One in eight Americans would fall victim to a phishing attack

Phishing remains an effective attack mechanism, finds global test

A report from security company Terranova highlights why phishing is such a common technique: it still fools a large percentage of targeted victims.

Almost one in eight North American employees would follow the instructions in a phishing email to the point where they'd download a malicious document from a spoofed website, according to the company's Security Phishing Benchmark Global Report. That would render them vulnerable to infection by malware, including ransomware.

The report found that 19.2% of North American employees clicked on an initial link in a phishing email. Over half of those that did went on to download a document from the malicious site, which means that overall, 11.8% of Americans would download a malicious document from a phishing site.

North Americans were more skeptical than most. In the Asia-Pacific region, 16% of people got to the point where they downloaded a malicious document, followed by Africa (15.3%), South America (15.1%), and Europe (14.9%).

On average, one in five users around the world clicked the link in the initial email, while 14.4% ended up downloading the document.

The worst offender by industry sector was education, where 21.9% of people reached the stage where they downloaded a malicious document. The IT industry, where you'd expect people to be tech-savvy, was the second worst performer.

Healthcare and retail are the most diligent about phishing, with fewer than one user in 20 taking the bait. This could be because healthcare is so heavily regulated and retail has seen significant numbers of attacks.

The results came from the Global Phishing Tournament, an annual event that sent almost a million simulated phishing emails to test employee readiness during two weeks in October (Cyber Security Awareness Month).

The phishing emails, sent in 20 different languages, used templates from Microsoft that sent victims to a fake SharePoint page. The message included instructions on how to download the malicious file.

Phishing attackers continue to innovate so that their malicious emails bypass technical protections to reach users. Last month, researchers found them tampering with CSS to hide their phishing content from scanners.
