Phishing attacks continue to threaten organizations’ digital security in droves. Kaspersky Lab prevented 46,557,343 phishing attempts in the second quarter of 2017 alone. Overall, close to one in ten (8.26%) of Kaspersky users encountered a phishing attack that quarter.
Recognizing the prevalence of phishing, it’s useful to examine the granular details of this attack method. Doing so can help organizations better train their employees and safeguard their sensitive data. Towards those ends, we turn to Wombat Security’s State of the Phish™ Report.
Now in its fourth year, the State of the Phish™ Report 2018 synthesizes many data sets. First, it reflects the simulated phishing campaign data collected between 1 October 2016 and 30 September 2017 from thousands of companies spread across 16 industries. Second, it draws upon more than 10,000 information security professionals’ responses to quarterly surveys about their organizations’ experiences with phishing. Finally, it incorporates a third-party phishing awareness study of more than 3,000 users in the United States, United Kingdom, and Germany.
Here are some of the major findings from State of the Phish™ Report 2018.
Findings and Factors
In Wombat Security’s latest report, 76% of information security professionals revealed that their organization experienced phishing attacks in 2017, a percentage which held steady from 2016. Those campaigns consisted of different phishing variations. For instance, forty-five percent of quarterly survey respondents reported vishing and smishing offensives during the year, representing a slight increase over the previous year. Additionally, the number of infosec professionals whose organizations weathered a USB-based social engineering attack declined by a quarter from 2016 to three percent. Finally, more than half (53%) of respondents witnessed spear phishing attacks in 2017, as compared to the 66% of professionals who did so in 2016.
Organizations saw an average click rate of 9% across all simulated attacks, including those that leveraged consumer, corporate, commercial, and cloud attack email templates. Notwithstanding that relatively low average, some templates saw much higher failure rates. Templates that leveraged online shopping security updates saw a click rate of eighty-six percent; those based on corporate email improvements registered an even higher rate of 89%.
As we all know, bad actors commonly use phishing as a platform to conduct secondary attacks. 49% of those companies unlucky enough to suffer a successful phish saw attackers follow up with a malware infection. Organizations also detected compromised accounts and loss of data at 38% and 13%, respectively. Less than a third of businesses saw additional consequences such as loss of time and money.
Wombat Security found that most organizations today (64%) measure the cost of phishing in terms of diminished employee productivity. Exactly half gauge business impacts through loss of proprietary information, followed by damage to reputation (45%). But organizations aren’t taking those costs sitting down. All but three percent of organizations use email/spam filters, with others drawing upon advanced malware analysis (47%), outbound proxy protection (44%), and URL wrapping (31%). The share of organizations that train employees on phishing attacks has also increased from 92% in 2016 to 95% in 2017. Seventy-nine percent of those companies leverage computer-based awareness training. Three-quarters of organizations use that form of training along with other methods like monthly notifications/newsletters and in-person awareness training on either a monthly or quarterly basis.
That being said, organizations do not experience phishing attacks the same way. Multiple factors shape these engagements. For instance, the maturity of a security awareness program can decrease employees’ average click rates; Wombat Security’s researchers detected a 30% improvement in click rates between a program’s first and second year. They also found that end users are more likely to report potential phishing messages on some days over others. Specifically, the greatest percentage of suspicious emails (22%) were reported on Wednesday, whereas Saturday saw the lowest percentage of potential phishing reports at just one percent.
An International Perspective
Wombat Security’s State of the Phish™ Report 2018 showed that experience and awareness of phishing tend to vary depending on an organization’s country of origin. To illustrate, while fifty-seven percent of U.S. companies experienced a phishing attack, just over a third (36%) of UK businesses weathered a phish. Similarly, 14% of U.S. organizations experienced data loss as a result of phishing, whereas just one in twenty UK companies did.
Amy Baker, VP of Marketing at Wombat Security, notes there are even more differences between U.S. and UK companies:
We also saw some differences in the ways U.S. and UK organizations approach security awareness training. We found U.S. organizations opting for more interactive and more frequent training activities than their UK counterparts, and U.S. organizations were also more than twice as likely to realize quantifiable results from their training efforts.
Indeed, greater percentages of U.S. organizations opted for computer-based online awareness training (88%) and simulated phishing attacks (79%) than did their UK counterparts at 58% and 45%, respectively. Approximately two-fifths of American companies use those types of tools on a monthly basis, while just fifteen percent of UK firms do so. Even so, about the same percentages of companies in both regions implement those training methods quarterly (40% of U.S. organizations and 44% of UK organizations) or biweekly (5% of U.S. organizations and 6% of UK organizations).
At the same time, a third-party survey of more than 3,000 end users in the United States, United Kingdom, and Germany revealed that awareness of phishing and related digital threats isn’t all that it could be. For instance, when asked “what is phishing,” less than three-quarters of respondents in each of the three nations got it right. Just 61% of millennials knew what phishing is, as compared to 77% of users aged 55 and older.
Users’ awareness of ransomware is even worse. Alan Levine, security advisor to Wombat Security, elaborates on this finding:
The report confirmed that understanding of ransomware among working-age adults is still lacking despite the big attacks that took place last year – only 55% of UK technology users and 46% of US technology users could correctly define what ransomware was in 2017. German respondents fared even worse, with only 31% of the adults surveyed correctly identifying this threat in a multiple-choice query. These statistics should trouble us all because they indicate that, if users encounter ransomware, they are unlikely to know how to properly react, which could potentially put organizations at a far greater risk than if an attack was handled properly.
Those rates were still better than smishing awareness, however. Just 16% of all survey respondents knew what SMS/text-based phishing is.
2018: An Opportunity to Improve
Above all else, Wombat Security’s State of the Phish™ Report 2018 highlights ways by which both organizations and users can improve their defenses against phishing. The former should consider investing (more) in the tools and employee training methods discussed above. At the same time, users should work to deepen their security awareness by familiarizing themselves with some of the most common types of phishing attacks.