Canadian Underwriter

Phishing experiment nets insurance and finance industries

December 9, 2021   by Canadian Underwriter Staff

Print this page Share

More than a quarter of finance and insurance professionals took the bait when a phishing email hit their inboxes, said a study from a Laval, Que.-headquartered security awareness training firm.

For users across all industries surveyed, nearly one in five (19.8%) who received a simulated phishing email as part of a global experiment clicked the link in the initial message, said Terranova Security’s 2021 Phishing Benchmark Global Report, released Dec. 2.

Worse, 14.4% of users did not realize the simulation’s resulting webpage was unsafe and clicked the download link for a malicious file.

The report shows the value of using phishing simulations to teach people in organizations about cyber threats, said Terranova’s CEO Lise Lapointe.

“By testing end-user knowledge with simulated attacks similar to threats they may encounter in their everyday activities, organizations can more easily change user behaviors and keep their sensitive information safe,” she said in a press release.

Users who clicked the link that would have, in a real phishing attempt, resulted in a malware download were sent to a page that spelled out warning signs and gave tips on how to avoid future threats.

Nearly one million phishing simulation emails in 20 different languages were sent. To enhance the bait, the email and webpage spoofed Microsoft’s SharePoint interface and the email included instructions for downloading the file.

Other report highlights include:

  • Regionally, North America fared best at not downloading the malware document (11.8%), and Europe was the runner-up (14.9%).
  • By industry, education, finance and insurance, and IT had the highest totals, all scoring over 25%. But healthcare, transport and retail all kept click rates below 10%.
  • IT had the highest click-to-download ratio across all industries, with 84% of those who clicked on the initial phishing link eventually downloading the malware file.

“When you consider [the tournament] takes place during Cybersecurity Awareness Month every year, it’s clear that there’s room for improvement across the board,” said Terranova CISO Theo Zafirakos in the release.


Feature image by