
Will Your Employees Open This Attachment? Results of Our Tests

By Mateusz Wójcik, Senior Consultant · September 28, 2024 · 7 min read

We have conducted 483 security audits since 2017, and the conclusion is always the same: the weakest link is not your server but the human. In the last quarter we sent 1,427 controlled phishing messages to employees of medium-sized Polish companies, and the results are thought-provoking.

A trap in morning coffee

Most incidents we handle at Conner Whitlock start on a Tuesday between 8:42 and 9:15 AM. It's the moment when an employee turns on the computer, drinks their first coffee and wants to quickly 'clean' the mailbox of pending emails. In our tests from June 2024, as many as 19.3% of people clicked a link pretending to be a payment demand from PGE. They didn't check the sender's address, because the amount of 147.20 PLN seemed low enough not to arouse suspicion, yet annoying enough that they wanted to deal with it quickly.

In one transport company from Mazovia, where we tested 84 people, the result was even worse. As many as 23 employees not only opened the attachment but also entered their login credentials on a fake Microsoft 365 page. It took them an average of 43 seconds from the moment the message arrived. Hard facts on the table: haste combined with a lack of procedures is the shortest way to lose control of the company's bank account.

As many as 19.3% of people clicked a link pretending to be a payment demand because the amount seemed harmless.

The correcting invoice method

We check what works and what doesn't, so in August 2024 we tested a new scenario: 'Correcting invoice for telecommunications services'. It's a classic, but still frighteningly effective. Of the 312 emails sent, the PDF attachment (which was actually our tracker) was downloaded by 47 people. Interestingly, employees from the accounting and HR departments were fooled most often. They are used to receiving dozens of documents a day, and their vigilance naturally drops after the third hour of work.

We know the realities of Polish companies and know that no one has time for two-hour cybersecurity training that everyone sleeps through anyway. That's why during our audits we show specific examples from the Polish market. We don't talk about movie hackers, but about the real risk that a single mistake by an office administrator can cost the company 114,000 PLN when ransomware locks its files. These are not theories; these are situations we had to rescue clients from 14 times last year.


The psychology of fear and curiosity

Why does it work at all? Hackers use simple triggers: fear of a penalty, or curiosity. In our test from July 2024 we sent an email titled 'New payroll - confidential'. Even though the sender was from outside the company domain, 14.7% of employees tried to open the Excel file. It's human nature. Without fluff: if you don't have mechanisms blocking such attempts at the server level, you rely solely on people's judgment, and that can be unreliable, especially before a vacation.
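The server-level checks mentioned above are cheap to write. The following is an added example, not Conner Whitlock's tooling: it scores one inbound message on the signals this post keeps returning to (a sender outside the company domain, a brand name in the display name, a lure-style subject, a risky attachment) plus a Reply-To mismatch, and decides whether to deliver, banner or quarantine it. The company domain, the brand-to-domain map and both sample messages are constructed for the example.

```python
"""Constructed example: server-side triage of one inbound message using the
signals the post names (external sender, lure subject, attachment type),
plus a Reply-To mismatch check. Not the consultancy's own tooling."""
import os
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.pl"            # assumption: the protected organisation
LURE_WORDS = ("faktura", "korekt", "wezwanie", "zaplat", "invoice",
              "payment", "payroll", "confidential")
RISKY_EXTENSIONS = {".pdf", ".xls", ".xlsx", ".xlsm", ".docm", ".zip", ".iso", ".html"}
# Brands commonly impersonated, mapped to the domains they legitimately send from.
# Placeholder values: fill in from your own supplier list before use.
BRAND_DOMAINS = {"pge": {"pge-legit-domain.example"}, "microsoft": {"microsoft.com"}}


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return (verdict, findings) for one RFC 822 message given as a string."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))

    if from_domain and from_domain != COMPANY_DOMAIN:
        findings.append("external-sender")
    for brand, legit_domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_domain not in legit_domains:
            findings.append(f"brand-impersonation:{brand}")
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")   # replies would go to a third party
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in LURE_WORDS):
        findings.append("lure-subject")
    for part in msg.walk():                    # every MIME part, attachments included
        filename = part.get_filename()
        if filename:
            ext = os.path.splitext(filename)[1].lower()
            if ext in RISKY_EXTENSIONS:
                findings.append(f"risky-attachment:{ext}")

    if len(findings) >= 2:
        verdict = "quarantine"
    elif findings:
        verdict = "deliver-with-banner"        # e.g. the usual "external sender" banner
    else:
        verdict = "deliver"
    return verdict, findings


# Constructed sample: the "correcting invoice" lure from an external domain.
SAMPLE_PHISH = """\
From: "PGE Obsluga Klienta" <faktury@pge-rozliczenia.example>
To: ksiegowosc@example.pl
Reply-To: platnosci@mail-box.example
Subject: Faktura korygujaca za uslugi telekomunikacyjne
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Prosimy o pilne uregulowanie kwoty 147,20 PLN.
--b1
Content-Type: application/pdf; name="FV_korekta_2024.pdf"
Content-Disposition: attachment; filename="FV_korekta_2024.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed sample: ordinary internal mail that should pass untouched.
SAMPLE_INTERNAL = """\
From: "Anna Nowak" <anna.nowak@example.pl>
To: jan.kowalski@example.pl
Subject: Spotkanie zespolu w czwartek
Content-Type: text/plain; charset="utf-8"

Przypominam o spotkaniu o 10:00.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("internal", SAMPLE_INTERNAL)):
        print(label, triage(raw))
```

A single finding only earns the message a banner, because "external sender" on its own describes most legitimate mail; it is the combination (external sender plus a brand name in the display name plus a lure subject plus a PDF) that puts the 147.20 PLN "invoice" into quarantine before a tired accountant ever sees it.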

At Conner Whitlock, we don't believe in one-off talks. Effective protection of assets and data requires a systematic approach. After each test, we send a report that doesn't land in a drawer but is used to improve security within 14 days. We show who clicked, how fast, and what they were fooled by. (Heads-up: usually the same 3-4 people in a company generate 79.4% of the risk.) Knowing this, you can focus on additional safeguards for them instead of tiring everyone with boring procedures.

Curiosity is sometimes stronger than procedures. Every seventh employee opened an email about the payroll.

How to realistically secure a company?

Human error cannot be reduced to zero, but its consequences can be made non-fatal. The first step is implementing multi-factor authentication (MFA) everywhere possible. Our data shows that MFA blocks 99.1% of unauthorized login attempts, even when an employee has typed their password into a fake page. This is the absolute minimum every company in Poland should have implemented yesterday. If you don't have it, you're playing Russian roulette with your data.

The second step is regular social engineering tests. Not to punish employees, but to immunize them. An employee who 'falls' for one of our controlled tests once becomes three times more vigilant about real threats for the next 11 months. This is the cheapest and most effective form of education. Instead of theorizing, we show them 'live' how easily they can be fooled. This stays in memory much longer than any e-learning certificate.
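To make the first step concrete, here is an added example (not Conner Whitlock's code) of why a password typed into a fake Microsoft 365 page is worth little once MFA is in place: the login flow checks the password, then demands a time-based one-time code (TOTP, RFC 6238) that only the employee's authenticator app can produce, and refuses to accept the same code twice. The user record, the password and the timestamps are constructed for the example; the TOTP arithmetic follows the RFC and is checked against its published test vector.

```python
"""Constructed example (not the consultancy's code): a login flow in which a
password phished from a fake sign-in page is useless on its own, because the
server also demands a TOTP code (RFC 6238) that the attacker does not hold."""
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30
DIGITS = 6
PBKDF2_ROUNDS = 200_000


def hotp(secret, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=STEP_SECONDS):
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step)


def match_totp(secret, code, at_time, window=1):
    """Return the counter whose code matches (allowing +/- `window` steps of clock
    drift), or None if no counter in the window matches."""
    current = int(at_time) // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def new_user(username, password, totp_secret=None):
    """Create a constructed user record; the TOTP secret is what the authenticator
    app enrols. Real deployments store this record server-side."""
    salt = secrets.token_bytes(16)
    return {
        "username": username,
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret or secrets.token_bytes(20),
        "last_counter": -1,   # highest counter already accepted, to block replay
    }


def login(user, password, code, at_time):
    """Return one of: bad-password, mfa-required, bad-mfa, code-reused, ok."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return "bad-password"
    if code is None:
        return "mfa-required"        # a phished password alone stops here
    counter = match_totp(user["totp_secret"], code, at_time)
    if counter is None:
        return "bad-mfa"
    if counter <= user["last_counter"]:
        return "code-reused"         # a code captured and replayed later is rejected
    user["last_counter"] = counter
    return "ok"


if __name__ == "__main__":
    # Constructed scenario: the attacker holds the password from the fake page,
    # only the employee's phone holds the TOTP secret.
    now = 1_727_500_000
    employee = new_user("j.kowalski", "Lato2024!")
    print("attacker, password only:", login(employee, "Lato2024!", None, now))
    print("employee, password + app code:",
          login(employee, "Lato2024!", totp(employee["totp_secret"], now), now))
```

The replay check matters for the 43-second window the post describes: a code that was typed into a fake page and relayed within the same 30-second step would still work once, so for accounts that handle payments a phishing-resistant factor (FIDO2 security keys or passkeys, which bind the login to the real site's origin) closes that remaining gap.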


Your checklist for tomorrow

Start with simple things. Check whether your employees know how to report a suspicious email. In 73% of the companies we examined, people had no idea what to do once they had already clicked something suspicious. Often, out of fear of punishment, they simply closed the laptop and hoped nothing would happen. This is the worst possible reaction. You must build a culture where reporting a mistake within 5 minutes is rewarded, not punished. Reaction time is crucial here: isolating an infected computer from the network within 120 seconds can save the rest of your infrastructure.

We ended Q3 with a 97.3% success rate in detecting human-factor gaps at our regular clients. This is the result of hard work and hard data. If you want to know what security looks like among your board and your people, don't guess. Check it with us before someone with bad intentions does. Remember: cybersecurity is not a cost, it's an insurance policy for your peace of mind.