Tech workers are more likely to fall for phishing emails
Personnel working in IT or DevOps are more likely to click on phishing emails than those in other areas of an organization.
A new study by F-Secure looks at how over 80,000 people from different organizations responded to emails that simulated one of four commonly used phishing tactics.
The results show 22 percent of recipients who received an email simulating a human resources announcement about vacation time clicked on it, making emails that mimic those sent by HR the most frequent source of clicks in the study. An email asking the recipient to help with an invoice (referred to as CEO Fraud in the report) was the second most frequently engaged-with email type, receiving clicks from 16 percent of recipients.
Document Share (notifications from a document hosting service) and Service Issue Notification (messages from an online service) emails received clicks from seven percent and six percent of recipients, making them the least frequently clicked emails in the study.
Perhaps the most interesting finding, though, is that in two organizations studied that had personnel working in IT or DevOps, those staff clicked test emails at rates that were either equal to or higher than other departments in their organizations. In one organization, 26 percent of DevOps and 24 percent of IT staff clicked, compared to 25 percent overall. In the other, 30 percent of DevOps and 21 percent of IT staff clicked, compared to 11 percent overall.
These teams are no better at reporting phishing either. In one organization, IT and DevOps came third and sixth out of nine departments in terms of reporting. In the other organization, DevOps was the twelfth best at reporting out of seventeen departments, while IT was fifteenth.
"The privileged access that technical personnel have to an organization's infrastructure can lead to them being actively targeted by adversaries, so advanced or even average susceptibility to phishing is a concern," says Matthew Connor, F-Secure service delivery manager. "Post-study surveys found that these personnel were more aware of previous phishing attempts than others, so we know this is a real threat. The fact that they click as often or more often than others, even with their level of awareness, highlights a significant challenge in the fight against phishing."
You can get the full report from the F-Secure site.