Job Security: Certain Industries More Susceptible to Phishing

When it comes to falling prey to a phishing email scam, one study found that those working in certain industries are more likely than others to be fooled.

A study released this summer by KnowBe4 found that those who work in construction are the most susceptible to phishing attacks among small-to-medium-sized businesses and the second-most likely to fall for a phish among large corporations. Workers in the hospitality industry were the most likely to fall for a phish in the large business category.

The “Phishing by Industry 2019” report analyzed data from nearly 9 million users across 18,000 organizations with simulated phishing security tests across industries in three categories: small, up to 250 workers; medium, 250-999; and large, 1,000 and more. In addition to construction and hospitality, other industries that fared poorly included retail/wholesale, insurance, manufacturing and energy/utilities.

An Old Strategy That Still Packs a Punch

KnowBe4 refers to the likelihood of falling for phishing as a “phish-prone percentage,” or PPP. The PPP, they said, is an indicator of how many employees in an organization are likely to fall for a social engineering or phishing scam. The survey found the overall PPP among end users rose 2.6% in 2019 to 29.6%.

Dave Gruber, senior analyst with Enterprise Strategy Group, noted that, regardless of industry, phishing continues to be a stealthy and effective way to snare victims.

“Simple, mass-targeted phishing emails have become far more sophisticated, with today’s phishing attacks often comprising multiple, targeted emails to specific people at select companies,” said Gruber. “As bad actors become savvier in their approaches, they gather publicly available information about empowered individuals and then attempt to trick unsuspecting subordinates by making specific requests for payments or redirected funds. These attacks can start using email or involve texting to further convince users that the request is from a valid source.”

Gruber also cited FBI statistics to note how much the business email compromise (BEC) form of phishing has gained ground as a tactic in all industries. According to the FBI 2018 Internet Crime Report, financial losses from BEC have increased by 427% to $1.3 billion since 2015, he noted.

Awareness Training Can Improve Click Rates

KnowBe4, which provides awareness training, did note in its report that training led to better eventual outcomes in organizations that had high levels of susceptibility. In the construction industry, 90 days of combined computer-based training and simulated phishing security testing led to a decrease in PPP numbers in companies of all sizes. After 12 months, the reported PPP fell further.

Kurt Alaybeyoglu, senior associate with The Chertoff Group, said security awareness training should be an organization’s first line of defense, followed by regular phishing tests to train users on what to look for and turn them into capable sensors for your organization. But awareness still offers only limited effectiveness, and other tools need to be considered for phishing risk mitigation.

“With all this doom-and-gloom, one might wonder if there’s anything that can be done to defend the organization from current phishing attacks—and, unfortunately, the short answer is no, at least not specifically from phishing attacks,” said Alaybeyoglu. “Instead, organizations should focus on defense-in-depth, which the information security community has been promoting for over a decade.”

Joan Goodchild


Joan Goodchild

Joan is a veteran journalist, editor and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.
