Mar 5, 2026

How Sonark Reduced Phishing Clicks by 60% in 90 Days

Real case study: A 50-person accounting firm reduced phishing clicks from 35% to 14% in 90 days using Sonark. Learn their approach and results.


Phishing remains the #1 attack vector compromising Canadian SMBs. Attackers know that gaining employee access is easier than breaking through technical defenses. This case study demonstrates how Sonark helped a mid-sized Canadian accounting firm dramatically reduce phishing risk and build a security-conscious culture.

The Challenge: High Phishing Vulnerability

Our client was a 50-person accounting firm based in Toronto with multiple satellite offices. The firm handled sensitive financial information, tax returns, and confidential client data. Despite having basic email filters, employees were falling for phishing attacks at an alarming rate.

The Baseline Assessment

When Sonark conducted the initial security assessment, we found:

  • Phishing Click Rate: 35% of employees clicked on simulated phishing emails
  • Credential Submission Rate: 18% of recipients entered their credentials into the fake login portals
  • Training Gaps: Employees had never received formal security awareness training
  • Incident Response: No documented procedures for reporting suspected phishing
  • Leadership Understanding: Security was viewed as an IT problem, not a business risk

These metrics revealed significant vulnerability. With 1 in 3 employees clicking phishing links, the firm was essentially leaving doors open for attackers.

The Business Risk

For an accounting firm, a successful phishing compromise could mean:

  • Unauthorized access to client financial accounts
  • Data theft of confidential tax information and business records
  • Wire fraud from compromised executive email accounts
  • Ransomware deployment that could shut down operations for weeks
  • Regulatory fines and lawsuits from affected clients
  • Reputational damage that could lose client relationships

The partner team understood they needed to act.

The Sonark Implementation: Three-Phase Approach

Phase 1: Assessment and Strategy (Weeks 1-2)

We began with comprehensive assessment:

  • Baseline Phishing Simulation: Sent 100 realistic simulated phishing emails across the organization to measure baseline vulnerability. 35% of recipients clicked the link and 18% entered their credentials on the fake login page.
  • Security Awareness Survey: Surveyed employees to understand their security knowledge and awareness gaps. Results showed employees couldn't identify common phishing tactics.
  • Risk Analysis: Identified high-risk roles (accounting staff, finance managers, executive assistants) who would be targeted in advanced phishing attacks.
  • Customized Training Plan: Developed role-specific training modules tailored to the firm's specific risks.

We presented findings to the leadership team with clear metrics showing the risk and a roadmap for improvement.

Phase 2: Customized Training Rollout (Weeks 3-6)

Rather than generic security training, we created accounting-firm-specific content:

  • Executive Module: Trained partners on how to spot business email compromise (BEC) attacks and wire fraud schemes targeting their authorization.
  • Finance and Accounting Module: Taught staff to identify phishing attacks targeting financial information, suspicious payment requests, and invoice fraud.
  • Administrative Module: Trained support staff on credential security, password hygiene, and reporting procedures.
  • Everyone Module: Core training on phishing identification, reporting mechanisms, and response procedures.

Training was delivered via short videos, interactive modules, and live Q&A sessions. Each module took 15-20 minutes, minimizing disruption to daily work.

Phase 3: Ongoing Simulations and Reinforcement (Weeks 7-12)

Knowledge alone doesn't change behavior. We deployed regular simulations with reinforcement training:

  • Week 4 Simulation: Sent phishing emails after initial training to measure early progress.
  • Week 8 Simulation: Another round to track improvement after 4 weeks of training.
  • Week 12 Simulation: Final assessment at the 90-day mark.

Each simulation was followed by targeted training for employees who fell for the phishing attempt. We identified click patterns and provided personalized coaching to high-risk individuals.

Results: 60% Reduction in Phishing Clicks

The Numbers

The results exceeded expectations:

  • Day 1 Baseline: 35% phishing click rate
  • Day 30: 26% phishing click rate (-9 percentage points from baseline)
  • Day 60: 18% phishing click rate (-17 percentage points from baseline)
  • Day 90: 14% phishing click rate (-21 percentage points from baseline, a 60% relative reduction)

More importantly, credential submission dropped significantly:

  • Baseline: 18% of phishing email recipients submitted credentials
  • Day 90: 3% of phishing email recipients submitted credentials (83% reduction)

This means fewer employees would fall for fake login portals designed to steal credentials.

Engagement and Culture Changes

Beyond the metrics, we observed cultural shifts:

  • Reporting Increase: Suspicious email reporting roughly quadrupled. In the baseline period, employees reported 2-3 suspicious emails per month. By month 3, they reported 8-12 per month.
  • Employee Confidence: Survey responses showed 78% of employees now felt confident identifying phishing, up from 12% in the baseline survey.
  • Leadership Engagement: Partners actively discussed phishing risks in team meetings and reinforced good security practices.
  • Reduced False Positives: Better training meant employees didn't over-report legitimate emails, improving signal-to-noise ratio for security alerts.

Key Success Factors

1. Executive Buy-In

Success required partner involvement from day one. When partners understood the risk and committed to the program, employees took it seriously. Leadership participation was visible and consistent.

2. Role-Specific Training

Generic security training fails because employees don't see the relevance. By creating accounting-firm-specific scenarios, we made the training immediately relevant and memorable.

3. Ongoing Simulations

A single training session doesn't create lasting behavior change. Regular simulations with reinforcement training kept security top-of-mind and created accountability.

4. Psychological Safety for Reporting

We emphasized that reporting suspicious emails was good, not a sign of failure. Employees who reported received positive reinforcement, and those who fell for a simulation received coaching rather than punishment.

5. Personalized Remediation

Employees who repeatedly clicked phishing links received additional targeted training and coaching rather than generic remediation.

Lessons Learned

Behavior Change Takes Time

The largest drop occurred between weeks 4-8, not immediately after training. Employees needed to practice and see multiple simulations before behavior truly changed.

Role Matters

Administrative staff improved faster than senior staff. Executive assistants and admin staff had higher initial vulnerability but showed the steepest improvement curves. Partners and senior staff required more personalized coaching.

Phishing Sophistication Increases Difficulty

Simulations using common phishing tactics saw 8-12% click rates by day 90. Simulations using advanced tactics (well-researched, personalized attacks) saw 18-22% click rates. No training can eliminate all vulnerability to advanced attacks.
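The click, credential-submission and reporting rates quoted throughout the results, and the breakdowns by role and by template difficulty in the two lessons above, depend on a detail the page glosses over: whether the denominator is the number of emails sent or the number of distinct employees (a campaign that sends two emails to one person must not count that person twice). The following Python is an added example, not Sonark's tooling or the firm's data; the `Event` fields and the `EVENTS` rows are constructed sample data chosen so the numbers can be checked by hand.

```python
"""Compute phishing-simulation metrics from a per-recipient event log.

Added example (not Sonark's tooling). Each Event is one simulated email
delivered to one employee; EVENTS is constructed sample data. All rates
use distinct recipients as the denominator, so sending two emails to the
same person does not inflate the employee count.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str
    role: str          # constructed role labels: "admin", "finance", "partner"
    difficulty: str    # "common" or "advanced" template
    clicked: bool      # followed the link
    submitted: bool    # entered credentials on the fake login page
    reported: bool     # used the report-phish button


# Constructed sample: 6 employees, 8 emails (alice and dave received two).
EVENTS = [
    Event("alice", "finance", "common",   True,  True,  False),
    Event("alice", "finance", "advanced", True,  False, True),
    Event("bob",   "admin",   "common",   False, False, True),
    Event("carol", "admin",   "advanced", True,  False, False),
    Event("dave",  "partner", "advanced", True,  True,  False),
    Event("dave",  "partner", "common",   False, False, True),
    Event("erin",  "finance", "common",   False, False, False),
    Event("frank", "partner", "advanced", True,  False, False),
]


def _safe_div(n, d):
    return n / d if d else 0.0


def is_consistent(events):
    """A credential submission without a click is a logging error."""
    return all(e.clicked or not e.submitted for e in events)


def email_level_click_rate(events):
    """Clicks per email sent: the figure a mail tool reports by default."""
    return _safe_div(sum(e.clicked for e in events), len(events))


def campaign_metrics(events):
    """Click, credential-submission and report rates per distinct employee."""
    if not is_consistent(events):
        raise ValueError("submitted credentials recorded without a click")
    recipients = {e.user for e in events}
    clickers = {e.user for e in events if e.clicked}
    submitters = {e.user for e in events if e.submitted}
    reporters = {e.user for e in events if e.reported}
    n = len(recipients)
    return {
        "recipients": n,
        "click_rate": _safe_div(len(clickers), n),
        "submission_rate": _safe_div(len(submitters), n),
        "report_rate": _safe_div(len(reporters), n),
    }


def metrics_by(events, field):
    """campaign_metrics broken down by an Event field such as 'role' or 'difficulty'."""
    groups = defaultdict(list)
    for e in events:
        groups[getattr(e, field)].append(e)
    return {k: campaign_metrics(v) for k, v in sorted(groups.items())}


def reduction(baseline_rate, current_rate):
    """Percentage-point drop and relative reduction between two campaigns."""
    pp = (baseline_rate - current_rate) * 100
    rel = _safe_div(baseline_rate - current_rate, baseline_rate) * 100
    return round(pp, 1), round(rel, 1)


if __name__ == "__main__":
    print("per-email click rate:", email_level_click_rate(EVENTS))
    print("per-employee metrics:", campaign_metrics(EVENTS))
    print("by role:", metrics_by(EVENTS, "role"))
    print("by difficulty:", metrics_by(EVENTS, "difficulty"))
    print("35% -> 14%:", reduction(0.35, 0.14))
```

On the sample data the per-email click rate is 62.5% but the per-employee rate is 66.7%, and the partner role clicks at 100% while admin and finance click at 50%; quoting one figure without saying which denominator was used is how a baseline of "35%" and "35 employees" end up on the same page.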

Reporting is the Real Victory

The fourfold increase in suspicious email reporting may have been the most important metric. Employees became the organization's front line of defense, reporting suspicious emails before they could be exploited.

Next Steps for the Firm

At the 90-day mark, the firm committed to ongoing security programs:

  • Quarterly Training: Refresher training on emerging threats and new attack tactics
  • Monthly Simulations: Kept a monthly cadence to maintain momentum without over-simulating
  • Dark Web Monitoring: Implemented dark web monitoring to detect if employee credentials were compromised elsewhere
  • Advanced Training: Developed advanced training modules for high-risk roles
  • Incident Response Plan: Documented formal procedures for responding to successful phishing attempts

The firm also implemented technical controls:

  • Multi-factor authentication (MFA) for email and critical systems, preferably phishing-resistant methods such as FIDO2 security keys or passkeys, since one-time codes and push approvals can be relayed by real-time phishing kits
  • Advanced email filtering and anomaly detection
  • Endpoint detection and response (EDR) to identify compromised systems
  • Security awareness reminders in email signatures and team communications

The Business Impact

Six months after the program began, the firm had experienced zero successful phishing compromises. Before the program, they had suffered 2-3 phishing incidents per year, so a clean six months is encouraging, though a short window against that base rate; the simulation and reporting metrics above are the stronger evidence of change.

The cost of the Sonark program was roughly $8,000 for 90 days. A single successful phishing compromise (leading to ransomware, data breach, or wire fraud) costs $50,000-$500,000 in incident response, downtime, and regulatory fines. The ROI was clear.

More importantly, the firm had built a security-conscious culture where employees viewed themselves as partners in defense rather than security as an IT burden.

Takeaways for Canadian SMBs

This case study demonstrates several important principles:

  • Phishing Risk Is Real and Measurable: Baseline simulations reveal your actual vulnerability. Most firms are shocked by the results.
  • Behavior Change is Possible: With proper training, simulations, and reinforcement, you can dramatically reduce phishing susceptibility.
  • Role-Specific Training Works: Generic training fails. Custom training for your industry and roles drives better results.
  • Ongoing Programs Beat One-Time Training: Sustained programs outperform one-time security initiatives; in this case the gains continued through every simulation round rather than peaking after the first training session.
  • Employee Reporting is Crucial: When employees report phishing, you contain threats early. Make reporting easy and safe.

Your Next Steps

If you're running a Canadian SMB, your employees are likely vulnerable to phishing attacks. The first step is measuring your current risk with a baseline phishing assessment.

Ready to reduce your phishing risk? Contact Sonark today to schedule a phishing risk assessment for your organization. Learn more about our phishing and security awareness programs or view our pricing to get started.