More than 90 percent of cyberattacks and resulting breaches in 2016 stemmed from a spear-phishing email, according to PhishMe's 2016 Enterprise Phishing Susceptibility and Resiliency report.

Not surprisingly, spear-phishing campaigns are up 55 percent from last year, with ransomware attacks increasing to a whopping 400 percent more than last year, the report found. And business email compromise losses are up 1,300 percent.

PhishMe analyzed data samples from more than 1,000 of its customers who sent over 40 million simulation emails from January 2015 through July 2016. Phishing simulations help organizations assess and train employees about online threats, by sending employees emails that mimic real threats.

PhishMe analyzed the data and found 'continued exposure to simulations lower the chance of an employee falling for a phishing email, PhishMe Co-Founder and CTO Aaron Higbee, said in a statement.

Further, employees conditioned to identify phishing attacks are more likely to report them to the IT team. In fact, reporting suspicious emails outweighs the amount of users falling for phishing campaigns, the report found.

And when at least 80 percent of the company is trained to identity these types of campaigns, users are more likely to report the email than click on it.

"The key is constant exposure," Higbee added.

Active reporting of phishing emails reduced the standard detection time to 1.2 hours, on average – a huge difference from the current industry average of 146 days.

The most effective phishing simulations were business- or office-related, the report found. However, they are also the most difficult for users to detect and then report.

Even more notable, those who engaged with suspicious emails did so due to curiosity, fear and urgency – or due to believing the email was an office communication, financially driven or a contract.

Mayo Clinic found similar results from its No Phishing Campaign, JoEllen Frain, Mayo's director of Behavioral Management in the Office of Information Security told HIMSS Privacy and Security Forum attendees on December 5.

"When you're trying to initiate a phishing program or reengineer a phishing program, you have to be clear with your objectives and encourage all end users to report suspicious email," Frain said. "If they're deleting (malicious emails), they're not giving us the intelligence."

"We know we're not going to be 100 percent perfect because there are humans involved," Frain said. "But if you build resiliency, you want to stay resilient. We can't stop it all, so we need to know how to react appropriately and trust your gut. It's phishing season all year round."

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn