52% of employees admit to falling victim to email cyber attacks, research finds

52% of employees have admitted to falling victim to a Business Email Compromise (BEC) attack, according to Tessian’s 2022 Psychology of Human Error report.

Email security provider Tessian teamed up with academics from Stanford University to observe the cyber security impacts of hybrid working, 18 months on from their previous report in 2020.

Their research found that BEC attacks have become increasingly successful, with more than half of employees (52%) falling victim to a spear-phishing email where a cybercriminal impersonated a senior executive, up from 41% in 2020. Conversely, the percentage of employees who fell victim to a phishing attack whereby a cybercriminal impersonated a well-known brand dropped.

Jeff Hancock, Professor of Communication at Stanford University, who contributed to the report, explained: “Attacks are becoming more sophisticated because there is so much information about ourselves online now. The attacker knows more about their target than the target knows about the attacker and they’ll use that asymmetry to craft more targeted attacks and make their targets like them and trust them more.

“Attackers will also leverage the core principles of influence such as social proof, and a strong version of social proof is one that invokes authority. As humans, we are deferential to authority so if our default is to ‘do what the boss says’, and a cybercriminal impersonates a senior executive at the company, it increases the probability that the attack will work.”

It was also reported that just over one in four employees, 26%, had fallen for a phishing scam at work in the last 12 months, rising slightly from 25% in July 2020. Interestingly, younger employees were found to be five times more likely to click on phishing emails at work than older employees, with 39% of 18-24-year-olds admitting to falling victim.

People were also susceptible to phishing attacks over SMS (smishing), with one-third of respondents being duped by a smishing request in the last 12 months, compared to 26% of those who fell for phishing scams over email. Older employees were more susceptible to smishing attacks; one-third of respondents aged over 55 complied with requests in smishing scams versus 24% of 18-to 24-year-olds.

Josh Yavor, Chief Information Security Officer at Tessian, said: “As the threat landscape continues to evolve, and employees are targeted by more sophisticated and convincing email and smishing attacks, security leaders need to create a culture that builds trust and confidence among employees and improves security behaviours, by providing people with the support and information they need to make safe decisions at work.”