One in four employees fall into the phishing trap

When we work with a company or organisation to launch a simulated phishing campaign, we prepare very well together with the IT department.

We design an email with content that looks trustworthy, so it’s not easy to recognise that it’s a fake phishing email – unless you know what to look for.

At an agreed upon time, we press the SEND button – and the simulated phishing attack begins, sending out hundreds or thousands of emails to employees in the organisation.

Over the following hours and days, we document how easy or difficult it will be for skilled cybercriminals to lure those employees into clicking dangerous links, opening virus-infected files or even revealing their personal username and password.

The results are disturbing. It turns out that one in four employees fall into the phishing trap.

The report’s findings
Our phishing tool documents that 25% of employees fall into the phishing trap and click on a link they shouldn’t have clicked, while 18% go ahead and enter their confidential passwords on a webpage. These are average figures.

Fortunately, there are also employees who immediately recognise that phishing emails are circulating. Some of them react by immediately contacting the IT department to report that something is wrong. Both the IT department and the Service Desk have a busy day as the simulated phishing campaign unfolds.

Hackers love emails
9 out of 10 hacker attacks start with a phishing email! And one study shows that hackers send out over 156 million phishing emails every day.

Another study shows that every minute, 116,000 kroner is stolen with phishing emails.

So it’s clear that hackers are very fond of emails – and that we should be very careful what we click on.

Source: bl.a. Computerworld

Three tips to spot a phishing email

Check the URL: Does it look right? Hover your mouse over the URL so you can see which URL it points to. Check if it looks right and if necessary, check it by finding the URL in another way. A phishing email will often have an extra letter in the URL or a different domain extension (for example, .net instead of .dk).

Check the sender: Check for errors in the email address and if in doubt, contact the person listed as the sender to see if they have sent you an email. It’s important that you get the person’s real email address, phone number or contact details from elsewhere.

Check content: You may be asked to provide personal or sensitive information – don’t do this.

COMPETITION: Win a phishing campaign
Get ready – in the next newsletter we’re launching a competition where an organisation or company can win a phishing campaign for internal use within the organisation.

A little more fun awareness training
Humour Against Hacking is a simple and easy to understand awareness campaign with many e-learning courses, nudging materials, phishing campaigns, LMS and more.

Everything can be customised to the individual organisation with the ability to get started quickly.

Contact us if you want a demo in our awareness universe.

Contact us
Contact us at for an informal chat – and let us show you our material and tell you why it works 🙂

Best regards,

Kelsa Media ApS |
Tel: +45 2261 0041
CVR: 41453249

Contact ‘Humour against hacking’

Kelsa Media’s Privacy policy

Copyright © 2020 Kelsa Media, All rights reserved.

The above newsletter was published on 27 October 2020

If you would like to sign up for the Kelsa Media newsletter, you can do so here