A report from security company Terranova highlights why phishing is such a common technique: it still fools a large percentage of targeted victims.
Almost one in eight North American employees would follow the instructions in a phishing email to the point where they'd download a malicious document from a spoofed website, according to the company's Security Phishing Benchmark Global Report. That would render them vulnerable to infection by malware, including ransomware.
The report found that 19.2% of North American employees clicked on an initial link in a phishing email. Over half of those that did went on to download a document from the malicious site, which means that overall, 11.8% of Americans would download a malicious document from a phishing site.
North Americans were more skeptical than most. In the Asia-Pacific region, 16% of people got to the point where they downloaded a malicious document, followed by Africa (15.3%), South America (15.1%), and Europe (14.9%).
On average, one in five users around the world clicked the link in the initial email, while 14.4% ended up downloading the document.
The worst offender by industry sector was education, where 21.9% of people reached the stage where they downloaded a malicious document. The IT industry, where you'd expect people to be tech-savvy, was the second worst performer.
Healthcare and retail are the most diligent about phishing, with fewer than one user in 20 taking the bait. This could be because healthcare is so heavily regulated and retail has seen significant numbers of attacks.
The results came from the Global Phishing Tournament, an annual event that sent almost a million simulated phishing emails to test employee readiness during two weeks in October (Cyber Security Awareness Month).
The phishing emails, sent in 20 different languages, used templates from Microsoft that sent victims to a fake SharePoint page. The message included instructions on how to download the malicious file.
Phishing attackers continue to innovate so that their malicious emails bypass technical protections to reach users. Last month, researchers found them tampering with CSS to hide their phishing content from scanners.
Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing.
Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.