Did you know that just 3% of users are responsible for 92% of cyber security breaches? They fall prey to the “Phishermen” - the people carrying out email phishing attacks against your organisation every day.

In this post, we’ll explain what phishing is, provide some examples, and give organisations instructions on how to reduce their risk from phishing attacks. We’ll also delve into the survey by security firm Elevate which identified this statistic.

What is Phishing?

Phishing is a form of social engineering attack where a cybercriminal attempts to trick you into providing sensitive information by posing as a trustworthy entity. It derives from the idea of “fishing for information.”

Email phishing is a type of cyber attack where scammers send fraudulent emails to individuals or organisations with the goal of obtaining sensitive information. Phishing emails often appear to come from well-known brands, financial institutions, or government agencies and may request that you provide login credentials, financial information, or personal details. Phishing emails may also contain malicious links or attachments that can infect your device with malware.

Once the “Phishermen” have this information about you or your company, they usually list it on auction sites on the dark web, where it may be sold over and over again to criminals who keep attacking you and stealing from you. You remain at risk until you change all your passwords and security details, making that information obsolete.

Examples of Email Phishing

Some common email phishing scams include:

  1. Emails that appear to be from a bank or financial institution requesting that you update your login credentials.
  2. Emails that appear to be from a well-known brand or online retailer offering a discount or promotion.
  3. Emails that appear to be from a government agency requesting personal information, demanding a payment.

Phishing emails used to contain deliberate grammatical errors or spelling mistakes. This was a way to filter out more attentive people, who would probably realise the instruction in the email was a scam before the theft of data was complete: these people would ultimately turn out to be a waste of time for the scammer. Nowadays Phishermen are using artificial intelligence to make their attacks fully automated and harder to detect, so they no longer need this filtering. This means obviously dodgy scam emails are becoming a thing of the past, and phishing emails can be remarkably difficult to tell from the real thing.

Cyentia Institute Email Phishing Report

The ‘Size and Shape of Workforce Risk’ report, based on Elevate Security data provided to the Cyentia Institute, covered occurrences from January 2016 to December 2021. It included 15.1 million unique events connected with 168 thousand users dispersed across more than 3.8 thousand organisational departments.

The Email Phishing Report’s main findings

Only 3% of users are responsible for 92% of malware download incidents.

Although 94% of users never encounter malware, others do so on a weekly basis.

Just 3.9% of users are responsible for 80% of email phishing cases, with some of them clicking as frequently as twice a month.

This category includes the 1% of click-happy maniacs who click and cause a cyber security incident more than 52 times each year – that is, more than one a week.

13% of users are responsible for 71% of “secure surfing problems”, in other words clicking dangerous links online.

And here’s the one we find truly mind boggling…

The worst offenders, who are 1% of users, will cause 200 security breach incidents every week!!!

What is a dangerous user, and why are they dangerous for email phishing?

As you can see from the Cyentia Institute report, most incidents are caused by a small minority of users. These Dangerous Users create cyber security incidents frequently.

Just over half of users never receive phishing emails, but some users may just receive a lot more phishing emails than others – hundreds every year rather than just a handful. This does not inherently make them dangerous. Most users (75%) click on phishing emails less than 10% of the time when they are not blocked in the first place.

This makes it clear that the key to reducing your email phishing risk is tackling the mistakes that these users make.

How to Protect Your Organisation Against Email Phishing

We recommend the following measures as the first steps for any business or organisation to reduce the security risk posed by “dangerous individuals”.

Recognise high-risk email users

Begin monitoring to determine which users pose an unusually high risk. Work out who is causing the majority of security events, and why: a person may be an outsized target for attackers, someone who has slipped through the security restrictions, or both. Consider looking at a “click-happy user’s” browsing history as well. Then monitor, help and train your hazardous users, for example by establishing ‘guardrails’ and concentrated controls around them.
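The report’s central point is that incidents concentrate on a few users, and the first step above is to find them. The following is an added example (not code from Flywheel IT Services or the Cyentia report) that does this over a constructed event log; the log layout (ISO date, user id, event type) and the thresholds are assumptions.

```python
# Added example (not from the page or the Cyentia report): find the few users
# behind most phishing incidents in a constructed event log (SAMPLE_EVENTS,
# deliberately concentrated on two users). Field layout and thresholds are assumed.
from collections import Counter
from datetime import date

SAMPLE_EVENTS = """\
2023-01-05,u001,phish_click
2023-01-19,u001,phish_click
2023-02-02,u001,malware_download
2023-02-16,u001,phish_click
2023-03-01,u001,phish_click
2023-01-10,u002,phish_click
2023-02-10,u002,phish_click
2023-03-10,u002,phish_click
2023-02-20,u003,phish_click
2023-03-20,u004,phish_click
"""

def parse_events(text):
    """Return (date, user, event_type) tuples from the CSV-style log."""
    events = []
    for line in text.strip().splitlines():
        day, user, kind = line.split(",")
        events.append((date.fromisoformat(day), user, kind))
    return events

def incidents_per_user(events):
    """Count every logged event as one incident for its user."""
    return Counter(user for _, user, _ in events)

def users_covering(counts, share, total_users):
    """Smallest set of top users responsible for at least `share` of incidents,
    plus the fraction of the whole user population (total_users) they represent."""
    total = sum(counts.values())
    covered, chosen = 0, []
    for user, n in counts.most_common():
        chosen.append(user)
        covered += n
        if covered / total >= share:
            break
    return chosen, len(chosen) / total_users

def frequent_clickers(events, per_month=1.0):
    """Users whose incident rate over the log's span exceeds `per_month` (assumed threshold)."""
    days = (max(e[0] for e in events) - min(e[0] for e in events)).days or 1
    months = days / 30.0
    return sorted(u for u, n in incidents_per_user(events).items()
                  if n / months > per_month)
```

Run against your own simulated-phishing or mail-gateway exports, `users_covering` gives you the report’s “3% cause 92%” style figure for your organisation, and `frequent_clickers` the shortlist to prioritise for guardrails and training.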

Educate your employees on email phishing

Train your employees to recognise phishing emails and what to do if they receive one. Encourage them to double-check the sender’s email address and verify the legitimacy of any requests for sensitive information.

Examine the efficacy of your anti-phishing email controls

Measure how many phishing emails get past your filters. Make sure antivirus software is installed on every device, and ensure that the controls are not only in place but also working effectively for everyone.

Conduct regular security audits

Regularly review your organisation’s security policies and procedures to identify and address any potential vulnerabilities. This can help to prevent phishing attacks and other security breaches.

Use email filtering

Implement email filtering software that can automatically detect and block phishing emails. This can help to prevent phishing emails from reaching your employees’ inboxes.

Implement multi-factor authentication

Require employees to use multi-factor authentication when accessing sensitive information. This can help to prevent unauthorised access in the event that an employee falls for a phishing scam.

Keep software up to date

Ensure that all software, including email clients and web browsers, is up to date with the latest security patches. This can help to close vulnerabilities that phishing attacks could exploit.

Flywheel IT Services can Help Protect your Company from Email Phishing

Staff phishing awareness training

We tailor courses to your organisation and also do simulated phishing tests to make sure your staff have learned!

About Flywheel IT Services

Flywheel IT Services has teams of highly qualified and experienced IT engineers and consultants around the UK. For over 24 years we have partnered with businesses, schools and major construction companies to provide IT services and to guide and support their IT projects, tech strategies and day-to-day operations.
