to the 2020 Gone Phishing Tournament results, nearly 20% of employees are still quick to click on phishing email links, even if their organization already had either a security awareness or phishing-related training program in place. “Once those individuals clicked, the majority continued down a slippery slope,” the report said.

iStock.com/calvio

A total average of 67.5% of clickers entered their credentials on the simulation’s phishing webpage. The financial and insurance industries fared best at 61.1%; the public sector fared worst at 72.8%.

Even at the lowest levels, though, “those performance ratios still represent a click-to-submission ratio of at least six out of ten people, a figure that isn’t likely to impress business leaders and cybersecurity experts,” the report said. “These findings highlight why it is critical to establish, maintain, and optimize an effective security awareness training program and support it with real-world phishing simulations.”

This year’s tournament included global organizations of all sizes (from 1-99 employees, up to 3,000+). The tournament’s template was supported in 12 languages and participants came from 98 different countries (31% were from North America).

The results revealed a substantial year-over-year increase in participating end-user click rates. While 19.8% of all recipients in 2020 clicked on the phishing link, only 11% click on the link in 2019.

“The results outlined in the Phishing Benchmark Global Report come at the tail end of what has been a tumultuous year for businesses worldwide,” Terranova Security said in a press release. “The global COVID-19 pandemic resulted in many organizations changing how they work and featured a spike in remote or remote-hybrid workforce adoption. However, distributed virtual offices have lessened the effect of technical data protection measures and consequently put employees’ ability to successfully detect and avoid phishing threats under a microscope.”

Did the size of the organization (and possibly the resources at its disposal) affect the number of users who clicked the phishing link? “The short answer is not really,” the report said. “The phishing simulation used had a similarly significant impact across all organization size ranges.”

Location did matter, however. North American users struggled the most with the simulation. More than one-quarter from this region clicked on the phishing email link.

“Appealing directly to remote-based work policies, the scenario preyed on the anxiety and responsibility many professionals may be balancing during their organization’s digital transformation,” the report said. “As a global leader in both business and information technology, North American organizations in particular must improve these results if they hope to avoid repercussions from targeted cyberattacks down the road.”

Feature image by iStock.com/Chainarong Prasertthai