Phishing Simulation Exercises Valuable: Official Study

by Patrick Kennedy | Dec 24, 2015

The Office for Civil Rights recently issued its first financial penalty to an organization that experienced a data breach after its staff responded to a phishing campaign.

The case led to The University of Washington Medicine agreeing to a $750,000 fine to settle possible HIPAA violations. UWM had already had to cover large data breach resolution costs after experiencing a 90,000-record breach. The fine and data breach costs could have been avoided if staff members had been trained to identify phishing emails.

Cybercriminals are now focusing on the healthcare industry, and phishing is the most commonly used way to gain access to patient data. Even when multi-million-dollar security defenses are deployed to keep networks secure, a single response to a phishing email can be all that is needed to compromise hundreds of thousands of medical records. In the case of Anthem Inc., a sophisticated phishing campaign led to the theft of 78.8 million subscriber records. Premera BlueCross also reportedly suffered its 11-million-record data breach because employees responded to phishing emails, and in 2014 the 4.5-million-record Community Health Systems data breach was likewise caused by members of staff responding to phishing emails.

Phishme, a supplier of human-phishing defense solutions, recently released the results of an anti-phishing study carried out across 400 companies globally. The company has now sent over 8 million phishing emails as part of its phishing simulation exercises. Overall, 3.5 million enterprise employees from 23 countries around the world have had their phishing identification skills put to the test using the company’s phishing simulation exercises.

The 2015 Enterprise Phishing Susceptibility Report points to the benefit of conducting phishing simulation exercises with staff members. When it comes to phishing email identification, it would appear that practice leads to success. Employees can sharpen their scam email identification skills with training, which lessens the probability of them responding to a real phishing email.

Cyberattacks are carried out using a range of techniques, but the most common attack vector is phishing. The method is also hugely successful. Research shows that approximately 20% of phishing emails lead to a user falling for the scam.

Phishing campaigns crafted to look like office correspondence are more likely to be opened and acted on. According to the report, office-communication phishing emails had a 22% click-through rate.

Phishme data show that a staff member who responds to one phishing campaign is likely to fall for a subsequent campaign: 67% of individuals who answered a phishing email were repeat offenders. If individuals are not aware of the telltale signs that an email or website is malicious, they will keep making the same mistakes.

However, after participating in phishing simulation exercises, the chances of them falling for a phishing campaign fall rapidly. In fact, after four phishing simulation emails, their likelihood of responding a fifth time falls by 97.14% on average.
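The metrics the report relies on (click-through rate per campaign theme, the share of responders who click again in a later round, and the decline in response across successive rounds) can be computed directly from a simulation program's own results. The following Python is an added example written for this article, not Phishme's code or data; the result records, template names and employee IDs are constructed.

```python
from collections import defaultdict

# Constructed sample results (employee_id, round, template, clicked); these are
# made-up values for illustration, not data from the Phishme report.
SIMULATION_RESULTS = [
    ("e1", 1, "office-communication", True),
    ("e1", 2, "office-communication", True),
    ("e1", 3, "finance", False),
    ("e2", 1, "office-communication", True),
    ("e2", 2, "finance", False),
    ("e2", 3, "finance", False),
    ("e3", 1, "finance", False),
    ("e3", 2, "office-communication", True),
    ("e3", 3, "finance", True),
    ("e4", 1, "finance", False),
    ("e4", 2, "office-communication", False),
    ("e4", 3, "finance", False),
]

def click_rate_by_template(results):
    """Fraction of deliveries of each template that resulted in a click."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for _, _, template, was_clicked in results:
        sent[template] += 1
        clicked[template] += int(was_clicked)
    return {t: clicked[t] / sent[t] for t in sent}

def repeat_responder_rate(results):
    """Share of employees who clicked at least once that clicked in more than one round."""
    rounds_clicked = defaultdict(set)
    for emp, rnd, _, was_clicked in results:
        if was_clicked:
            rounds_clicked[emp].add(rnd)
    if not rounds_clicked:
        return 0.0
    repeaters = [emp for emp, rounds in rounds_clicked.items() if len(rounds) > 1]
    return len(repeaters) / len(rounds_clicked)

def click_rate_by_round(results):
    """Overall click rate per simulation round, to track the decline across exercises."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for _, rnd, _, was_clicked in results:
        sent[rnd] += 1
        clicked[rnd] += int(was_clicked)
    return {r: clicked[r] / sent[r] for r in sorted(sent)}

if __name__ == "__main__":
    print(click_rate_by_template(SIMULATION_RESULTS))
    print(repeat_responder_rate(SIMULATION_RESULTS))
    print(click_rate_by_round(SIMULATION_RESULTS))
```

Tracking the per-round rate over time is what shows whether the training effect the report describes is materialising in your own organization.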


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile.
