Report: IT staff fail phishing tests more often than non-technical workers

Abstract image showing an envelope floating above digital blocks to symbolise phishing emails
(Image credit: Getty Images)

A new report of more than 80,000 professionals in different business sectors has revealed technical staff are just as, if not more likely, to fail an internal phishing exercise at work.

After issuing pseudo phishing emails to employees in businesses in the finance, retail, and manufacturing sectors, F-Secure revealed how the most technically competent workers were in some cases even among the worst respondents to phishing emails in terms of opening the email, failing to report the email as a phish, and clicking through on links within the email body.


The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management


Analysis of the results from respondents in two business sectors, finance and retail, showed DevOps teams were consistently among the worst-scoring workers in a company. DevOps workers were the second-most susceptible group to open phishing emails in the finance industry (26% open rate) and the third-most susceptible (30% open rate) in the retail sector too.

Dedicated IT workers also fared poorly in comparison to their colleagues in terms of open rate too. In finance, IT workers were the fourth-most susceptible with an open rate of 24%, narrowly less than DevOps, and were also in the bottom 50 percentile in retail, with an open rate of 21%.

"The privileged access that technical personnel have to an organisation’s infrastructure can lead to them being actively targeted by adversaries, so advanced or even average susceptibility to phishing is a concern,” said Matthew Connor, service delivery manager at F-Secure.

"Post-study surveys found that these personnel were more aware of previous phishing attempts than others, so we know this is a real threat. The fact that they click as often or more often than others, even with their level of awareness, highlights a significant challenge in the fight against phishing.”

Sample phishing email seemingly from the CFO

(Image credit: F-Secure)

When it came to reporting suspicious emails, IT workers were just third-best out of nine departments in the finance industry with DevOps among the worst at sixth. These figures did not translate to retail, though, as IT staff scored as low as third-worst in the entire organisation with 14 departments, including DevOps, showing a higher reporting rate of suspicious emails.

F-Secure noted that there was a distinct difference in the companies whose email providers offered a simple, easy-to-find 'report phish' button within the email client. those with access to such a button consistently scored better in reporting suspicious emails, suggesting organisations need to make the reporting process easier for employees.

"It’s all about making the reporting process as quick and easy as possible," said Chris Maley, head of delivery at F-Secure Phishd. "The quicker and easier it is for an end user to report a suspicious email, the more likely they are to actually do it."

Sample phishing email seemingly from the HR department

(Image credit: F-Secure)

The researchers used three random phishing email templates: one purporting to be from the company CFO, one from a fake file-sharing service, and a fake email from the human resources department. These were distributed randomly throughout the participants and there was no discernable difference in success or failure depending on the type of email received.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.