9% of users phished in less than 3 hours. Is phishing all about human behaviour?

Phishing exploit human nature by tricking unsuspected users to click a link and enter some data – usually their username and passwords into something looking innocent  – we all know that. It is all about human nature and not about technology. In one of hour test phishing campaigns, 9% of users – entered theirs credentials in to phishing site – first in less than 3 minutes after campaign started.

Screen Shot 2018-06-25 at 12.55.05

So is phishing all about human? Well, if I would be asked this question, I would say – if your software is not up to date – most likely there is more vulnerabilities to exploit. Phishing, however, is all about human behavior, it is about how easily user can be tricked to do something he/she shouldn’t.

We are running a simulated phishing campaigns for our customers – we send a batteries of prepared e-mails and monitor what users do. All e-mails are harmless they just link to our statistical, monitoring software. As presented on the picture bellow we can see that 9% of users were phished successfully by entering data – their credentials – it should be worrying.

Screen Shot 2018-06-25 at 12.33.35

There is something in those stats which always surprised me. Phished population often use out of date browser (right circle on the chart bellow) in contrast to non phished population (left chart).

Screen Shot 2018-06-25 at 12.39.32

There is a different proportion for different customers but the trend is there

Screen Shot 2018-06-25 at 12.50.30.png

I want to stress that we are not using browser vulnerabilities in our test phishing campaigns – we just send a simulate emails which have scripts monitoring user behavior, checking who click the link and who entered data – data is not going outside actually, we collect stats only.

Why the users who are more susceptible to phishing use out of date software – I am not sure – maybe it has something to do with how much attention they receive from their IT departments.

If you would like to know more about our phishing testing campaign please get in touch.