Ouch! Our Report Shows Why the Healthcare Industry Needs Better Phishing Defense

Cofense™ released new research last week on phishing in the healthcare industry. It’s one of those industries that routinely gets hammered by phishing and data breaches. In fact, according to Verizon’s most recent Data Breach Investigations Report, over a third of all breaches target healthcare companies1. One recently reported example: the phishing attack on the Augusta University healthcare system, which triggered a breach that may have compromised the confidential records of nearly half a million people.

None of this is surprising, considering that healthcare lives and breathes data. But our research also found this:

Healthcare lags behind other industries in resiliency to phishing.

This is a cross-industry comparison of healthcare and 20 other major verticals like financial services, energy, technology, and manufacturing. Healthcare’s ratio of email reporting vs. phishing susceptibility shows a meager resiliency rate of 1.34. By contrast, the energy industry’s rate is 4.01 and financial services’ is 2.52.

The Cofense report reveals lots more:

  • Further details on healthcare resiliency to phishing
  • The phishing simulations that fool healthcare employees the most
  • A breakdown of real phishing emails received by healthcare companies
  • A look at crimeware rates among select healthcare organizations

Cofense solutions are helping healthcare companies stop phishing attacks.

Our new report also examines how one healthcare company stopped a phishing attack in 19 minutes. The company uses Cofense solutions for phishing awareness and reporting, plus incident response and threat intelligence. Their complete, collaborative phishing defense prevented a costly breach.

Make sure you’re ready, too. View the report now!

To learn even more about healthcare and phishing, check out our Healthcare Resources Center where you’ll find videos, case studies, white papers, expert blogs, and more.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.


  1. Verizon, 2018.

The El Camino Effect in Anti-Phishing Training

Too often in anti-phishing training, or phishing defense in general, companies look for the wrong threats. That’s understandable to a degree, given that attackers constantly shift their tactics. But it’s a still a problem if, to use a bank heist metaphor, you’re looking for robbers who drive a Camaro vs. an El Camino.

Without training based on the latest and most relevant threats, you’ll increase the odds the bad guys get away. Sometimes when that happens, users unfairly get blamed. Not cool. As anti-phishing program administrators, it’s our responsibility to empower folks to succeed.

Understanding the El Camino Effect

To better frame a wholistic (strategic) approach to stopping phishing attacks, we need to understand the basic model outlined below. It shows why technology—normally, the first line of phishing defense—will  continue to be challenged and subverted by criminal actors.

The model shows how companies typically approach cyber-security with technology, along with the workaround attackers use. Imagine for a moment that several banks, the stand-in for users in this model, have been robbed by a gang of thieves driving a red Camaro.

The immediate response by security professionals (the police): be on the lookout for that red Camaro. Intelligence will be updated; firewalls and email gateways will be set to identify and stop further Camaro attacks in progress.

This is a good thing and exactly how technology should be utilized, but a significant gap in coverage remains. We must ask ourselves: what happens when the gang dumps the red Camaro and begins driving the blue El Camino instead?

An even more challenging question: are we really going to blame the banks (our users and victims) for being robbed because our security systems were looking for the Camaro instead of the El Camino? The same question applies to anti-phishing programs. Does it make sense to point fingers at users whose training isn’t as relevant as it needs to be?

Don’t Blame the Victims!

The answer, of course, is no. While I personally believe that improved anti-phishing requires appropriate use of the carrot and stick, it’s critical that any reinforcement achieves the results you want.

In anti-phishing, the focus needs to be on user reporting, not susceptibility. Understand that users are your last line of defense prior to a breach in the phishing kill chain. Rewarding them for reporting rather than falling victim is key to maintaining positive engagement and increased reporting of suspicious emails.

Too often, I see organizations go too far in the other direction, being too aggressively punitive.  Again, it’s fine to use the stick as well as the carrot, but not if it places blame on people who were trained to look for a Camaro and missed the El Camino. Let’s be clear about who’s to blame: first and foremost, the criminal hackers. And the responsibility for stopping them starts with us, the phishing awareness professionals, not our users.

A better solution begins when we understand (and admit to ourselves) that attacks will make it past perimeter defenses. Any assumption that technology alone will stop an attack is, quite frankly, irresponsible.

As the El Camino model demonstrates, any bank would (and by the way, most do) implement a response strategy for those times the criminals bypass the early warning and mitigation capabilities. Banks utilize silent alarms, activated and monitored by people, to protect against and respond to robberies in progress.

Anti-phishing programs need to do the same.

Collaboration is Key

At conferences over the last few years, security vendors have pushed a new silver bullet— machine learning and artificial intelligence. Honestly though, we should be learning a key lesson from decades of security breaches and the history of change in associated technology.

That lesson is simple: no single technology investment will stop all attacks on our networks and users.

Further, we need to recognize the leading security issue of our time: human interactions with and management of available technology. Put simply, we can no longer ignore the fact that criminal actors, security professionals, and victims are all people doing their best either to subvert or harden the protection of personal (private) and corporate (confidential) data and communications.

It is at this intersection of technology and people where we can achieve the most gains in cyber-security.

The first step is to implement solutions that empower not just awareness but the user’s capability to recognize, report, and mitigate threats. Working with your security teams, you need to base awareness training on active threats, whether they’re Camaros, El Caminos, or Ram trucks.

I have seen this collaborative, user-integrated model achieve stunning results, over and over and over. If we really want to stem the rising tide of breaches, we can’t make criminals of victims. Instead, let’s combine our security technology with well-trained humans. Let’s empower everyone to succeed—except the guys in the El Camino.

To learn more about phishing awareness effectiveness, view the 2017 Cofense™ Phishing Resiliency and Defense Report.


All third-party trademarks referenced by Cofense, whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

“Value at Risk”: Focus Your Anti-Phishing on the Bottom Line

Part 1 of 3:

Over the past year at Cofense, we’ve introduced and discussed the importance of elevating the visibility of anti-phishing programs to the Board of Directors level. The key measures we presented included a measure of capability we refer to as ‘resilience’ and enumeration of which specific attacks your organization may be facing.

As a result, the questions we are now answering for board members globally are –

  1. “What phishing threats do you need to be the most concerned with?”
  2. “How likely are you to stop those specific attacks in progress?”

In the same time frame, the World Economic Forum’s Partnering for Cyber Resilience initiative proposed a model for quantifying the financial impact of cyber-threats. It’s called value at risk (VAR) and can be quite useful when applied to phishing.

While the two measures mentioned above can and do begin to answer the questions already posed, they can also enable us to better understand and measure the Value at Risk associated with different types and models of attacks.

In other words, we can answer even more questions for your CEO and Board.

  1. “If this phishing attack breaches our network, how much will it cost us?”
  2. “Which phishing attacks should we worry about the most?”
  3. “Are we improving our capability to resist those attacks?”

Here’s How It Works

Most breaches begin as phishing attacks. People quibble over the exact stat, but no one doubts that phishing is the #1 attack vector. It’s easy enough to fool employees  into clicking on an email loaded with malware or a social engineering scam. One example: a crook in Lithuania fleeced Facebook and Google out of $100 million via emails spoofing a legitimate vendor asking for wire transfers.

To understand the risks of similar scenarios, a phishing-specific VAR model pulls together multiple data points to better visualize the impacts of:

  1. Known Active Threats —
    • Highlights the type and frequency of phishing attacks your company currently faces.


Note: The above graphic represents results of active threat phishing simulations run from March through May of 2018. Note the decline in resilience for those simulation models as the chart moves left to right. This indicates lower resilience for the threats listed to the right-hand side of the chart. Were these your company’s results, your program would best reduce current risk by focusing on repetition of those lower resilience simulations.

  1. Company Resilience to Known Active Threats —
    • A ratio representing the ratio of reporting to susceptibility
  1. Associated Dollars at Risk —
    • Identify and document the value of any impacts or losses from a phishing-related breach and the estimated cost of recovering from that breach.

These 3 factors can be tied together to provide a visual representation of phishing value at risk. In the chart below the X-axis represents the frequency of known attacks (increasing left to right). The Y-axis represents the capability to recognize and report (measured as the ratio of reported only over those susceptible in simulations) those specific threats. The size of the plot point indicates the value of data potentially exposed as part of your active threat simulations.

Plotting frequency (likelihood) of attack, your capability to recognize and report, and value of exposed data, as outlined above, shows your active-threat risk profile. The visual helps identify the specific types of attack your anti-phishing programs should focus on. To address higher-risk threats, simulate them more often.

Note: all threats identified on your chart represent a risk of exposure. Those plotted in the upper right are the most frequently faced and that your company is least likely to recognize and report.

To recap, knowing your phishing VAR means knowing the types and frequency of phishing attacks your organization faces, your ability to resist each type of attack, and the dollars each type might expose. An understanding of value at risk keeps your anti-phishing relevant, both in awareness training and incident response.

It also helps your leadership team make more confident decisions about risk tolerance, cyber-security investments, and risk mitigation strategies. You’ll be using your anti-phishing program data to figure out optimum ways to protect… data and dollars.

Next week in part 2, we’ll look at ways to assess the value of everything you protect. For another perspective on how to maintain your anti-phishing program, view our “Left of Breach” e-book.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Love Hurts – But Catphishing Doesn’t Have To

For the past few years we have discussed the power of emotion in phishing emails. This is never more valuable to understand than during the upcoming Valentine’s season. The traditions of gift giving to current partners and the romanticized notions of hearing from a secret admirer are so firmly ingrained in our minds that we become easy targets for scam artists.

Refocus Your Anti-Phishing From Vulnerability To Capability.

In our 2017 Enterprise Phishing Resiliency and Defense Report, PhishMe® discusses the importance of moving past susceptibility as a key indicator of anti-phishing program success. We want to shift the conversation from vulnerability (susceptibility) to capability (resiliency).

That is, what are an organization’s current anti-phishing capabilities—and how is positive behavior increasing them over time to build resiliency?

The chart below tracks behavior among our clients’ users during phishing simulations. In it, resiliency equals users that “reported only” divided by “all that fell susceptible.” (The latter includes those that reported after falling for simulated phishes.)

Figure 1 – Three-year Resiliency Trend across PhishMe Clients

As you can see, PhishMe clients using PhishMe Reporter® show consistent gains in the capability to recognize and report phishing simulations. In other words, they are becoming more resilient to attack.

Using our formula…

Resilience = Users that Reported Only/All Susceptible

…we can determine the current level of resilience, to any specific phishing simulation or known active threat model. It’s a snapshot of the capability to recognize and report.

To see how this capability changes over time, let’s look at a chart that measures all the ways users behave in simulations.

Figure 2 – Behavior Analysis Chart

While the ideal outcome would be for all tested users to report only, that’s unlikely to happen. But, we can track two other key percentages shown above:

  1. Responded to Simulated Phish – Did Not Report
  2. Responded to Simulated Phish – Reported

Because the change you want to see is the reporting of suspicious emails, you expect to see a steady increase in “reported only” or “responded and reported.” Thus, if you were to run the simulation above again to the same user base, you would want an increase in the 43.63% of “reported only” and the 2.25% of “responded and reported.” You would also want a decline in the 14.23% of users that did not report.

This shows how the real goal of anti-phishing programs goes beyond finding vulnerabilities. The longer-term goal is to fortify capability—to build resiliency. Simply put, you want every user that interacts with a simulation to report it.

To learn more about successful anti-phishing programs, be sure to download the 2017 Enterprise Phishing Resiliency and Defense Report.

PhishMe Clients Are Reporting Ransomware Emails. Are You?

With the steady rise in ransomware attacks and success, it’s highly likely that related phishing variants will continue to permeate the landscape in 2018.

While this is not a new threat, it’s one that you want to be truly prepared to face. With that in mind, we looked back into our 2017 data and what we found is good news for those clients running active threat ransomware simulations in their environment.

Across 246 simulations and more than 712k emails, the aggregate resiliency score was 2.63. This means that for every susceptible user, there were more than 2 that reported the threat in our simulations.



What this ultimately shows us is that clients can develop recognition and reporting capabilities for these types of attacks when active threat templates are used in immersive simulations. Further, it indicates that these organizations are better prepared to mitigate this threat should it materialize in their environments.

As we have discussed in past blogs, these results highlight the importance of understanding what your organization is seeing in terms of real attacks and that anti-phishing programs should focus on those threats to mitigate the risk of breach.

This represents a fundamental shift in how we think about getting ahead of hackers, APTs and other malicious actors. In the past, the conversation has always been about how fast we identify a breach after the fact.

Now, it’s about utilizing “crowd sourcing” as a strategy to catch hackers in the act.

At PhishMe®, we do this by ensuring our anti-phishing programs include spear-phishing simulations that target high value, at-risk users with scenarios that mimic real world attacks. Each immersive simulation includes reporting instructions for those that fall susceptible and conditions users to do their part for organizational security.

How to Pay It Forward

Utilize multiple intelligence sources to identify exactly who is being targeted by what type of phish and mimic those attacks on a broader scale to drive recognition and reporting of specific threats.

  1. Work with your intel and incident response teams to identify active phishing attacks against your organization.
  2. Model simulations based on those identified threats.
  3. Stress the importance of reporting for all users that recognize a phish (even in the event of susceptibility).
  4. Repeat low resiliency simulations to improve performance and increase organizational capabilities.

Take Action

As the data in this blog shows, we can prepare an organization’s users to resist active threats.

The key is developing the ability to act on what is being reported. In other words, until we analyze reports of suspected phishing attacks we are only collecting intelligence data.

It’s time to take that data and make it actionable.

Current PhishMe Triage™ Managed Services data shows us that 10% of reported (suspected) phish are, in fact, malicious. This means that 10 out of every 100 suspected phish that made it past your perimeter defense have the potential to cause a breach.

It’s through analysis of those reports and mitigation of validated threats that we pay ourselves (by reducing value at risk) and avoid paying ransoms to malicious actors. The companies in our data set above are prepared to do just that.

Are you?

To learn more about becoming more resilient to phishing, download the 2017 Enterprise Phishing Resiliency and Defense Report.