Ready to Start Your Career?

Data Analysis Surprise: Least Expected Organization Groups Fall Victim to Phishing Attacks

Bora Aytun Keepnet Labs's profile image

By: Bora Aytun Keepnet Labs

May 29, 2018

2017 was a record year for security incidents and data breaches. Phishing has become a huge threat to businesses and consumers worldwide,1 and the number of recorded phishing attacks continues to grow exponentially. It is predicted that by 2020, phishing will be the number one cyber threat to your organization.2The above is common knowledge and is no doubt very well understood by all IT professionals. These statements, however, are generalized, conjuring a sense of impending doom while providing next to no information on the specifics.Today's successful businesses utilize granular tracking and data analysis for all their activities. Cyber threats are no exception. The objective is to discover useful and actionable information that will aid in decision making processes. Then the next step is to predict cyber threat trends and their effects on employee behavior by evaluating, interpreting, and analyzing existing data in meaningful ways.In this context, Keepnet Labs conducted a study analyzing data from over 126,000 examples of sanctioned phishing tests in 2017 from Keepnet Labs customers around the world. Our goal was to understand which types of employees are most susceptible to phishing attacks. As with many other data-driven analyses, the results are spectacularly contradictory to the intuitive expectations, and they are surprising.


Data Sets

  • 128 companies
  • 126K phishing emails sent


Using the Keepnet Labs Phishing Simulator module, each employee who received a phishing email was tracked and placed into 3 groups:
  • Group 1: Employees who opened the malicious emails
  • Group 2: Employees who clicked the links and a malicious attachment in the emails
  • Group 3: Employees who entered and submitted their information to the fake website

Sorting the Employees into "Failure Profiles"

Group 1

Group 2

Some employees fell under more than one group:

Groups 1 and 2

Groups 2 and 3

Groups 1, 2, and 3


The study then looked at the correlation between business departments and failure profiles:


When results are filtered by business departments such as sales, marketing, IT, and R&D, we can see variations in employee behavior.Viewing the data by failure profiles, as well as by business departments, reveals that the proverbial champions of email security are the worst offenders.The likeliest victims were employees in the research and development, management, and legal departments.

22.5% shared information

Research & Development took the top position by leading in both of the most dangerous categories:

17.5% opened attachments

Legal snags the coveted "highest percentage in any group" accolade and stays "competitive" with second place in another group:

51.5% opened the emails

33.3% clicked on links

Other Striking Findings:

  • Marketing department employees were the most cyber-aware.
  • 30% or more of all types of employees opened malicious emails.
  • Excluding the employees in marketing, over 23% of all employees clicked on links in malicious emails.
  • By unsuspectingly giving away highly sensitive information 22% of the time on average, and opening 14% of malware attachments on average, R&D and quality control employees helped attackers circumvent their organizations’ technological defenses once in every five email-borne attacks.

Who should not have appeared in these charts at all?

You may agree that non-technical employees such as upper management often see the IT department as the last line of defense, as it is populated by overly-protective, always-paranoid technicians. The expectation is that they are well aware of the risks and know what to do concerning cyber security. Finding that IT personnel opened 48.4% of malicious emails and that 28.9% of them clicked on a link in those emails is surprising, unnerving, and dismaying to the rest of us ordinary folk, let alone management.


Results from over 126,000 individual emails, evaluated in sanctioned phishing tests in 2017 from Keepnet Labs customers around the world, revealed that 48.2% of phishing messages were opened by employees. Moreover, 31.5% of employees clicked the malicious attachment or link, and 7.9% submitted their credentials to the fake web site.The types of employees who failed to notice threats included key personnel who must understand the nature of the danger to security and how to avoid these threats. They are expected to be more attentive and vigilant concerning cyber security. It is an unpleasant surprise that IT personnel appear in groups that suggest the most destructive breaches in security.Creating cyber security awareness and helping change employee behavior is vital. Skill development exercises, such as those with the Keepnet Labs Phishing Simulator, and tools that invite employee engagement in cyber defenses, such as Keepnet Labs Incident Responder, are essential for establishing and maintaining employee awareness, buy-in, and commitment to preventing cyber attacks.As a Cybrary member, you get up to 500 trial licenses to utilize the resources of Keepnet Labs!Gain access to our most popular modules: Email Threat Simulator, Incident Responder, Phishing Simulator, and Awareness Educator.Discover and prevent your organization's human and technology vulnerabilities.Visit
Schedule Demo