Singapore’s First Coordinated Phishing Exercise for Exercise SG Ready Highlights the Need for Businesses to Strengthen Cyber Resilience
The results of Singapore's first coordinated phishing exercise, held as part of Exercise SG Ready (ESR) 2025, were released today, highlighting the need for local businesses to further strengthen their cyber resilience to guard against phishing attacks. The phishing exercise, co-led by Nexus, Ministry of Defence (MINDEF) and the Singapore Business Federation (SBF), involved close to 200 businesses, of which over 80% were small and medium enterprises (SMEs).
Over two weeks from 15 to 28 February 2025, phishing emails of various kinds, such as account and security alerts and internal communications, were sent to over 4,500 employees across five business sectors: Retail, Industrial, Consulting and Services, Environmental-related, and Healthcare and Medical. The exercise tracked recipient responses such as the number who opened the phishing emails, the number who clicked through the phishing links and the number of phishing emails reported.
Key Findings
Some of the key findings in the ESR 2025 Phishing Exercise Report include:
i) More than 30% of the phishing emails were opened, and 17% of the recipients clicked the phishing link, which was 8% higher than the average global phishing rate, suggesting that a significant number of employees may be susceptible to real-world phishing attacks.
ii) Approximately 5% of employees reported the phishing attempt, which is 13% lower than the global industry reporting rate of 18%, underscoring the need for enhanced security awareness and reporting protocols.
iii) The click rates of large companies and SMEs were closely tied, indicating that both large and small companies are equally susceptible to phishing attacks.
iv) Among the different types of phishing emails sent, those on internal communications garnered the highest click rate, suggesting that employees generally were less guarded about the authenticity of emails claiming to originate from within the organisation.
These findings emphasised the need for organisations to review their cybersecurity response plans and readiness plans as well as to identify and mitigate inherent risks.
Need to Increase Cyber Resilience Among Businesses
Mr Kok Ping Soon, Chief Executive of SBF said, “Cybersecurity is a major concern for businesses due to the increasing frequency and sophistication of cyberattacks, which can result in financial losses, reputation damage and legal liabilities. The exercise findings indicate that more can be done to enhance the security awareness of employees, particularly those working in SMEs, to reduce the risk of successful phishing attacks. We urge all businesses to prioritise security training, practise cyber hygiene and encourage a culture of vigilance among employees.”
SLTC Psalm Lew, Director of Community Engagement, Nexus, MINDEF, said, “We are encouraged by the strong participation by businesses in this first run of the coordinated phishing exercise. The results underscore the importance of agencies, businesses, and communities coming together to work on a whole-of-society response to security threats through Total Defence.”
Next Steps
Nexus, MINDEF and SBF will continue to work with local businesses and increase their readiness for disruptions under their Memorandum of Understanding (MOU) on Total Defence for businesses. These include offering ongoing training and conducting follow-up exercises to reinforce best practices.
SBF is working with public and private sector partners to introduce a comprehensive suite of cybersecurity initiatives to help businesses put in place good cybersecurity practices and measures that are commensurate with their cybersecurity risk profile. Aligned with the requirements of the Cyber Essentials Framework, these include programmes to help businesses understand what they need to do to mitigate the impact of a breach and actionable suggestions on how to address identified security vulnerabilities.