76% of Organizations Report Being Victims of Phishing Attacks

According to new research, three in four (76 percent) organizations report being victims of phishing attacks. The findings indicate a 10 percent decrease from 2015. The third annual State of Phish report by Wombat Security analyzed data from tens of millions of simulated phishing emails over 12 months, in addition to 500 survey responses from infosec professionals and 2,000 survey responses from end users in the US and UK. Only 51 percent of respondents stated they felt phishing attacks were increasing overall – a 15 percent decrease from last year’s survey. The report noted it’s not likely that cybercriminals are diminishing their attacks but rather, an indication that they are “diversifying their tactics now that end users are becoming more savvy.”

“While attacks seem to be slowing, that does not mean that organizations should not continue to be vigilant in training their end users about security threats,” read the report. “The key is continuous training and reinforcement to keep security top of mind every day.”

For those that had fallen victim to such attacks, the majority (38 percent) cited a disruption of employee activity as a result. A separate report by the Ponemon Institute found lost employee productivity as the largest cost associated with phishing – an estimated $1.8M for a 10,000-person company. Source: Wombat Security, State of Phish 2017 Based on the results from its simulated phishing messages, Wombat Security revealed that end users are more likely to click on emails that they would expect to find in their work email boxes, and less likely to click on something consumer-related. Among the most popular attack templates were emails requesting a password update with a 24 percent average failure rate; a corporate e-fax (20 percent); a shipping notification (19 percent); an email password change (18 percent); and an email quota alert (18 percent). Fortunately, the report adds that there has been a significant increase in organizations investing in security training and awareness programs to help educate end users how to identify and avoid phishing attacks. For more key findings, read the full 2017 State of Phish report here.