Technology, Risk & Compliance

In an age of increasing reliance on secure information technology, information security and compliance have become more important in helping customers determine whether security controls are operating as intended and how well their data and intellectual property are protected.



A pedestrian in New York sees a musician getting out of a cab and asks, “How do you get to Carnegie Hall?” The musician replies, “Practice, practice, practice!” It’s an old adage but holds a lot of truth. To be good at any skill requires practice. How good are your employees at recognizing and managing phishing emails? It is a well-known fact that phishing emails are the number one cause of successful cyber-attacks. The statistics are compelling:

  • 76% of businesses were victims of a phishing attack in 2018
  • 92% of malware is delivered by email
  • 95% of attacks on business networks result from successful spear phishing
  • The average cost of a phishing attack to a mid-sized company is $1.6 million
  • 97% of people globally are unable to identify a sophisticated phishing email
  • 82% of manufacturers have experienced a phishing attack in the past year

Clearly, phishing emails resulting in ransomware, data breaches and payment fraud are on the rise and are targeting the middle market and sole proprietors at an ever-increasing rate. Most companies today are struggling to protect their businesses from these types of attacks. Middle market companies are particularly susceptible to cyber-attacks because they have limited security personnel and budget for managing the ever-changing cybersecurity threat landscape.

Many executives simply “don’t know what they don’t know” about cybersecurity and rely on a trusted employee or business partner to handle security along with all of the other information technology requirements of the business. For most IT resources at mid-sized companies, cybersecurity is at best a part-time endeavor. As a result, the limited IT resources cannot possibly stay ahead of the cyber-threat curve.

So, if phishing emails are the leading cause of cyber-attack, what is your organization doing to manage them? While there are many technology solutions on the market to identify and block phishing emails, the cold hard truth is that your best prevention is your “human firewall”. There is nothing better at identifying and managing phishing threats than a well-trained employee. Your people are the ones receiving the phishing emails. They will be the ones that recognize them and handle them appropriately, or they will be the ones to open them and click on the link that leads to a cyber-attack in your organization.

Is your organization conducting phishing campaigns? If not, why not? In order for your employees to become proficient at recognizing phishing emails and dealing with them properly, you must make them practice! Any parent who has paid for music lessons or coached a sports team knows the importance of practice. The skills required to effectively recognize and manage phishing emails are no different. They require practice.

It has been said that a cyber-attack on your organization is not a matter of “if,” but “when.” And chances are, it will be a phishing email that causes the attack. Let’s face it, your employees are on the front lines of the war on phishing. They are your “human firewall”. You owe it to them and to your company to give them the opportunity to practice their phishing recognition skills. Remember, it only takes one click by one employee on one phishing email to allow a cyber-attack that could result in significant financial and reputational damage to your company.

A properly developed phishing campaign can significantly improve the effectiveness of your “human firewall” and reduce the risk of a phishing-related cyber-attack.

We have seen first-hand the damaging effects of cyber-attacks. We have numerous clients who have been the victim of a ransomware attack that disabled their business for several days or weeks. We have clients who have been hit with wire-transfer and banking fraud resulting from Business Email Compromise (BEC). Each one was totally unprepared for a cyber event. Most had no cybersecurity training program and no active phishing campaigns.

Our firm first began to utilize active phishing campaigns in late 2016 as a result of our own struggles to deal with the flood of phishing emails and malware. Using a well-known phishing campaign tool, we ran our first phishing test unannounced to our entire employee base. Our results were typical. Thirty percent of our users clicked on embedded links in the test emails. Sixteen percent of our users supplied personal information on the linked phishing pages. Soon after our initial test, we provided mandatory awareness training for our entire staff. We went over the results of our initial campaign and thoroughly explained the impact. Our employees were surprised by the results of our initial test. Any one of those clicks could have resulted in malware or a data breach.

After our initial campaign, we continued to provide our employees with opportunities to practice recognizing phishing emails. We utilized the tools provided by our service provider and designed campaigns that were similar to the most prevalent and successful real-world phishing emails.

The results have been nothing short of amazing. Over the first year of our campaign, we noted a steady drop in the number of click-throughs by employees. In addition, our employees began reporting and avoiding more real phishing emails! Our security staff continued to hone their phishing design skills to make it more challenging for our employees to spot the phishing tests. Over time, our risk rating for phishing-related cyber-attacks has gone from 30% to less than 3% as a result of the training and the regular practice in which our employees participate. That is a substantial reduction in risk! There is ample evidence that our results are not unique. A recent Ponemon Institute study found that training reduced click-throughs on phishing emails by between 26% and 99%, with an average improvement of 64%.

It’s all about practice. The better your employees are at recognizing a phishing email, the better the chance that your company will be able to avoid a costly and embarrassing cyber-attack. There is little doubt that a well-run phishing and training campaign will reduce the risk of a cyber-attack.

We have helped our clients design, deploy, and manage phishing campaigns that work. We can provide your people with the tools and training they need to become proficient in the battle against phishing scams. Contact a dedicated cybersecurity professional at UHY Advisors for more information on phishing campaigns and preparing your employees to minimize cyber risks.

UHY LLP is a licensed independent CPA firm that performs attest services in an alternative practice structure with UHY Advisors, Inc., and its subsidiary entities. UHY Advisors, Inc.’s subsidiaries, including UHY Consulting, Inc., provide tax and business consulting services through wholly owned subsidiary entities that operate under the name of “UHY Advisors” and “UHY Consulting”. UHY Advisors, Inc., and its subsidiary entities are not licensed CPA firms. UHY LLP, UHY Advisors, Inc. and UHY Consulting are U.S. members of Urbach Hacker Young International Limited, a UK company, and form part of the international UHY network of legally independent accounting and consulting firms. “UHY” is the brand name for the UHY international network. Any services described herein are provided by UHY LLP, UHY Advisors and/or UHY Consulting (as the case may be) and not by UHY or any other member firm of UHY. Neither UHY nor any member of UHY has any liability for services provided by other members.

On this website, (i) the term "our firm", "we" and terms of similar import, denote the alternative practice structure conducted by UHY LLP and UHY Advisors, Inc. and its subsidiary entities, and (ii) the term "UHYI" denotes the UHY international network, in each case as more fully described in the preceding paragraph.