Employers urged to 'prioritise security training, practise cyber hygiene'
More than 30% of phishing emails that were sent to Singaporean employees in a coordinated exercise have been opened, according to a new report, which underscored the need for employers to prioritise security training.
The first coordinated phishing exercise held as part of the Exercise SG Ready (ESR) 2025 found that over 30% of phishing emails sent to more than 4,500 employees between February 15 and 28 were opened.
Another 17% of the recipients also clicked the phishing link, eight per cent higher than the average global phishing rate.
The click rate between large and small companies were also closely tied, according to the report.
"The exercise findings indicate that more can be done to enhance the security awareness of employees, particularly those working in SMEs, to reduce the risk of successful phishing attacks," said Kok Ping Soon, chief executive of the Singapore Business Federation, in a statement.
"We urge all businesses to prioritise security training, practise cyber hygiene and encourage a culture of vigilance among employees."
According to the report, phishing emails that were related to internal communications were most likely to be clicked by employees.
This suggests that employees generally were "less guarded about the authenticity of emails claiming to originate from within the organisation."
The findings reflect data from KnowBe4 last year that showed HR-related and IT-related phishing emails continue to victimise employees across the world.
The exercise comes as Singapore sees the monthly overall phishing attack volume in Singapore surged by 37% in 2024, according to Abnormal Security.
It found that the median monthly phishing attacks targeting businesses in Singapore was 682 attacks per 1,000 mailboxes.
"Cybersecurity is a major concern for businesses due to the increasing frequency and sophistication of cyberattacks, which can result in financial losses, reputation damage and legal liabilities," Kok said.
To boost Singapore's cyber resilience, the SBF, Nexus, and the Ministry of Defence (MINDEF) carried out the Exercise SG Ready 2025.
According to the SBF, the coordinated phishing exercise saw close to 200 businesses involved, of which over 80% were small and medium enterprises.
"We are encouraged by the strong participation by businesses in this first run of the coordinated phishing exercise," said SLTC Psalm Lew, Director of Community Engagement, Nexus, MINDEF, in a statement.
"The results underscore the importance of agencies, businesses, and communities coming together to work on a whole-of-society response to security threats through Total Defence."
