1 in 3 Employees Fall for Phishing Attacks Without Training

A recent study by KnowBe4, a cybersecurity company, proved that it is not advanced technology but people who are the weakest link regarding business security. More specifically – untrained personnel.

The 2022 Phishing By Industry Benchmarking report states that up to 32.4% of untrained employees are likely to click a malicious link in a simulated phishing attack. This means that, statistically, one out of three people without prior cybersecurity training will fall for a social engineering attack.

Who is most likely to fall victim?

The results of the 2022 report are even more alarming when broken down by industry and organization size. According to the document, in several large organizations (more than 1,000 employees), over 40% of staff were likely to fall for phishing scams. Here are the most concerning examples:

  • banking industry with 43.5% of employees prone to manipulation;
  • insurance industry with 52.3% of employees prone to manipulation;
  • consulting industry with 52.2% of employees prone to manipulation[1].

However, the report does not end there. KnowBe4 also included employees of organizations that provide training in its study. The results show that even 90 days of security awareness training can seriously reduce the risk of falling victim to a social engineering attack: in that test, 17.6% of employees fell victim, a big drop from the previous 32.4%.

The same test conducted on employees with more than a year of consistent security training was even more promising. The simulated phishing attack fooled only 5% of users.

Why is phishing so powerful?

Business owners are afraid of cyberattacks for a good reason. Hackers and malicious software can generate financial losses running into millions of dollars. However, as the report states, 82% of breaches in 2022 involved human error.

Cybercriminals have long discovered that exploiting people is cheaper and easier than developing sophisticated malware and focusing on the technical side of corporate security. Unfortunately, many organizations continue to ignore this fact. Employees are left without proper training while criminals perfect their methods.

Companies are investing huge amounts of money in advanced software and technology, which of course, is very important, but neglecting staff training can defeat these precautions. This is especially evident after the pandemic crisis when many businesses operate online and are more susceptible to cyberattacks.

What is proper training?

The 2022 Phishing By Industry Benchmarking report proves that proper training can reduce the risk of employees falling for phishing attacks and exposing confidential information to cybercriminals. According to the study, even 90 days of staff training can increase awareness.

What should such training include? KnowBe4 says it’s good to conduct a baseline, simulated phishing attack, demonstrating the need for improvement. Experts advise introducing employees to engaging videos and interactive course materials instead of boring presentations and lectures.

Employees should learn to recognize malicious e-mails, links, and websites. This, of course, takes time, so one training session every now and then is not enough. Training should be consistent. Staff should learn to check e-mail senders, verify website security protocols, and scan messages for obvious evidence of fraud (such as misspellings).

Last but not least, it’s a good idea to test employees from time to time by conducting a simulated phishing attack. This reinforces new habits and improves awareness.
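As an added illustration of the sender and link checks the article recommends (example code written for this page, not from KnowBe4 or the report), the script below parses two constructed messages and flags a look-alike sender domain, a Reply-To that differs from the From domain, and a link whose visible text names a different host than its target. The trusted domain and both messages are assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = {"example-corp.com"}  # assumed: the organisation's own domain (constructed)
LINK = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' when absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw, trusted=TRUSTED):
    """Run the sender and link checks the article lists; return a list of findings."""
    msg = message_from_string(raw)
    sender, reply, findings = domain_of(msg["From"]), domain_of(msg["Reply-To"]), []
    for t in trusted:  # look-alike sender: very similar to a trusted domain but not equal
        if sender and sender != t and SequenceMatcher(None, sender, t).ratio() >= 0.9:
            findings.append(f"sender domain {sender} looks like trusted domain {t}")
    if reply and reply != sender:
        findings.append(f"Reply-To domain {reply} differs from From domain {sender}")
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "".join(p.get_payload() for p in parts if p.get_content_type() == "text/html")
    for href, text in LINK.findall(body):  # link text shows one host, href goes elsewhere
        text = re.sub(r"<[^>]+>", "", text).strip()
        if URLISH.fullmatch(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            actual = urlparse(href).hostname
            if shown and actual and shown != actual:
                findings.append(f"link text shows {shown} but points to {actual}")
    return findings

# Constructed sample messages (not real mail): one suspicious, one clean.
SUSPECT = """From: "Example Corp IT Helpdesk" <helpdesk@examp1e-corp.com>
Reply-To: recover@mailbox-reset.example.net
Subject: Urgent: your password expires today
Content-Type: text/html

<p>Please verify your acount at <a href="http://login.example-corp.com.evil.test/">https://login.example-corp.com</a> within 24 hours.</p>"""
CLEAN = """From: "Jane Doe" <jane@example-corp.com>
Subject: Minutes
Content-Type: text/html

<p>Notes are on <a href="https://intranet.example-corp.com/minutes">https://intranet.example-corp.com/minutes</a>.</p>"""

if __name__ == "__main__":
    for name, raw in (("SUSPECT", SUSPECT), ("CLEAN", CLEAN)):
        print(name, triage(raw) or ["no findings"])
```

The same checks, run over a mailbox export, are a cheap way to pick messages for a post-training review session.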

How can companies improve their security?

Phishing awareness training is the most important part of reducing the risk of a breach by human error, but let’s not forget other safety measures, such as:

  • Other cybersecurity training. Phishing, while common, is not the only problem when it comes to human error. There are other ways to compromise a company’s safety, such as leaving work devices unattended or downloading files from untrusted sources.

    Cybersecurity training should also include the proper use of antimalware software, creating and storing passwords, securing devices by enabling MFA, etc.

  • Improving safety by implementing security tools. Trained personnel and secured infrastructure are two elements that work best when combined. A well-secured company should invest in the right safety measures, such as good software.

    It is also important to remember to secure connections – especially for companies that operate online and hire remote workers. Experts advise using a trusted VPN, such as NordVPN, to protect data with strong encryption and reduce the risk of information being stolen by hackers.

  • Limiting data access. No employee should have access to every bit of company data. It is a good idea to limit access to data so that each staff member can do their job but cannot compromise other information. This reduces the risk of confidential data exposure in a potential breach or attack.


[1] Source: 2022 Phishing by Industry Benchmarking Report
