17% of over 4,500 employees clicked on phishing links during two-week exercise

(Photo credit: Channel News Asia)

Source: Channel News Asia

About 17 per cent of over 4,500 employees clicked on phishing links in emails sent to them during a two-week exercise that was part of Exercise SG Ready, a nationwide Total Defence campaign.

Jointly led by Nexus, the Ministry of Defence (MINDEF) and the Singapore Business Federation (SBF), the exercise involved about 200 businesses, of which over 80 per cent were small- and medium-sized enterprises (SMEs).

Nexus is an agency under MINDEF that is responsible for Total Defence and national education.

From Feb 15 to Feb 28, phishing emails of various nature, including account and security alerts and internal communications, were sent to more than 4,500 employees across five business sectors: Retail, industrial, consulting and services, environmental-related, and healthcare and medical.

"The exercise tracked recipient responses such as the number who opened the phishing emails, the number who clicked through the phishing links and the number of phishing emails reported," Nexus and SBF said in a joint statement on Monday (Mar 17).

An example of the phising email template. (Image: Nexus, MINDEF, SBF)

KEY FINDINGS

The findings from the exercise emphasise the need for organisations to review their cybersecurity response plans and readiness plans, as well as to identify and mitigate inherent risks, Nexus and SBF said.

The report found that over 30 per cent of the phishing emails were opened.

About 17 per cent of the recipients clicked on the phishing link. This was about 8 percentage points higher than the average global phishing rate, according to cybersecurity company Proofpoint’s 2024 State of the Phish Report.

This suggests that "a significant number of employees may be susceptible to real-world phishing attacks", NEXUS and SBF said.

About 5 per cent of employees reported the phishing emails, as compared with the global industry reporting rate of 18 per cent. This underscored the need for enhanced security awareness and reporting protocols, said Nexus and SBF.

Large companies and SMEs are equally susceptible to phishing attacks, given that the click rates for both were closely tied.

"Among the different types of phishing emails sent, those on internal communications garnered the highest click rate, suggesting that employees generally were less guarded about the authenticity of emails claiming to originate from within the organisation," added Nexus and SBF.

MORE CYBERSECURITY AWARENESS

Mr Kok Ping Soon, the chief executive of SBF, said:

"Cybersecurity is a major concern for businesses due to the increasing frequency and sophistication of cyberattacks, which can result in financial losses, reputation damage and legal liabilities."

The exercise findings indicate that more can be done to increase the security awareness of employees, particularly those working in SMEs, he added.

"We urge all businesses to prioritise security training, practise cyber hygiene and encourage a culture of vigilance among employees," he said.

Senior Lieutenant Colonel Psalm Lew, director of community engagement at Nexus, said: "We are encouraged by the strong participation by businesses in this first run of the coordinated phishing exercise. 

"The results underscore the importance of agencies, businesses, and communities coming together to work on a whole-of-society response to security threats through Total Defence."

Nexus, MINDEF and SBF said that they will continue to work with local businesses and increase their readiness for disruptions.

These efforts will include offering ongoing training and conducting follow-up exercises to reinforce best practices.

"SBF is working with public and private sector partners to introduce a comprehensive suite of cybersecurity initiatives to help businesses put in place good cybersecurity practices and measures that are commensurate with their cybersecurity risk profile," it said.

Aligned with the requirements of the Cyber Essentials Framework, these include programmes to help businesses understand what they need to do to mitigate the impact of a breach and actionable suggestions on how to address identified security vulnerabilities.