Please fill in the form below to subscribe to our blog

What Phishing Tricks Do Employees Fall for?

June 10, 2022

See What Hooked Employees in Training Sessions with BullPhish ID

Phishing is the scourge of business cybersecurity. The precursor to many devastating cyberattacks like ransomware, account takeover and business email compromise, it’s also one of the toughest threats for IT professionals to conquer in an organization. Employees are notoriously bad at spotting and stopping phishing without consistent security and compliance awareness training, creating security risks that cybercriminals are more than happy to exploit. Learning more about how phishing has evolved and exactly which phishing tricks employees are likely to fall for can help provide insight into how to make all the right security moves to blunt the impact of phishing. 

Excerpted in part from The Global Year in Breach 2022 available now! GET IT>>

Drill down to the bottom line to see why security & compliance awareness training is a smart investment. GET IT>>

The Influences That Shaped Today’s Email Security Landscape 

These 2021 trends underpin the business email security picture right now and lay the foundation for future challenges that organizations will face. 

Phishing-Related Cybercrime is Booming

Phishing paved the way for other damaging cyberattacks

Get the cheat codes to defeat cybercrime in our eBook The Security Awareness Champions Guide GET IT NOW>>

Here Are the Scams That Employees Fall for In Training Sessions 

Untrained employees are a massive security risk because they’re highly likely to fall for the most common cyber threat they’ll face: phishing. An estimated 97% of users are unable to detect a sophisticated phishing email. Our award-winning security and compliance awareness training solution BullPhish ID is used by organizations of all sizes in a wide variety of industries. Analyzing the results of thousands of phishing resistance training sessions and phishing simulations with BullPhish ID illustrates the degree to which phishing is an ongoing challenge to conquer as well as the phishing scenarios in which employees are most likely to take the bait.

2021 BullPhish ID Phishing Resistance Training Totals    

  • Total number of training campaigns created – 81,484 
  • Total number of phishing simulation emails sent – 2,424,762   
  • Total number of clicks on phishing simulation emails – 106,670 

Top 3 Security Awareness Training Courses of 2021 

  1. Phishing: Introduction to Phishing – 150,163 created trainings 
  2. How to Avoid Phishing Scams – 129,666 created trainings 
  3. Phishing: The Dangers of Malicious Attachments – 100,265 created trainings 

Top Phishing Simulations That Successfully Drew Employee Interaction   

  1. Office 365 – Suspicious Login – 10,879 clicked   
  2. FedEx – Package Delivery – 6,535 clicked   
  3. Google Docs – Invitation to Edit – 4,492 clicked   

Top Phishing Simulations That Captured Credentials & Data    

  1.  FedEx – Package Delivery – 2,056 captures   
  2. Office 365 – Suspicious Login – 1,736 captures   
  3. COVID-19: SharePoint Webinar – 1,440 captures  

Get a step-by-step guide to building an effective security and phishing awareness training program. GET GUIDE>>

Top 10 Industries That Fell for the Bait in Phishing Simulations

Employees in every sector are susceptible to phishing, including IT, the sector that topped the list for failing phishing simulations. These are the top 10 industries where employees fell for the bait in a phishing simulation and supplied their credentials. The number of failures in each industry studied is included.

  1. High-Tech & IT — 3,755    
  2. Medical & Healthcare — 3,504  
  3. Other — 4647  
  4. Manufacturing — 1,801    
  5. Non-Profit Organization — 1,758   
  6. Education & Research — 1,522  
  7. Finance & Insurance – 1,239  
  8. Business & Professional Services – 1,144  
  9. Retail & Ecommerce — 1,046  
  10. Legal — 704 

See cybercrime trends & the results of thousands of phishing simulations in The Global Year in Breach 2022. DOWNLOAD IT>>

Brand Impersonation is All Too Effective 

As you can see from the real phishing simulation data we’ve delivered above, brand impersonation, misrepresentation or spoofing is a tremendously effective way for the bad guys to get the job done. The Verizon Data Breach Investigations Report 2021 shows the rapid rise of brand impersonation, called Misrepresentation in this report. The threat clocked in 15 times higher in 2021 than it did in 2020. Today’s work circumstances lend themselves well to brand impersonation scams. High email volumes translate into high volumes of phishing messages headed for employee inboxes. Add the continued reliance on email as remote work continues and the increasing sophistication of phishing messages to the mix and this combination of factors creates the perfect climate for brand impersonation scams to thrive.  

Employees encounter brand impersonation frequently – 25% of all branded emails that companies receive are spoofed or brand impersonation attempts. Traditionally Microsoft holds the top spot on the list of most imitated brands. But DHL surpassed them at the end of 2021, accounting for almost a quarter of branded phishing attempts. Microsoft still came in at number two, present in one-fifth of brand impersonation phishing schemes. Communication juggernaut WhatsApp came in third with Google just on its heels. LinkedIn is a perennial cybercriminal go-to, but Facebook (now going by Meta) has fallen out of fashion.  

The 10 Most Impersonated Brands

  1. DHL 23%   
  2. Microsoft 20%   
  3. WhatsApp 11%   
  4. Google 10%   
  5. LinkedIn  8%   
  6. Amazon  4%   
  7. Roblox  3%   
  8. FedEx  3%   
  9. PayPal  2%   
  10. Apple  2%   

Source: ZDnet

See the top 5 risks businesses face from nation-state cybercrime and how to stay out of trouble. GET LIST>>

Untrained Employees and Email Are a Recipe for Data Loss  

In a recent study, data loss via email was cited as the top data security risk that businesses face today. Employee negligence and lack of understanding about data security are big contributors to the problem. Researchers determined that 73% of organizations in the study were concerned that employees do not understand the sensitivity or confidentiality of data they share through email. That lack of understanding is visible across an organization. Marketing and public relations departments are most likely to put data at risk when using email (61%), closely followed by production/manufacturing (58%) and operations (57%). 

Why does this keep happening? Even knowing about the risk of data loss via email, most organizations do not have adequate training in place to educate employees about data handling and email safety. The researchers in this study determined that while 61% of the IT leaders surveyed said that their organizations had some kind of security awareness training program in place, only about half of them felt that those programs properly addressed the sensitivity and confidentiality of the data that employees can access or transmit via email. 

Is it time to update your security awareness training policy – or create one? These 6 tips can help! DOWNLOAD NOW>>

Security and Compliance Awareness Training Dramatically Reduces Phishing Risk

Did you know that security and compliance awareness training can reduce an organization’s chance of experiencing a cybersecurity incident like phishing by up to 70%? Training is one of the smartest high ROI technology investments an organization can make.

BullPhish ID is the ideal training solution for companies of every size. It’s packed with features that make the training process efficient, effective and easy for everyone.  

Preloaded phishing kits help employees learn to spot and resist the phishing lures or scenarios they face every day.   

Video lessons on subjects like ransomware, compliance, password safety, security hygiene and more give every employee a solid grounding in cybersecurity best practices.  

We add 4 new videos a month in 7 languages to make sure that your users are trained on the risks and compliance requirements that they’re facing right now!  

Automate training delivery, testing and reporting.   

Book a demo of BullPhish ID now! 

dark web threats

Read case studies of MSPs and businesses that have conquered challenges using Kaseya’s Security Suite. SEE CASE STUDIES>>

let us help secure you against passwords reuse with contact information and the ID Agent logo on grey.

Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!


Check out an on-demand video demo of BullPhish ID or Dark Web ID WATCH NOW>>

See Graphus in action in an on-demand video demo WATCH NOW>>

Book your demo of Dark Web ID, BullPhish ID, RocketCyber or Graphus now!