Are you worried about phishing or other social engineering attacks in your organization? You should consider some white hat phishing tests internally to gauge how your team would be impacted by a phishing attack. Measuring the phishing click rate, otherwise known as the response rate, is important to understanding how dangerous phishing is to your business.
Measuring your phishing click rate is just the first step. The next step is decreasing that rate. Ultimately, your goal is to get this number down to 0% — which will never happen. Published figures vary, but reports put the share of users who act on a phishing email somewhere between 10% and 30%.
Considering it only takes one user to cost your company millions in lost data, lawsuits and stolen intellectual property, it’s worthwhile to try to get this number as close to zero as possible. Here are 3 quick tips to decrease your organization’s phishing click rate.
1. Run Phishing Penetration Tests and Educate
Run your own penetration test, focused specifically on measuring your current phishing click rate. When a user takes the bait, tell them so right on the landing page: show a screenshot of your email with clearly marked arrows and circles pointing at the indicators that should have revealed it as a phishing attempt. Also include a survey box asking why they clicked. If they don't answer, follow up in person or via email.
In our article on social engineering attacks, Drew Parrish, a Help Desk Specialist at Wabash College offered some ideas, “Send out blatantly obvious phishing emails with ridiculous email addresses and links to click.” According to Drew, after a year of testing, phishing click rates dropped nearly 100% on the harmful links.
By making these tests obvious, you exaggerate the indicators users should be looking for. On subsequent tests, you should be making these more difficult to identify for the user.
An important step is also to educate the user beyond just the landing page. For people who click on the phishing test, send them more phishing tests than other users. Offer them lunch and learn opportunities — yes, that means you buy the pizza!
2. Make Education Mandatory For New Hires
By educating new employees on the importance of avoiding phishing scams, you show the importance of this subject. What exactly should you be teaching them?
- Stay Alert After Hours
Many attacks arrive after hours, so remind them to stay vigilant when handling work email from home. Their home network is (hopefully) less well defended than the network at your business, so a click there is more likely to do damage.
- Show Them the Stats
Show them some real-life examples of social engineering tactics. Again, refer to our guide to 23 forms of social engineering attacks, or find recent news stories on the topic.
- Show Them the Money!
Many users don't understand the financial impact of a data breach, and plenty of industry reports quantify it. Here's a baseline from the Ponemon Institute: the average per-record cost of a data breach is $170, and thousands of records are lost in most attacks.
Context is just as important as examples. By making the user aware of the types of the tactics and the potential cost to the business, you’re sure to get their attention and keep that phishing click rate low!
3. Release the Results
After your penetration test, tell your company the results and compare them to previous tests. Explain the expected impact of a real click. Set a goal for next time, and if the company reaches it, reward them with something. Maybe it's as simple as a catered lunch. Get management to buy in and offer a half day off when the company as a whole hits the goal.
If they balk, remind them of the cost of a phishing attack and compare that to the productivity lost on a Friday afternoon. You can also set the goal high to appease them: for instance, the reward only pays out if less than 1% of users take the bait.
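As an added example (not code from the original article), the Python below turns a phishing-test event log into the numbers sections 1 and 3 call for: the click rate per campaign (unique clickers over unique recipients, so one user clicking twice counts once), the change from the previous test, whether the goal threshold was met, and the repeat clickers who should be getting extra tests and the lunch-and-learn invitation. The event log format (campaign, user, event) and the sample rows are constructed for illustration and are not tied to any particular phishing-simulation tool.

```python
"""Compute phishing click rates across simulated campaigns.

Constructed sample data; the event log format (campaign, user, event) is an
assumption for this example, not the export format of any specific tool.
"""
from collections import defaultdict

# Constructed sample event log, one row per (campaign, user, event).
# "sent" = the test email was delivered; "clicked" = the user hit the landing page.
SAMPLE_EVENTS = """\
2023-Q1,alice,sent
2023-Q1,alice,clicked
2023-Q1,bob,sent
2023-Q1,carol,sent
2023-Q1,carol,clicked
2023-Q1,carol,clicked
2023-Q1,dave,sent
2023-Q2,alice,sent
2023-Q2,alice,clicked
2023-Q2,bob,sent
2023-Q2,carol,sent
2023-Q2,dave,sent
2023-Q2,erin,sent
"""


def parse_events(text):
    """Return {campaign: {"sent": set(users), "clicked": set(users)}}.

    Sets dedupe repeated clicks by one user (carol clicks twice in Q1 but
    counts once), so the rate measures users who fell for it, not raw clicks.
    """
    campaigns = defaultdict(lambda: {"sent": set(), "clicked": set()})
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        campaign, user, event = (f.strip() for f in line.split(","))
        if event not in ("sent", "clicked"):
            raise ValueError(f"unknown event {event!r} in row {line!r}")
        campaigns[campaign][event].add(user)
    # A click from someone who was never sent the test is a data problem,
    # not a result; surface it instead of silently inflating the rate.
    for name, c in campaigns.items():
        stray = c["clicked"] - c["sent"]
        if stray:
            raise ValueError(f"{name}: clicks from users never sent the test: {sorted(stray)}")
    return dict(campaigns)


def click_rate(campaign):
    """Unique clickers divided by unique recipients, as a fraction 0.0..1.0."""
    sent = campaign["sent"]
    if not sent:
        return 0.0
    return len(campaign["clicked"]) / len(sent)


def repeat_clickers(campaigns, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` campaigns: the people the
    article says should receive more tests and the lunch-and-learn invite."""
    counts = defaultdict(int)
    for c in campaigns.values():
        for user in c["clicked"]:
            counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= min_campaigns)


def summarize(campaigns, goal=0.01):
    """Per-campaign rate, change versus the previous campaign, and whether the
    rate beat the goal (default 1%, the 'hard to obtain' target in section 3)."""
    rows = []
    prev = None
    for name in sorted(campaigns):
        rate = click_rate(campaigns[name])
        delta = None if prev is None else rate - prev
        rows.append({"campaign": name, "rate": rate, "delta": delta, "goal_met": rate < goal})
        prev = rate
    return rows


if __name__ == "__main__":
    data = parse_events(SAMPLE_EVENTS)
    for row in summarize(data):
        change = "" if row["delta"] is None else f" ({row['delta']:+.1%} vs previous)"
        print(f"{row['campaign']}: {row['rate']:.1%} clicked{change}; goal met: {row['goal_met']}")
    print("repeat clickers:", repeat_clickers(data))
```

On the constructed data the Q1 rate is 50% and the Q2 rate is 20%, a 30-point drop that still misses a 1% goal, and alice is the one repeat clicker. Swapping `SAMPLE_EVENTS` for an export from your own phishing-test tool (mapped to the same three columns) gives you the before/after comparison and the targeted follow-up list without any extra tooling.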
One Final Note on Decreasing Your Phishing Click Rate
These 3 tips are great, but they all require upper management buy-in at some level. If upper management falls for the phishing test, make sure they get the same education as the rest of the users. If you can get upper management to show support for your phishing tests verbally or through an email, you’ll create even more attention.