Staff are still falling for phishing scams Attack.Phishing , with social media friend requests and emails pretending to come from Attack.Phishing the HR department among the ones most likely to fool Attack.Phishing workers into handing over usernames and passwords . Phishing scams Attack.Phishing aim to trick Attack.Phishing staff into handing over data -- normally usernames and passwords -- by posing as Attack.Phishing legitimate email . It 's a technique used by the lowliest criminals as part of ransomware campaigns , right up to state-backed hackers because it continues to be such an effective method . In a review of 100 simulated attack campaigns for 48 of its clients , accounting for almost a million individual users , security company MWR Infosecurity found that sending Attack.Phishing a bogus friend request was the best way to get someone to click on a link -- even when the email was being sent Attack.Phishing to a work email address . Almost a quarter of users clicked the link to be taken through to a fake login screen , with more than half going on to provide a username and password , and four out of five then going on to download a file . A spoof email claiming to be Attack.Phishing from the HR department referring to the appraisal system was also very effective : nearly one in five clicked the link , and three-quarters provided more credentials , with a similar percentage going on to download a file . Some might argue that gaining access Attack.Databreach to a staff email account is of limited use , but the security company argues that this is a handy for an assault . A hacker could dump Attack.Databreach entire mailboxes , access Attack.Databreach file shares , run programs on the compromised user 's device , and access multiple systems , warned MWR InfoSecurity . Even basic security controls , such as two-factor authentication or disabling file and SharePoint remote access , could reduce the risk . The company also reported bad news about the passwords that users handed over : while over 60 percent of passwords were found to have a length of 8 to 10 characters -- the mandatory minimum for many organizations -- the company argued that this illustrates how users stick to minimum security requirements . A third of the passwords consisted of an upper-case first letter , a series of lower-case letters , and then numbers with no symbols . It also found that 13.6 percent of passwords ended with four numbers in the range of 1940 to 2040 . Of those , nearly half ended in 2016 , which means one-in-twenty of all passwords end with the year in which they were created .