To lower phishing susceptibility, a major financial services company introduced Cofense PhishMe™. By sending a strategic combination of simulated phishes, the company conditioned employees to recognize phishing scams.
Susceptibility dropped to under 10%.
By the end of the program’s first year, more than 95% of employees were resisting most simulations, failing four or fewer, a truly stellar result. And the number of repeat clickers dropped from nearly 1 in 3 to under 1%.
It’s important to raise the difficulty factor as users get better at spotting phishes. For example, when the company sent emails that offered popular holiday e-cards, the susceptibility rate went from 40% in the first simulation to less than 10% by the third.
It’s also vital that simulations reflect active threats in the wild. So, the company simulated a Locky ransomware email, a major threat in the financial sector. While this caused a spike in the susceptibility rate, it also lifted awareness of a dangerous attack type.
And reporting climbed to over 50%.
After getting great results with Cofense PhishMe, the company added Cofense Reporter™ to its anti-phishing arsenal, letting employees report emails with one click.
In less than a year after launching Cofense Reporter, over half the company was reporting phishing. In a recent simulation, the first report came before anyone took the bait. If this had been a real attack, incident responders could have hunted it down before widespread damage occurred.
And back to that Locky exercise: even when susceptibility was high, reporting hovered around 40%. The company has seen this trend over time and across different scenarios. Susceptibility has ebbed and flowed, but reporting has been steady, a sign of growing resiliency against a mix of attacks.
To keep users on their toes, this financial company will likely continue to mix up phishing scenarios. Besides phishing employees by theme, the company might choose to test emotional motivators, those gut reactions to emails that often trigger phishing.
Something else the company might watch: in many organizations, susceptibility mirrors the employee turnover rate. Makes sense, since new employees are often new to anti-phishing, too.
We’re stoked to see this company continue to raise its game. Three years in, their performance is nothing short of exceptional.
Learn more about anti-phishing programs in Cofense’s 2017 Phishing Resiliency and Defense Report.