How good are your employees at spotting phishing emails? There’s a really easy way to find out. Send each one of them a fake phishing email and see how many click. And that’s exactly what Tribune Publishing, publisher of the Chicago Tribune, did recently, and boy did it backfire.
According to The Big Lead, “The media giant has spent the last few years cutting staff at newspapers across the country, leaving workers underpaid and overworked. On Wednesday the company sent out emails to employees suggesting they would be getting raises for all their hard work. It turns out it was a test to see how susceptible they were to a phishing scam. Needless to say, the employees were furious.”
The article goes on to detail the furious responses of some employees to the insensitive phishing test. What the article didn’t mention, however, is how many employees fell for the scam and clicked on a link. It was probably a lot.
The sad thing about this incident is it didn’t have to happen. Tribune didn’t have to test their employees with fake phishing emails to know many of them wouldn’t pass the test. There’s already been plenty of research to confirm that.
Research recently published in the Journal of Cybersecurity concluded that when “a phishing email aligns with a user’s work context, it is much more challenging for users to detect a phish.” In other words, when an overworked and underpaid employee is told they’re going to be rewarded with a raise, they’re going to click on the link. You don’t need to run a test to confirm it.
The research also found that when the phishing email aligns with the worker’s context, clickthrough rates can be shockingly high. For example, emails about safety requirements (49.3%), unpaid invoices (20.5%) and scanned files (19.4%) had the highest click rates. Almost half click on safety-related phishing emails!
Maybe you think it’s unfair to target employees with such an insensitive test, and that makes their employers the “bad guys”. Do you know who else are bad guys? Hackers. And this is the exact type of messaging they’d use to target your employees. Better that it be during a test. Of course, there’s something more effective at stopping phishing attacks than “awareness” tests and it has zero chance of offending employees: cloud-based email security like Phish Protection.
Phish Protection doesn’t care if employees can pass a fake phishing email test because Phish Protection keeps phishing emails out of inboxes. So there’s no need to even run a test with Phish Protection, and therefore little chance of aggravating employees.
Since Phish Protection is cloud-based, it requires no upfront investment, sets up in 10 minutes and works with all major email providers. Best of all, it costs only pennies per employee per month.
If you want to protect your organization from phishing attacks, and you care about your employees, you’ll skip the phishing test and go right to Phish Protection, cloud-based email security for cost-conscious companies. Try it free for 60 days. Your employees will thank you for it.