Cofense Explores the State of Phishing Defenses in 2018

The anti-phishing solution provider Cofense has released its 2018 State of Phishing Defense report. The report provides insights into the most common phishing emails being used by cybercriminals and the message subjects that are most effective at fooling employees into clicking and revealing sensitive information. The report also breaks down phishing attacks by industry sector and shows which industries are most susceptible to phishing attacks.

In addition to explaining the most effective phishing emails, Cofense also offers anti-phishing tips and suggests best practices that should be adopted to make phishing simulation exercises and security awareness training more effective.

To compile the report, Cofense analyzed the responses to 135 million phishing email simulations from campaigns conducted by its customers. The firm used a sample of 1,400 clients for its analysis. Those firms were spread across 23 industries from more than 50 countries.

Cofense also analyzed more than 800,000 suspicious emails that were reported by employees via Cofense Reporter and approximately 48,000 real-world phishing campaigns, with data on the latter collected through the Cofense Intelligence service. The study used phishing data collected between July 2017 and June 2018.

2018 Phishing Statistics

  • Phishing is the number one cyber-attack vector
  • 91% of all data breaches start with a phishing email
  • 92% of all malware is delivered via email
  • On average, each email user receives 16 malicious emails in their inbox every month
  • 1 in 10 reported emails are malicious
  • 21% of malicious emails contain attachments (malware or links hidden in attachments)
  • Business email compromise emails are rarely detected and reported
  • More than 50% of reported emails are related to credential theft
  • The most common credential phishing emails attempt to obtain Office 365 logins

What are the Most Effective Phishing Emails?

Cofense compiled a top ten list of phishing emails, which is based on the most successful phishing campaigns of 2018. Six of the top ten phishing campaigns used “invoice” as the subject line, with a further campaign using “customer invoice”. Invoice emails accounted for five of the top six phishing campaigns of 2018. “Payment remittance” was used in the second most successful phishing campaign of 2018. “Statement” and “Payment” completed the top 10.

The top three reported phishing email subjects varied by industry sector, although “invoice” emails were the most commonly reported in all industries apart from healthcare, where “payment notification” was most common. Emails claiming there is a new message in a mailbox or a new fax message were also common, as were payment notifications. These common phishing subjects are what businesses should concentrate on when training employees along with training on other active threats.

While it is common for anti-phishing and security awareness training to be provided annually, this is no longer enough. Cofense suggests that training should be conducted far more regularly – at least every quarter. While many businesses punish employees for failing to identify malicious emails, it is far more effective to concentrate on providing further training to those employees and doing more to encourage employees to report potential email threats.

What is clear from Cofense's research is that training and phishing simulations are effective at reducing susceptibility to phishing attacks. The more training that is provided, and the more practice employees have at identifying phishing emails (through simulations), the more resilient organizations will be to phishing attacks.

You can download the Cofense 2018 State of Phishing Defense Report here.

Author: NetSec Editor