Advanced spam filters are a wonderful thing. Don’t get me wrong. But they aren’t enough to protect your organization from a phishing attack. If you’ve heard it once, then you’ve heard it a million times: it takes just one employee clicking a malicious link or downloading an infected document to give your IT support a headache or, much worse, cause a data breach.
According to The Radicati Group, a technology market research firm, 112.5 billion business emails are sent every day. There are approximately 1.08 billion corporate email accounts worldwide, meaning that each account is sent an estimated 104 emails each day [1]. According to research by Symantec, 53.2 percent of emails are spam [2]. Based on this, the average business email account is sent 55.3 spam emails every day.
Extrapolating further, an organization with 5,000 employees would receive an estimated 276,500 spam emails each day. Let’s assume this company has an email security gateway or anti-spam filter in place that its manufacturer claims will block 99 percent of spam. Assuming that’s the actual performance (that’s iffy, I know), 2,765 of those 276,500 spam emails will land in user inboxes unimpeded.
If 1.5 percent of spam emails contain malware (as research suggests [2]), that 5,000-employee organization would be exposed to an estimated 41 malicious emails every day. That’s more than 1,200 malicious emails every month that make it past spam filters and email security gateways to deliver ransomware, Trojans, and other malware into user inboxes. And that doesn’t even include phishing attacks that don’t deliver malware (like business email compromise scams).
Thankfully, not every employee (let’s hope!) will fall for a phishing email, but about one in five [5] will. For this hypothetical 5,000-user company, that could translate to more than 240 cases per month where users open malicious links or files. That means there are eight incidents every day in which a user’s machine has a high chance of being compromised.
How can an organization decrease its chances of being the victim of a data breach? First, we need to take a look at which variables can be changed. The volume of email and spam is expected to continue to grow [2], so unfortunately, we can’t make those numbers smaller. No email security tool will block 100 percent of malicious email.
That leaves us with our final defense against email-based threats: the employees. With a robust training program that simulates real-world phishing attacks and delivers high-impact training at the point of failure, employees can be successfully conditioned to recognize and report phishing threats. This can quickly, within a matter of months, drive down the number of users who fall victim to phishing while providing security teams with a better way to detect the attacks that make it past their email security tools.
At PhishLabs, we eat, live, and breathe phishing. We take that real-world experience and apply it to a program that will condition your employees to recognize and report phishing attacks that slip past your spam filter. As a result, you'll have more employees reporting those attacks and fewer employees clicking on malicious links or attachments. Get in touch today to discuss how to minimize your company's vulnerability to spear phishing attacks.
[1] The Radicati Group, Inc. "Email Statistics Report, 2015-2019." (2015)
[6] Christina, V., S. Karpagavalli, and G. Suganya. "A Study on Email Spam Filtering Techniques." International Journal of Computer Applications (IJCA) 12.1 (2010): 7-9. Web.