Financial Institution Goes from 39% Phish-Prone Rate to 2.17% in One Year Thanks to KnowBe4 Training

Nothing’s guaranteed except death and taxes.

AND email phishing attacks!

I’m serious. If you have email (and I know you do), then you are at risk of being targeted by a cybercriminal looking to steal your personal data. And this threat is not going away. As long as there are electronic inboxes, there will be malicious emails from criminals who simply need you to click a bogus link in order to get malware onto your computer or network.

Law firms are particularly enticing to criminals because they store oodles of sensitive client data. Likewise, the financial industry constantly battles phishing attempts from crooks looking for customer data and financial information.

So, how do you fight the bad guys? You have to teach your employees not to click on bad emails. Luckily, there is a tool that you can easily use to achieve the following:

  • Phish your own firm with fake emails
  • Learn your phish-prone rate (the percentage of employees who click on a simulated phishing email)
  • Educate your employees through super-fast, enjoyable videos
  • Launch regular fake phishing campaigns to watch your phish-prone rate drop dramatically

What is the magical tool? KnowBe4 Security Awareness Training. But don’t take my word for it. Read the following case study about a financial institution that went from a whopping 39% phish-prone rate to 2.17% in one year. Now that company’s employees are its first line of defense… rather than its weakest link.

A KnowBe4 Case Study: An Anonymous Financial Institution

The Story: As Described by A Manager in the Financial Institution

We were aware of some of the cyber thefts occurring at medium-size businesses. However, the awareness of phishing and spear-phishing had been localized to the IT Dept and our Risk Management team. On a management level, we knew what could go wrong, but we did not have a company-wide awareness and we were not sure what we needed. We had basic security training in place as part of new employee onboarding and a yearly mandatory test. Employees could do a refresher course if needed, but we were limited to that.

Some of our clients are now starting to require Security Awareness Training for their vendors as part of their audit process. These requirements do not specify the granularity needed, so we were still faced with a lack of clarity on what we needed and which method would be most effective and fulfill audit requirements.

When we found KnowBe4, it was a perfect fit. We knew we had to have something that allowed us to do phishing tests on the staff, record training and results and be able to report on the results. KnowBe4 was able to do all this in an easy-to-use fashion, saving IT from having to do a lot of extra work. Our prior efforts would take a couple of weeks to do as a project and were nowhere near as fine-tuned as KnowBe4 allowed us to get.

Getting Started

Getting started was an easy process. We did a couple of calls and were walked through the process of importing addresses and setting up the way we wanted it, learning the reporting features and so forth.

Once we were set up, we decided to do a baseline Phishing Security Test to see how many of our staff were phish-prone. Our results showed phishing was a far bigger situation than I had envisioned. We ran the test and got a staggering 39% phish-prone percentage.


Due to the high percentage of clicks off our initial testing, we made Kevin Mitnick Security Awareness Training mandatory for staff and included it as part of any new employee training. The managers are required to do the 40-minute version and staff are given the option of doing the 15-minute version or the 40-minute version. We also have a group we put through the training in a classroom setting with the documentation as some computers do not have sound options.

We are able to easily track who does the training and who completes it for compliance reporting.

Ongoing Phishing Tests

Once we did the training, subsequent phishing tests dropped to 0% phish-prone as staff were darn sure they were not going to fall for a phishing test. We then started to explore some of the templates and customizable options and decided to use these to be a bit more “crafty” in our attempts.

We got a few to respond and click but the general trend of clicks is continuing down with staff much more focused and able to avoid phishing attacks.

Successful Outcome

  • Phish-prone percentage dropped from 39% to 2.17% in one year

Now, back to your law firm: Would you like to find out if KnowBe4 is the right security awareness training platform for you, too? Contact me today for a free demo. I think you’ll like what you see!

