Learn how phishing scams exploit workplace vulnerabilities, and discover expert tips to strengthen defenses with AI, zero-trust, and employee awareness

In a recent nationwide “Total Defence” (sic) campaign in Singapore where 4,500 employees (80% of whom were from small- and medium- sized enterprises [SMEs]) were sent emails with phishing links embedded in the content, over 30% had read the emails, and about 17% had actually been tricked to activate the URLs.

About 5% had reported the phishing emails, compared with the global industry reporting rate of 18%. Those on internal communications had garnered the highest click rate, suggesting that, in the workplace, employees were generally less guarded about the authenticity of emails claiming to originate from within the organization — particularly those in SMEs.

What lessons can be picked up from the results? Two spokespersons from cybersecurity agencies have offered their recommendations here.

Seeing beyond phishing click rates

According to Abhishek Kumar Singh, Head, Security Engineering, Check Point Software Technologies (Singapore), the real priority is not just in lowering the click rate on phishing links, but about “building a stronger security posture through layered defenses.”

This means equipping employees with better cyber security awareness, using AI-driven phishing detection, and enforcing zero-trust policies to reduce risk. Beyond just measuring clicks, businesses should track how often employees submit credentials, download attachments, or report phishing attempts — these deeper insights reveal the actual exposure to threats. Also:

  • To counter phishing, organizations need smarter security measures. Filtering out malicious content before it reaches users; using AI to detect suspicious emails; and flagging unusual user behavior patterns can stop threats before they escalate.
  • Zero-trust security should be the standard, with multi-factor authentication, adaptive login security, and automated incident responses helping to contain threats early.
  • Simulating phishing attempts with real-world attack scenarios can also help employees recognize and resist scams.
  • At the individual level, always double-check sender details, avoid clicking unfamiliar links, and enable multi-factor authentication for critical accounts.
  • At the corporate level, teams should focus on providing ongoing security training, proactive defenses, and strong access controls to stay ahead of evolving phishing threats.

Singh added: “On a technical level, businesses should ensure their email systems can block spoofed emails using authentication tools like DomainKeys Identified Mail, Sender Policy Framework, and Domain-based Message Authentication, Reporting, and Conformance. Scanning suspicious links, analyzing email patterns with AI, and tapping into real-time threat intelligence can also prevent credential theft and malware attacks.”

Stronger security starts with awareness

According to Patrick Tiquet, VP (Security & Compliance), Keeper Security: “Attackers frequently exploit internal communications so as not to arouse suspicion, making it critical for organizations to implement email authentication protocols such as DMARC, and foster a culture where employees question messages that don’t seem quite right and verify them before acting. Also:

  • Beyond providing continual phishing-awareness training, SMEs should enforce strong password management, enable multi-factor authentication and use privileged access controls to limit the damage from compromised credentials.
  • The low reporting rate of phishing emails is also concerning: security teams cannot defend against threats they do not know about.
  • Encouraging employees to report suspicious emails and automating threat detection are critical steps in strengthening defenses.

What about employees elsewhere?

The phishing test involved mostly those in SMEs in Singapore. What about those in larger corporations in and outside of the country?

Generally, while the results of Singapore-based phishing test have highlighted specific vulnerabilities within the country’s SMEs, they also serve as a general wake-up call to organizations around the world. Remember:

  • Phishing is not confined by borders — it is a universal threat that evolves with technological advancements, such as AI-driven attacks and multi-channel phishing campaigns.
  • Organizations worldwide must recognize that effective defense requires a blend of cutting-edge technologies such as AI-powered detection systems and robust human-centric strategies, including behavior-based training and proactive reporting mechanisms.
  • By fostering a culture of vigilance and continuously updating security measures, businesses and organizations (yes, not every organization is a business, and could be a non-profit, a governmental organization or !) everywhere can stay ahead of this ever-changing threat landscape and protect their assets, reputation, and people.