Phished homepage computer screen
16 April 2021 / Elaboration

From 50% phished to 5%: how Phished works and why

Any company that starts with the Phished platform often scores ‘high’ on the initial baseline measurement – up to 50% success rate. After one year, Phished manages to reduce this to less than 5%. How do we do that and why is it so efficient?


Those who never come into contact with the risks of digital life will hardly recognise threats when they come face to face with them. In concrete terms: those who never come into contact with phishing attacks, will not be able to recognise them nor deal with them in the right way. Every baseline measurement that Phished carries out, confirms this.

Mind you: these are well worked-out phishing cases, where the attacker has done his homework thoroughly. So we are not talking about the common and transparent emails about sex dates, viagra or prizes won. The African royal houses that want to hand out money are also left out of the equation.

Hacker hacked klein computer

Between 20% and 50%

A well-crafted phishing message responds to the daily reality of its recipient. This means that even very general “mass emails” can be very convincing. For example, it is very easy to reach thousands of recipients at once with an e-mail that seems to come from a parcel delivery service. The only thing a hacker needs to do is to format the message nicely – as identical as possible to the original – and to insert a placeholder that automatically fills in the correct first or last name for each recipient.

A message from a parcel service nowadays is part of almost everyone’s world. Although they are fairly generic, Phished manages to fool 20% of all recipients with such messages.

With spear phishing, Phished invariably lures at least 35% of all recipients into a trap at baseline measurement, and often this figure goes as high as 50%.

Spear phishing relies even more on recognisability and, above all, authority. Mass emails are often more personalised than people think, but with spear phishing this is even more the case. Here the attacker looks for as much personal information as possible that can be included in the phishing attempt. Social media, Google results, etc. are used for this.

In the case of spear phishing, a hacker will often impersonate a colleague or manager. We are programmed to help our employees as much as possible: their success is ours too. If such a message looks convincing because it may contain a reference to our last holiday trip, we are very quickly convinced that it is a genuine message and will want to help immediately. With this type of phishing, Phished invariably lures at least 35% of all recipients into a trap at baseline measurement, and often this figure goes as high as 50%.

How do we reach 5%?

Research shows that even people who receive thorough cybersecurity or phishing training are just as susceptible after six months have passed as they were before. Even those who are tested once a month remain highly susceptible to hacks and data loss. Therefore it is important that people are tested several times a month to keep their knowledge active, relevant and up to date.

The results of the Phished platform clearly show that regular phishing simulations – and microlearning through the Phished Academy – reduce the number of successful phishing attacks to less than 5% within a year. Through regular contact with different types of cyberattacks, within a safe and controlled environment, employees gain experience, learn correct reflexes and build up the necessary self-confidence to properly deal with (possible) dangers.

See for yourself

Our experience shows that companies always think they are better prepared than they really are. Request a demo and experience awareness training that works.