Phishing is the most common method of attacking organizations and it continues to cause problems for IT departments and considerable losses for organizations. A new report from Proofpoint has revealed the extent of phishing and how often the attacks succeed.
The data for the report came from a survey of more than 3,500 working adults and 600 cybersecurity professionals in Australia, France, Germany, Japan, Spain, the United States, and the United Kingdom, more than 50 million phishing simulation emails, and over 9 million suspicious and malicious emails reported by Proofpoint customers.
Approximately 60% of cybersecurity professionals who took part in the survey said phishing attacks had either declined or were occurring at the same level as in 2018. This does not mean peak phish has been reached; it shows that phishing tactics have changed. Instead of sending huge volumes of phishing emails randomly, attackers are opting for much more targeted attacks. These spear phishing attacks target far smaller numbers of individuals, and the personalization of the emails increases the probability of success.
88% of organizations said they faced spear phishing attacks in 2019, with 37% experiencing between 11 and 50 attacks in the past 12 months. 55% of organizations said they were the victim of at least one successful phishing attack in 2019.
The FBI reports that business email compromise scams are the main cause of losses due to cybercrime. Figures released in September show that total worldwide losses to BEC attacks in the past 3 years have reached $26 billion. 86% of respondents to the Proofpoint survey said their organization faced at least one BEC attack in the past 12 months.
Phishing is primarily conducted via email, but other forms pose a significant threat. 84% of organizations said they faced phishing attacks via text (SMiShing) and 83% said attempts were made at voice phishing over the telephone (Vishing). 86% said they experienced social engineering attacks via social media and 81% said they faced USB-based attacks in the past 12 months.
Ransomware attacks are often headline news due to the massive ransom demands issued by some of the more advanced threat actors who target large enterprises, but there has been a general reduction in email-based infections. Survey respondents did, however, report an increase in phishing-related infections, such as ransomware being downloaded by other malware that arrived via email. The Emotet Trojan is one of the most common email-based malware variants that downloads ransomware.
Proofpoint reports that 33% of organizations were attacked with ransomware in 2019 and paid the ransom and 32% did not pay the ransom after an attack. Out of those that did pay the ransom, 69% regained access to their data, 7% received additional ransom demands, and 22% paid and did not regain access to their data.
Layered security is essential for protecting against phishing and malware attacks, but technical defenses alone are not sufficient. It is important to also take steps to tackle the human element of phishing and email- and web-based malware and ransomware attacks. Security awareness training for all individuals is vital.
95% of organizations said they provided phishing awareness training, and the frequency of training is increasing. Only 6% of organizations that provide training do so just once a year. 23% provide training twice a month, 38% conduct training monthly, and 23% provide it quarterly. There is certainly room for improvement, as 37% of organizations provide an hour or less of training each year.
78% of organizations that provided security awareness training said it resulted in a measurable reduction in phishing susceptibility. There was also a 67% increase in reported phishing emails compared to 2018, which shows that the training is effective and that employees are getting better at identifying phishing emails.