According to the latest Phishing Benchmark Global Report, based on results from the 2023 Gone Phishing Tournament (GPT) hosted by Fortra's Terranova Security, findings revealed that one in ten people are susceptible to phishing scams, clicking on dubious email links and potentially exposing confidential and sensitive information to cyber criminals.
The GPT is an annual virtual event that, with the help of Microsoft's phishing intel, measures and evaluates how employees respond to simulated phishing attacks, still among the most common (and most potentially harmful) cyber threats out there. The 2023 results emphasize how crucial implementing an engaging, informative security awareness training program is for security leaders. Ideally, components like phishing simulations and interactive, gamified learning modules work together to build an organizational culture where security is always a top priority.
The 2023 GPT demonstrated a stark reality: 60% of participants who clicked on the simulated phishing email compromised their business account passwords on the subsequent landing page. In a real-world scenario, this could have resulted in nearly 90,000 corporate passwords falling into the hands of hackers, paving the way for Account Takeovers (ATO), Business Email Compromise (BEC), and other nefarious activities.
"Amplify this reality by tens of millions of targeted end users, and there are still lots of opportunities for organizations of all sizes to better inform employees and third-party vendors," said Theo Zafirakos, CISO at Terranova Security. "With new AI-based tools at their disposal, bad actors can set up sophisticated attacks where browsers or security providers may not detect, and in turn inform, end users of potential risks. Because of this, accurately detecting and reporting phishing email messages is more of a human responsibility than ever before."
Key findings of the 2023 report include:
- 10.4% click-through rate on phishing simulation emails, marking a 3.4 percentage point increase from the previous year. (Note: the 2022 simulation template used a different context but targeted the same behaviors with its tactics.)
- 6.5% of recipients submitted their passwords in the form embedded in the malicious webpage, a 3.5 percentage point rise from 2022, with 60% of clickers eventually compromising their passwords.
- For click rates by industry, the Finance sector posted the lowest click rate (6.2%) across all industries for the second year. The Transport sector (6.8%) came in second, followed by the Manufacturing sector at 7.7%. Conversely, the Education sector saw both the highest click and password submission rates, totaling 16.8% and 12.2%, respectively.
- Geographical trends showed South/Latin America with the best performance (7.8% click rate, 3.9% password submission) and the Asia and Pacific region the worst (14.9% click rate, 9.2% password submission). Europe scored a click rate of 9% and a password submission rate of 5.6%, while North America finished with totals of 10% and 6.5%, respectively.
- Organizations with fewer than 100 employees posted the highest click rate (12.9%), despite being the size segment with the lowest click rate in 2022. Organizations with an employee count between 100 and 499 had the highest overall password submission rate (7.3%).
The GPT results webinar will take place on March 26 (EN) and March 27 (FR). Webinar speakers will include Zafirakos, as well as representatives from Fortra, Microsoft, and the National Cybersecurity Alliance.
"To truly secure confidential data, cyber security awareness and phishing training need to extend beyond minimum compliance, becoming a core part of an organization's culture from leadership to all team members," emphasized Zafirakos. "Real-world phishing simulations are critical, as they provide a safe, hands-on environment for learning and effectively mitigating risks through behavior change."
About the 2023 Gone Phishing Tournament (GPT)
The latest GPT took place between October 9 and 27, 2023, to coincide with Cybersecurity Awareness Month. With nearly 300 participating organizations and over 1.37 million phishing emails sent to participating end users worldwide, it continues to be one of the biggest phishing simulations of its kind. Increased participation year-over-year highlights how many organizations are moving to address the rapidly evolving nature of phishing threats.
As in previous years, Terranova Security worked with Microsoft to create the GPT phishing simulation email and webpage templates. The simulation emulated a common cyber tactic: a fake password expiration notification aimed at extracting user information.
The scenario measured several user behaviors, such as clicking on a link in the body of a phishing email and entering credentials (in this case, a business account password) into a phishing webpage form. Participants who submitted their password during the simulation were directed to a feedback page that provided just-in-time training.
The email and webpage spoofed the look of emails end users can receive related to account security. However, there was an important twist: the phishing simulation email prompted recipients to keep the same email associated with their account instead of resetting it, contradicting cyber security best practices.
Download the latest Phishing Benchmark Global Report to get all the results and facts from the latest edition of the GPT.