The Proofpoint 2019 State of the Phish Report has revealed that while phishing is still used to infect users with malware, 70% of phishing attacks are concerned with obtaining credentials.
In the past 12 months there has been a major increase in phishing attacks. When the report was last produced, in 2017, 38% of InfoSec professionals reported having experienced at least one account compromise as a result of a phishing attack in the past 12 months. This year, 65% of InfoSec professionals had experienced compromised accounts from phishing attacks in the past year.
The 2019 State of the Phish Report suggests credential phishing attacks tripled between the 2nd and 3rd quarters of 2018. Malware attacks through phishing emails remained constant between 2017 and 2018 and have been experienced by 49% of InfoSec professionals.
The increase in credential phishing attacks is a worrying trend. The report authors explain that in many cases, multiple services are accessible with a single compromised password. Attacks on organizations can therefore have severe ramifications.
To compile the report, Proofpoint surveyed more than 15,000 InfoSec professionals from companies around the globe. The company also analyzed the data from millions of phishing simulation emails sent through the Wombat Security platform.
The report shows that 83% of survey respondents have been targeted with phishing attacks in the past year, up from 73% in 2017. 96% of respondents said the rate of phishing attacks had either stayed the same or increased in the past 12 months.
The 2019 State of the Phish Report indicates 69% of phishing attacks include a hyperlink in the email that directs users to a web page where they must enter their login credentials. 17% of phishing emails use direct data entry forms and just 14% now use malicious email attachments.
The most successful lures were email password change requests, toll violation notifications, updated building evacuation plans, and invoice and payment requests.
The entertainment sector fared worst with a 16% response rate to phishing email simulations. In healthcare, an often-targeted industry sector, the response rate was 8%, although 16% of phishing emails were opened.
95% of surveyed InfoSec professionals said employees had been provided with security awareness training and were taught how to identify phishing emails. The majority of InfoSec professionals had other controls in place to prevent phishing attacks, such as spam filters and threat monitoring platforms.
While there has been a major rise in phishing attacks since 2017, all forms of attack have increased since last year.