Fost Plus noticed a big decrease in phishing clicks after only a few months
The COVID-19 pandemic triggered a surge of phishing attacks. In response, Fost Plus began looking for a solution to identify and strengthen the weak points in its cybersecurity strategy.
Why Fost Plus relies on Phished
Fost Plus coordinates and funds the selective collection, sorting, and recycling of household packaging waste.
“We’ve always been highly aware of the potential dangers online,” says Jeroen Van de Sande, IT Manager at Fost Plus. “We already invested considerable time and energy in raising cybersecurity awareness among our employees, but never through structured campaigns or training programs. Our efforts barely had an impact: we saw that employees were still inclined to click on dangerous links in emails or enter sensitive data.”
“Fortunately, we’ve never experienced a cyber incident,” Van de Sande continues, “but we prefer to address potential risks before one actually materializes. With the COVID-19 crisis, we saw the volume of phishing emails increase significantly. It was high time to take action.”
An invisible problem
Phishing turned out to be a difficult problem for Fost Plus to quantify. The network administrators were aware of the growing number of attacks, but the results of a phishing test organized by Phished were unexpected: 49% of employees who opened the email fell for the simulation. This was a surprise for Fost Plus, but it is in fact a common outcome in targeted baseline simulations conducted by Phished.
“We were shocked by the result, even though it’s in line with other Phished campaigns,” says Van de Sande. “The campaigns are designed so skillfully that they prompt as many people as possible to click. That made us realize that this kind of training could be very useful within our organization.”

Significant progress
“The fact that we are seeing such a large decrease after six months is satisfying - the training clearly has an impact.”
In the latest phishing test, the click rate had already dropped to 11%—a decline Van de Sande considers acceptable: “Seeing such a major decrease in just six months is very encouraging. The training is clearly having an impact. Our employees are now much more aware of potential cyber risks.”
The fact that 11% of employees still clicked on phishing links after six months has an explanation: Fost Plus takes a direct, no-compromise approach, presenting employees with the most challenging simulations—because hackers won’t go easy on them either.
“For example, we used simulations about ‘updates to COVID-19 measures,’” Van de Sande explains. “And we didn’t warn our employees before sending the first simulation. We wanted to make full use of the surprise effect. We got a lot of reactions to that. A few days later, we sent an email explaining our collaboration with Phished, but beyond that, we prefer not to draw too much attention to it. We want the next simulation to also be somewhat unexpected so we can measure responses as realistically as possible.”
Conclusion
Although Fost Plus has never been the victim of a data breach, many employees’ cybersecurity awareness was still underdeveloped. Thanks to regular, automated simulations, susceptibility to phishing dropped dramatically. Almost everyone in the organization quickly became convinced of the platform’s value.
Today, cybersecurity awareness is much stronger at Fost Plus, resulting in better instincts when users are faced with phishing or other threats, as well as increased use of the internal spam button—leading to a more streamlined operation for the IT service desk.