Cybercriminals are turning to social engineering in increasingly sophisticated attacks

Over half of employees have admitted to falling victim to a Business Email Compromise (BEC) attack, according to Tessian’s 2022 Psychology of Human Error report.

Tessian teamed up with academics from Stanford University to observe the cyber security impacts of hybrid working, 18 months on from its previous report.

The research found that BEC attacks have become increasingly successful, with more than half of employees (52 per cent) falling victim to a spear phishing email where a cybercriminal impersonated a senior executive, up from 41 per cent in 2020.

Conversely, the percentage of employees who fell victim to a phishing attack - whereby a cybercriminal impersonated a well-known brand - dropped.

“Attacks are becoming more sophisticated because there is so much information about ourselves online now,” said Jeff Hancock, Harry and Norman Chandler Professor of Communication at Stanford University. 

“The attacker knows more about their target than the target knows about the attacker and they’ll use that asymmetry to craft more targeted attacks and make their targets like them and trust them more.

“Attackers will also leverage the core principles of influence such as social proof, and a strong version of social proof is one that invokes authority,” he continued.

“As humans, we are deferential to authority so if our default is to ‘do what the boss says’, and a cybercriminal impersonates a senior executive at the company, it increases the probability that the attack will work.”

Younger staff more susceptible

Just over a quarter of employees had fallen for a phishing scam at work in the last 12 months, rising slightly. Interestingly, younger employees were found to be five times more likely to click on phishing emails at work than older employees, with 39 per cent of 18-24-year-olds admitting to falling victim.

People were also susceptible to phishing attacks over SMS (smishing), with one-third of respondents being duped by a smishing request in the last 12 months, compared to 26 per cent of those who fell for phishing scams over email.

Older employees were more susceptible to smishing attacks; one-third of respondents aged over 55 complied with requests in a smishing scam, versus 24 per cent of 18-to-24-year-olds.

Josh Yavor, chief information security officer at Tessian, said: “As the threat landscape continues to evolve, and employees are targeted by more sophisticated and convincing email and smishing attacks, security leaders need to create a culture that builds trust and confidence among employees and improves security behaviours, by providing people with the support and information they need to make safe decisions at work.”