There has been a sharp increase in cybercrime in recent years. Phishing is one of the most common forms of this and is often the beginning of other cyber attacks. SMEs are a vulnerable group and are often victims of cybercrime. Over a quarter of SME employees have received a phishing email at work in the past year.

SMEs do not always have the sense of urgency, or the knowledge and skills, needed to be resilient against cybercrime. SMEs are also often part of larger supply chains, so one vulnerable company can affect an entire chain of companies.
At the request of the Digital Trust Center (DTC) and the North Holland Regional Platform for Crime Control (RPC NH), the SME Phishing Test was set up to gain insight into the vulnerability of SMEs to phishing and to see how the cyber resilience of SMEs can be increased. A large-scale field experiment was used to investigate whether a phishing test is an effective method to increase the cyber resilience of SMEs and how long this possible effect lasts.
A total of 33,016 employees working at 667 companies participated in the experiment. From May through October 2021, they each received two different (imitation) phishing emails. The (imitation) phishing email contained characteristics of a "real" phishing email, encouraging the employee to click on the link in the email.
Once employees clicked on the link in the phishing email, they landed on a page explaining the features by which they could have recognized the email as phishing. Of course, clicking on the link in this study had no consequences. Questionnaires were used to collect characteristics of the participating companies and employees, in order to investigate whether these characteristics were associated with clicking on the phishing email.
The research report prepared by the Behavioural Insights Team of the Ministry of Economic Affairs and Climate contains the following conclusions:
SMEs are vulnerable to phishing. More than 1 in 5 employees (22%) click on a link in a generic phishing email. In addition, employees who indicated that they had not received any phishing emails in the past 12 months were on average more likely to click on the link than those who had received one or more phishing emails.
There is evidence of a short-term effect of a phishing test, but not a medium- or long-term effect. A regression analysis showed that employees who had received a phishing email about a month earlier were significantly less likely to click on a second phishing email than those who had not previously received a phishing email. There was no significant effect of a phishing test in the medium term (about 2.5 months) and long term (about 3.5 months).
Risk-seeking employees benefit the most from a phishing test. Risk preference was also found to have a positive correlation with one of the significant predictors of clicking on a phishing email. Thus, employees who report being more risk-seeking seem to benefit more from the short-term experience of a phishing test than employees who are more risk-averse.
The SME Phishing Test was able to contribute to the sense of urgency by feeding the results back to each company in a company report, along with tips on how to make the company more resilient to phishing attacks. In addition, through their participation, employees gained knowledge, experience and feedback on recognizing phishing emails.
With these results in mind, the DTC is going to launch an awareness campaign around phishing. This campaign encourages business owners to find out if they can recognize, prevent and combat phishing. They will be given tools and information to choose secure email settings and take other necessary steps.
