Report: 33% of Flagged Work E-Mails Are Phishing Attempts

According to a recent report by security firm F-Secure, a third of suspicious e-mails that were flagged by employees ended up containing malicious phishing attempts. 

The analysis draws on e-mails reported in the first half of 2021 by organizations across the globe that use the security firm's Office 365 e-mail reporting plug-in. More than 200,000 e-mails were tabulated for the analysis. The firm found that its automation plug-in determined that 33 percent of those e-mails were malicious or suspicious and employed known phishing techniques.

Phishing attacks try to get an end user to perform a specific act -- whether that's providing private information or installing malicious programs, sometimes hidden as e-mail attachments.

Breaking down the data even further, F-Secure found:

  • 59 percent of e-mails reported by employees were due to suspicious links
  • 54 percent came from suspicious or unknown senders
  • 37 percent were reported as spam
  • 34 percent were suspected of containing social engineering
  • 7 percent contained a suspicious attachment

It's important to note that multiple reasons can be selected by end users when reporting an e-mail. 

As for the most commonly used phrases in phishing attempts, F-Secure's analysis found that "click here" appeared in the highest number of malicious e-mails, with "Login" and "Payment" coming in at No. 2 and No. 3, respectively.

F-Secure points out that when employees have an easy way to flag potentially dangerous e-mails, it helps to keep the entire organization safer. "You often hear that people are security's weak link. That's very cynical and doesn't consider the benefits of using a company's workforce as a first line of defense," said F-Secure Director of Consulting Riaan Naude. "Employees can catch a significant number of threats hitting their inbox if they can follow a painless reporting process that produces tangible results."

Automating the reporting process is just one piece of an enterprise's comprehensive effort to curb the threats posed by phishing attacks. Training employees in what to look for is another piece.

The recent 2021 Phishing By Industry Benchmarking Report by security firm KnowBe4 found that the average success rate -- as in, employees engaging with a phishing attempt -- for all industries sits at 31.4 percent.

However, after 90 days of comprehensive training, which included ways to spot malicious e-mails and internal phishing tests, the success rate dropped to 16.4 percent. Extended to a full year of training, the attack success rate shrank to just 4.8 percent, proving that the best countermeasure technology comes from those on the front line.

"The idea that technology can prevent all cyber-related incidents has never been further from the truth because cybercriminals know the easiest way in is through your humans," reads the report. "Security leaders must understand that there is no such thing as a perfect, fool-proof, impenetrable secure environment."

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
