A recent report by cybersecurity awareness platform Hoxhunt has revealed the top countries with organizations that have performed best against simulated phishing attacks. The study, titled Behavioral Cybersecurity Statistics 2022, is based on analyses of interactions spanning 1.6 million people across 24.7 million simulations in over 100 countries.
The top-performing countries in the study are:
In contrast, the following are the bottom-performing countries:
Users from these countries were subjected to simulated phishing attacks as part of their security awareness training. The reactions to these simulated attacks were observed and classified according to the following:
- “Success” is when the user successfully reports a simulated phishing attack.
- “Failure” is when the user clicks on a simulated malicious link or downloads a simulated malicious attachment.
- “Miss” is when the user neither clicks nor reports a simulated phishing attack.
Ideally, organizations want high success rates and low failure and miss rates, which together indicate high cybersecurity awareness among workers. High success rates and low failure rates reflect users’ ability to spot a fake message in a phishing attack and act accordingly; miss rates reflect how actively users report messages.
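The three outcomes above are exhaustive and mutually exclusive per recipient, so a campaign's success, failure and miss rates should add up to 100% (up to rounding). The following script is an added example, not code from Hoxhunt or from the report: it turns a constructed event log from one simulated campaign into per-user outcomes, computes the three rates, and checks that reported figures are internally consistent. The event names (`report`, `click`, `download`) and the rule that a user who both clicks and reports counts as a failure are assumptions, since the report does not define that case.

```python
from collections import defaultdict

# Constructed sample event log for one simulated phishing campaign (not data from
# the Hoxhunt report). Each event is (user, action): "report" = user reported the
# message, "click" = user followed the simulated link, "download" = user opened
# the simulated attachment. Event names are an assumption for this example.
SAMPLE_EVENTS = [
    ("alice", "report"),
    ("bob", "click"),
    ("carol", "download"),
    ("dave", "click"),
    ("dave", "report"),    # clicked first, then reported
    ("erin", "report"),
]

# Every recipient of the campaign, including those who generated no event at all;
# recipients with no event are the "miss" population.
SAMPLE_RECIPIENTS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace"]

FAILURE_ACTIONS = {"click", "download"}


def classify_user(actions):
    """Map the set of actions one recipient took to the report's three outcomes.

    Assumption (not stated in the report): a user who both clicked and reported
    is counted as a failure, because the exposure has already happened by the
    time the report arrives.
    """
    if actions & FAILURE_ACTIONS:
        return "failure"
    if "report" in actions:
        return "success"
    return "miss"


def outcome_per_user(recipients, events):
    """Collapse the raw event stream into one outcome per recipient."""
    actions = defaultdict(set)
    for user, action in events:
        actions[user].add(action)
    return {user: classify_user(actions.get(user, set())) for user in recipients}


def campaign_rates(recipients, events):
    """Return success/failure/miss rates as percentages of all recipients, to 0.1."""
    outcomes = outcome_per_user(recipients, events)
    total = len(recipients)
    counts = {"success": 0, "failure": 0, "miss": 0}
    for outcome in outcomes.values():
        counts[outcome] += 1
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


def rates_are_consistent(rates, tolerance=0.2):
    """Sanity-check a set of published rates: three exclusive, exhaustive
    categories must sum to 100, allowing up to 0.05 rounding error per figure."""
    return abs(sum(rates.values()) - 100.0) <= tolerance


if __name__ == "__main__":
    print(campaign_rates(SAMPLE_RECIPIENTS, SAMPLE_EVENTS))
    # The US and Canada figures quoted in the article pass the consistency check.
    print(rates_are_consistent({"success": 55.6, "failure": 5.5, "miss": 38.9}))
    print(rates_are_consistent({"success": 61.6, "failure": 4.8, "miss": 33.5}))
```

Keeping the recipient list separate from the event log matters: a miss is the absence of any event, so a pipeline that only sees events will undercount misses and inflate the other two rates.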
Based on the results, European locales appear to have performed the best among the participating countries, displaying high success rates and low failure rates.
The United States was in the middle of the pack with a success rate of 55.6%, a failure rate of 5.5% and a miss rate of 38.9%. The United Kingdom (success 60.8%, failure 5.1% and miss 34.1%) and Canada (success 61.6%, failure 4.8% and miss 33.5%) likewise performed relatively well.
Phishing as a rampant threat
Phishing continues to be among the most common types of cyberattacks that organizations and internet users in general encounter today. Essentially a form of social engineering attack designed to exploit human vulnerability, phishing messages trick users by pretending to be from legitimate sources. The intent is to have targets leak sensitive information or install malware.
In the enterprise setting, fighting phishing attacks is particularly important since falling victim to one can expose companies to significant risks. By getting access to data or networks, hackers can then perform other cyberattacks and fraudulent activities.
According to the FBI’s Internet Crime Report, business email compromise (BEC) and ransomware attacks have been surging. In a BEC scam, a malicious actor may even convince a target to send them money by pretending to be an authority within the same organization. The FBI received almost 20,000 BEC complaints amounting to nearly $2.4 billion in losses in 2021.
Phishing attachments can also contain ransomware. Once installed on a computer, ransomware can lock an organization out of its files by encrypting them. Companies are then forced to pay ransom, typically in cryptocurrencies, in order to regain access to their files. As indicated in the same FBI report, over $49.2 million was lost to ransomware attacks in the US last year.
Geography plays a part
While developed countries like the US continue to be the prime target for cyberattacks, other territories are seeing a spike in attacks too. Phishing is a global phenomenon, so organizations must actively track the phishing trends in their own regions.
Just this year, several banks in South Africa have been targeted by phishing attacks. Bank clients have been receiving emails requesting them to validate their details. Links in these fake emails point to fake sites that are designed to resemble the banks’ official web portals, thereby stealing sensitive information like login credentials.
Surges in phishing attacks have also been noted in African countries such as Kenya and Nigeria. Nearly 11 million attacks in Africa were recorded in Q2 of 2022 alone.
With these trends in mind, organizations can assess their risk by weighing the severity of attack trends in their region against their workers’ current cybersecurity awareness levels. For instance, South Africa has the fourth-highest failure rate in simulated attacks, indicating a need to improve workers’ phishing identification skills. Having workers with poor security skills puts organizations at a greater disadvantage given the heightened phishing activity in the region.
The positive performance of many European countries in attack simulations can also be explained by recent history. It makes logical sense that members of the European Union (EU), in particular, might have heightened sensitivities towards cybersecurity and privacy.
The General Data Protection Regulation (GDPR), which came into effect in 2018, prompted European companies and organizations to invest in cybersecurity measures as part of their compliance with data privacy rules. In the UK alone, the cybersecurity sector has grown by 46 percent since 2017, driven largely by the rollout of the GDPR.
Changing behaviors is key
While some regions may be experiencing a surge in phishing attacks, it is crucial to note that phishing is a global threat. Every organization and user connected to the internet will be exposed to some form of risk regardless of location. Since phishing attacks are designed to exploit human weaknesses, organizations must take a cue from the top-performing countries and start strengthening their workers’ cybersecurity skills.
Organizations with a multinational presence in countries that performed poorly should also look into increasing their cybersecurity investments and efforts. However, ranking high in cybersecurity awareness should not make companies complacent, either. Even the top-performing countries still report misses and failures against simulated attacks, and when it comes to real-world threats, it takes only one failure to expose the entire organization to an actual cyberattack.
Effective cyber awareness training should transcend locations, cultures, and circumstances. Encouraging and fostering the right mindset and behaviors will go a long way in minimizing the risk of cyberattacks.