Gone Phishing 2023: Here Are the Results!
Phishing is one of the most pertinent cybersecurity dangers for organizations to be concerned about in today’s digital landscape. Threat trends come and go, but phishing is a tried-and-true method that cybercriminals can adjust and adapt to all manner of communication channels and evolving technology.
Fortra’s Gone Phishing Tournament (GPT) is a yearly training event, available for free all around the world. The goal is to provide users with a phishing simulation and measure their responses to gain an understanding of how prepared participants are to prevent attacks via a range of metrics. Below are some of the key findings of the 2023 GPT.
The Importance of Phishing Simulations
The crux of phishing as a threat is that it requires action on the part of the victim in order to take effect. Bad actors can send as many phishing messages as they are capable of, but they rely on their targets falling for their deception. For this reason, training employees to recognize the signs of a scam and prevent phishing attacks can be an organization’s strongest defense.
Employee security awareness training comes in many packages and can cover a wide range of topics, with phishing being one of the most fundamental. While regular and thorough training goes a long way toward protecting an organization, it is also important to measure the efficacy of this training with exercises like phishing simulations.
Phishing simulations enable organizations to gain visibility into how prepared their employees are for phishing threats. This includes specific and detailed metrics such as which employees within the organization are high-risk and which roles inherently pose a risk to the organization.
Gone Phishing Tournament 2023 Results
The results from last year’s GPT highlight the state of anti-phishing measures by creating a window into employee responses to phishing emails. With data from almost 300 participating organizations and over 1.37 million end users across 142 countries, the GPT results provide a broad overview of user behaviors in response to phishing emails, as well as insight into trends by industry and region.
Overall, 10.4% of participants clicked on the malicious link contained within the simulation, and a total of 6.5% of participants went on to submit their password to the deceptive phishing page linked in the email. This means that approximately 62% of all the end users who clicked the phishing link also submitted their passwords. If this simulation had instead been an actual phishing attack, nearly 90,000 passwords would have fallen into the hands of cybercriminals for their nefarious purposes.
This data is broken down in a number of ways in order to provide additional insights, including:
- The participants most likely to click on phishing links are those in education (16.7%), construction (15.8%), and service providers (15%), while the least likely are those in finance (6.3%) and transport (6.8%).
- Users in the education industry also have the highest rate of submitting their passwords to the malicious phishing site (12.2%), followed by service providers (10.8%) and not-for-profit organizations (8.7%).
- The industries with the lowest rates of submitting passwords to the phishing site are agriculture and food (2.5%) and finance (2.8%).
- The education industry also shows the highest share of users who clicked the malicious link and then went on to submit their passwords, at 72.8%, followed by the public sector (72.7%), consumer products (72.2%), and service providers (72.1%). The lowest share is in the agriculture and food industry, at 29.1%.
- Organizations with 1-99 employees demonstrate a higher click rate than larger organizations, possibly due to a lack of resources for security training and tools. However, the share of their clickers who went on to submit a password is the lowest of all organization sizes, at 50%.
- South/Latin America is the region with the lowest rate of users clicking the phishing link (7.8%) and users submitting their password (3.9%). The Asia and Pacific region shows the highest rate of both clickers (14.9%) and password submitters (9.2%).
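Deriving the metrics listed above (click rate, password-submission rate, and the share of clickers who also submitted) per cohort from raw simulation events, as an added example rather than Fortra's or the GPT's own tooling; the cohort names and event records are constructed, and a submission is treated as implying a click so that a lost click event cannot push the submitters-per-clicker share past 100%.

```python
"""Per-cohort phishing-simulation metrics as reported above (click rate, password-submission
rate, share of clickers who also submitted). Added example, not GPT tooling; all records are constructed."""
from collections import defaultdict

def aggregate(recipients, events):
    """recipients: (user_id, cohort) per email sent; events: (user_id, "click"|"submit")."""
    cohort_of = dict(recipients)
    users, clicked, submitted = defaultdict(set), defaultdict(set), defaultdict(set)
    for user, cohort in recipients:
        users[cohort].add(user)
    for user, action in events:
        cohort = cohort_of.get(user)
        if cohort is None:
            continue  # event from someone who was not sent the simulation; ignore
        if action == "submit":
            submitted[cohort].add(user)
            # reaching the credential form proves the link was followed, so a
            # submission also counts as a click even if no click event was logged
            clicked[cohort].add(user)
        elif action == "click":
            clicked[cohort].add(user)
    return {c: rates(len(users[c]), len(clicked[c]), len(submitted[c])) for c in users}

def rates(sent, clicks, submits):
    return {
        "click_rate": clicks / sent,
        "submit_rate": submits / sent,
        # share of clickers who went on to submit; undefined when nobody clicked
        "submit_given_click": submits / clicks if clicks else None,
    }

def riskiest(results, metric="click_rate"):
    """Cohorts ordered from highest to lowest on the chosen metric (None sorts last)."""
    return sorted(results, key=lambda c: results[c][metric] or 0.0, reverse=True)

# Constructed sample campaign: 20 recipients in each of three cohorts.
RECIPIENTS = [(f"{tag}{i}", name) for tag, name in
              (("edu", "education"), ("fin", "finance"), ("agr", "agriculture"))
              for i in range(20)]
EVENTS = ([(f"edu{i}", "click") for i in range(7)]
          + [(f"edu{i}", "submit") for i in range(5)]
          + [("edu7", "submit"),   # submitted, but the click event was lost
             ("edu0", "click"),    # duplicate click, counted once
             ("fin0", "click"), ("fin1", "click"), ("fin0", "submit"),
             ("guest", "click")])  # not a recipient, ignored

if __name__ == "__main__":
    results = aggregate(RECIPIENTS, EVENTS)
    for cohort in riskiest(results):
        print(cohort, results[cohort])
```

Running it ranks education first with a 40% click rate, 30% submission rate and 75% of clickers submitting; a cohort with no clicks reports `None` for the ratio instead of dividing by zero.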
Strategies for Effective Phishing Training
Organizations hoping to build an effective defense against phishing should prioritize training their employees in how to recognize, identify, and respond to phishing attempts. This is a process that begins with knowing the dangers of phishing and the biggest risk factors relevant to the particular organization. It is also necessary to have an understanding of the baseline abilities of employees to gauge their improvement through training and simulations.
There are many different types, goals, and methods of phishing that organizations must protect against, and it is important to learn about the ways that phishing can endanger a company and its assets. By utilizing a security awareness training program that highlights common threats and risky user behaviors, organizations can ensure that their employees are equipped to avoid falling victim to a phishing scam.
Phishing tactics are always getting more advanced as bad actors take advantage of emerging technology like artificial intelligence (AI) to make their attacks more sophisticated and effective. Organizations should implement training that teaches users about the dynamic and versatile nature of phishing and the different ways that cybercriminals can leverage phishing tactics for their own gain.
Conclusion
The GPT is one of the largest phishing simulation tests in the world, providing valuable insight into the state of phishing preparedness across many industries and countries. The methodology is designed to be a controlled environment to avoid external factors impacting user response in an effort to keep the data precise and reliable. This data can help many organizations to understand their security posture better and improve their anti-phishing training and other measures.
To learn more about the Gone Phishing Tournament, including its methodology and thorough results, download the full 2023 GPT report here.