Open Season: Examining Employee Engagement with Email Attacks
Employee inboxes represent the front door of every organization, making them a highly attractive target for threat actors. The easiest way for cybercriminals to enter that door? By tricking the humans who own the accounts into letting them in.
This is why, rather than focusing on technical vulnerabilities, today’s attackers are employing advanced social engineering techniques and leveraging psychological manipulation to convince employees to share sensitive data and provide login credentials.
Unfortunately, the data reveals that these attempts are often successful: the median employee open rate for attacks is 37%. That alone makes these threats hard to defend against, but the problem is compounded by worryingly low reporting rates. Even when one employee declines to engage with an attack, the message is usually never reported, so the attacker still has a high probability of success with another member of your workforce who receives the same lure.
Employees Report Attacks at a Concerningly Low Rate
If your organization’s measurement of attack volume is based solely on employee reports, there's concerning data to consider: on average, only 3.2% of all known attacks are actually reported to the SOC team.
During the latter half of 2023, the average weekly number of attacks per 1,000 mailboxes was 140. For a mid-market enterprise with 1,500-2,000 mailboxes, that works out to roughly 210-280 attacks per week; with only 3.2% of them reported, 40 or more attacks go unreported to the security team every workday. For larger organizations, that number can be significantly higher.
In addition to alarmingly low attack reporting rates, many of the messages that do reach security teams aren't malicious at all. An average of 62% of messages submitted to phishing mailboxes are either safe emails or graymail. Consequently, almost two-thirds of your security team's triage volume is spent on harmless emails, while the messages that legitimately threaten the enterprise remain in employee inboxes.
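The reporting-gap and engagement figures quoted above are easier to reason about as a small model. The following is an added illustration, not Abnormal's code or data: the rates are the figures quoted on this page, while the mailbox counts and campaign sizes are assumptions, and treating each recipient as an independent trial at those rates is a simplifying assumption of the example. It generalizes the mid-market arithmetic to any mailbox count and answers two questions the text only gestures at: how many recipients an attacker needs before at least one is likely to engage, and how many before at least one is likely to report.

```python
"""Back-of-the-envelope model of email attack exposure and the reporting gap.

Added example, not Abnormal's code. Default rates are the figures quoted on
the page (H2 2023); mailbox counts and campaign sizes passed in are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import ceil, log


@dataclass(frozen=True)
class ExposureModel:
    attacks_per_1k_mailboxes_per_week: float = 140.0  # page figure
    report_rate: float = 0.032           # share of known attacks reported to the SOC
    engagement_rate: float = 0.37        # median open/engagement rate with attacks
    benign_share_of_reports: float = 0.62  # submissions that are safe mail or graymail
    workdays_per_week: int = 5

    def weekly_attacks(self, mailboxes: int) -> float:
        """Expected attacks per week for a tenant of the given size."""
        return self.attacks_per_1k_mailboxes_per_week * mailboxes / 1000.0

    def unreported_attacks_per_workday(self, mailboxes: int) -> float:
        """Attacks per workday that never reach the security team."""
        weekly = self.weekly_attacks(mailboxes)
        return weekly * (1.0 - self.report_rate) / self.workdays_per_week

    def soc_triage_per_workday(self, mailboxes: int) -> tuple[float, float]:
        """Reported messages per workday, split into (true attacks, benign or graymail).

        The 62% figure is a share of *all* submissions, so the total queue is
        reported_attacks / (1 - 0.62), not reported_attacks * 0.62.
        """
        reported_attacks = (
            self.weekly_attacks(mailboxes) * self.report_rate / self.workdays_per_week
        )
        total_reports = reported_attacks / (1.0 - self.benign_share_of_reports)
        return reported_attacks, total_reports - reported_attacks

    # The two helpers below assume each recipient acts independently at the
    # quoted rate; real campaigns are correlated, so treat these as rough bounds.
    def p_at_least_one_engages(self, recipients: int) -> float:
        """Probability that a lure sent to `recipients` people gets at least one engagement."""
        return 1.0 - (1.0 - self.engagement_rate) ** recipients

    def p_at_least_one_reports(self, recipients: int) -> float:
        """Probability that at least one of `recipients` people reports the lure."""
        return 1.0 - (1.0 - self.report_rate) ** recipients


def recipients_for(target_probability: float, per_recipient_rate: float) -> int:
    """Smallest campaign size at which P(at least one event) >= target_probability."""
    if not 0.0 < target_probability < 1.0 or not 0.0 < per_recipient_rate < 1.0:
        raise ValueError("probabilities must be strictly between 0 and 1")
    # Solve 1 - (1 - r)^k >= t  for integer k.
    return ceil(log(1.0 - target_probability) / log(1.0 - per_recipient_rate))


if __name__ == "__main__":
    model = ExposureModel()
    for mailboxes in (1_500, 2_000, 10_000):  # assumed tenant sizes
        attacks, benign = model.soc_triage_per_workday(mailboxes)
        print(
            f"{mailboxes:>6} mailboxes: "
            f"{model.unreported_attacks_per_workday(mailboxes):6.1f} unreported attacks/workday, "
            f"SOC queue {attacks:5.1f} real + {benign:5.1f} benign per workday"
        )
    print(
        "recipients for 90% chance someone engages:",
        recipients_for(0.9, model.engagement_rate),
    )
    print(
        "recipients for 50% chance someone reports:",
        recipients_for(0.5, model.report_rate),
    )
```

Running the script with the page's rates shows why the reporting gap matters: an attacker needs only a handful of recipients before one is likely to engage, but needs a campaign of more than twenty before it becomes likely that even one of them tells the SOC.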
Why Aren’t Employees Reporting Malicious Emails?
There are a variety of reasons why an employee may choose not to report a potential attack:
- Lack of Awareness: The employee might not realize the importance of reporting the email and believe that one unreported email won't make a significant difference.
- Attitude of “No Harm, No Foul”: Some employees may believe that as long as they don’t engage with the attacker, they have fulfilled their obligation to the organization. In short, since they didn't respond to the email, there's no harm done and no need to report it.
- Fear of Being Wrong: An employee may feel that they are not equipped to tell the difference between a safe email and an attack, and rather than submitting a report just in case, they decide not to—either out of fear of embarrassment or because they don’t want to create needless work for the security team.
- Assumption That IT Is Already Aware: The employee may assume that they aren’t the only target of an attack and thus don’t need to report the email because the organization's security systems or other employees have already detected and reported the threat.
- Unfamiliarity with Process or Perception of Inconvenience: An employee might not know how to report the email or feel that reporting is a cumbersome process that involves too many steps or takes up too much time.
Employees need to understand that deleting a malicious email without reporting it still harms the organization, because it eliminates the security team's opportunity to find and remove the same message from other inboxes and to warn other employees about the attack. An employee may immediately recognize an email as a phishing attempt or invoice fraud, but a colleague who received the same message may perceive it as legitimate, putting the organization at considerable risk.
Every new hire should be taught how to report a suspicious email as part of their onboarding. Additionally, cybersecurity awareness training should emphasize that it’s every employee’s responsibility to report any and all potential email threats. When the consequences of a successful attack can be so costly, creating an environment where employees are not only well educated on the risks but also err on the side of “better safe than sorry” can be crucial.
Industries with the Highest Attack Engagement Rate
Note: This data was collected from the email environments of organizations that had implemented Abnormal Inbound Email Security in passive, read-only mode. This means the Abnormal platform was integrated via API with the organization's email environment to observe traffic but was not actively blocking attacks, so the engagement rates below reflect what employees did when the malicious messages actually reached their inboxes.
Though email threats are industry-agnostic and every employee has the potential to inadvertently engage with a malicious email, certain verticals are much more likely to interact with an attacker. For example, we observed a 41.4% engagement rate among both professional services providers and employees at healthcare organizations.
Professional service providers such as lawyers, accountants, and business consultants typically receive a large volume of emails daily, which increases the chance of mistakenly engaging with a malicious message. Their work also often involves time-sensitive matters, meaning emails that appear urgent or important are more likely to be opened without a thorough review. Additionally, despite their expertise in their respective fields, many of these professionals may not be adequately trained in recognizing the tactics of cybercriminals.
Employees at healthcare organizations are also at a greater risk of engaging with attacks. Healthcare professionals often work in high-pressure situations with tight schedules and heavy workloads, which can lead to less scrutiny of emails and an increased likelihood of opening malicious messages. There is also a high rate of turnover in larger healthcare organizations and hospital systems, so employees are less likely to know their colleagues personally, making impersonation easier.
Just behind the professional services and healthcare industries was the finance industry, with an attack engagement rate of 38.1%. Like professional service providers, employees in the finance industry often receive a large volume of email, which makes it easier for attack attempts to slip through the cracks. Finance professionals also routinely handle time-sensitive transactions, which makes them more susceptible to phishing emails that create a sense of urgency, such as urgent wire transfer requests or account lockout notices.
Protect Your Employees from Attacks That Exploit Human Behavior
Modern threat actors know how to “hack the human” and are continually developing new strategies for manipulating employees into giving them the information they need to compromise your enterprise. Thus, the only way an organization can avoid the consequences of a successful attack is by ensuring employees never have the opportunity to engage.
Abnormal’s AI-native, API-based email security solution utilizes behavioral data to understand the behavior, communications, and processes of every employee and vendor across your entire organization. Then, it uses computer vision and natural language processing (NLP) to examine email content and identify anomalous activity, enabling it to detect and block threats—before they reach employee inboxes.
See for yourself how Abnormal AI provides comprehensive email protection against attacks that exploit human behavior. Schedule a demo today.