Cybersecurity for Business
Feb 29, 2024
Churning the Digital Waters: Insights from the 2023 Gone Phishing Tournament
Even as our online worlds become more complex, phishing schemes remain the most common type of cybercrime, according to the FBI.
By now, almost everyone you know has clicked on a bad link or answered a suspicious text at some point in their life, even if they didn't fully fall for the scam by entering their password or downloading ransomware. How can we better understand why phishing is such an effective crime? Why do some people complete the scammer's fake "sales funnel" and hand over their digital crown jewels? How can we help people reject the bait?
The annual Gone Phishing Tournament (GPT) was created by Fortra’s Terranova Security service and Microsoft to answer these questions. Last year's tournament, conducted in October of 2023, set records and revealed some hard truths about phishing in the 2020s.
What is the Gone Phishing Tournament?
GPT is a free annual phishing simulation training event that is designed to help organizations and security leaders better understand their high-risk areas. The event’s findings provide phishing benchmarking data that organizations can use to learn about their vulnerabilities, compare their performance, and set realistic objectives for behavioral change.
GPT focuses on a single, realistic phishing threat. The 2023 simulation targeted employees with a fake password expiration notification—an increasingly common cyber tactic. The phishing email allowed recipients to keep their existing passwords, contrary to cybersecurity best practices, preying on our inclination to avoid the inconvenience of resetting passwords.
If the recipient clicked the password link, they were sent to a landing page that asked for their credentials. If they submitted their credentials, they were notified that they were part of the Gone Phishing Tournament and that they would have been phished had this not been a simulation.
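As an added defender-side example (not code from the tournament or from Fortra), a small Python heuristic that flags the lure described above: password-expiration wording combined with a credential link that leaves the organization's own sign-in host or displays one host while pointing at another. The trusted host and the two sample mails are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED_HOSTS = {"sso.example.com"}  # hypothetical allowlist (assumption): where staff really manage passwords
# Wording characteristic of the password-expiration lure described above.
LURE_PATTERNS = [re.compile(p, re.I) for p in (
    r"password\b.{0,20}\bexpir",                            # "password will expire"
    r"keep\s+(?:your\s+)?(?:current|existing)\s+password", # the "keep it" hook
    r"within\s+\d+\s+hours?",                               # artificial urgency
)]

class _LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def score_password_expiry_lure(html_body: str) -> dict:
    """Suspicious only when lure wording is combined with a link that leaves the
    trusted host or displays one host while pointing at another."""
    text = re.sub(r"<[^>]+>", " ", html_body)            # strip tags before wording checks
    lure_hits = [p.pattern for p in LURE_PATTERNS if p.search(text)]
    parser = _LinkCollector()
    parser.feed(html_body)
    untrusted, mismatched = [], []
    for anchor, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host not in TRUSTED_HOSTS:
            untrusted.append(href)
        shown = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", anchor, re.I)
        if shown and shown.group(1).lower() != host:  # anchor shows a different host
            mismatched.append((anchor, href))
    return {"lure_hits": lure_hits, "untrusted_links": untrusted, "mismatched_links": mismatched,
            "suspicious": bool(lure_hits) and bool(untrusted or mismatched)}
# Constructed samples (not real mail): the tournament-style lure, and a legitimate expiry notice.
LURE_MAIL = ('<p>Your password will expire within 24 hours.</p><a href="http://sso-example.invalid/keep">'
             'https://sso.example.com</a> to keep your current password.')
BENIGN_MAIL = ('<p>Your password will expire in 14 days. Change it at</p>'
               '<a href="https://sso.example.com/change">https://sso.example.com/change</a>')
```

The benign notice uses the same expiry wording but is not flagged, because its link stays on the trusted host and its displayed host matches the real one.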
Nearly 300 organizations participated in the 2023 event, making it one of the largest phishing simulation events of its kind. Over 1.37 million people received the phishing email, and these messages were sent in 31 languages.
Results and revelations
The recent GPT revealed a concerning trend: despite heightened awareness, organizations remain susceptible to phishing attacks. Just over 10% of employees clicked on the phishing link, a small increase from 2022.
Even more alarming was how many of those who clicked went on to hand over a password: of the people who clicked the phishing link, 6 out of 10 divulged their credentials.
While the results show why phishing remains such a persistent problem, all of us can work to help each other say no to phishing.
Takeaways for person-first security
The results of the 2023 GPT underscore the limitations of technical safeguards alone. While essential, firewalls and email security measures cannot guarantee cybersecurity, especially at the enterprise level. We must develop the knowledge and reflexes necessary to consistently detect and report phishing threats. There are a few takeaways we learned through this experience.
We all have bad days: Even the most security-aware individuals can miss phishing red flags if scanning messages quickly. The takeaway is clear—take the time to read and react to every incoming email appropriately.
Choose dynamic security training: Today's security awareness training platforms should continually update content and release new modules reflecting evolving cybercrime trends.
Simulations can be stimulating: A baseline simulation is a great way to understand your organization's knowledge level regarding phishing threats.
Communication is critical: Use communication tools to promote the training program, emphasizing its importance in safeguarding sensitive information.
Gamification is your friend: Think about employing gamification techniques to keep participants engaged with training initiatives, making learning more interactive and enjoyable.
The results of the 2023 GPT show that cybersecurity is a shared responsibility. There's no reason to despair because we can work together to make the internet safer. Collectively, we can build resilient defenses against phishing attacks and prepare people for social engineering. Download a copy of the report here and come to our webinar with Fortra to learn more!