The 2018 State of the Phish Report from Wombat Security Technologies confirms the threat from phishing is at an all-time high. Fortunately, employees do appear to be getting better at recognizing phishing emails.
The data for the latest State of the Phish Report comes from an analysis of millions of phishing email simulations using the Wombat platform, along with quarterly surveys on more than 10,000 information security professionals and a third-party survey of more than 3,000 technology users in the United States, UK, and Germany.
Threat from Phishing the Same or Greater than 2016
76% of surveyed information security professionals reported experiencing at least one phishing attack in the past 12 months, broadly comparable with the figures from last year's report. Almost half of surveyed individuals (48%) thought the threat from phishing was greater in 2017 and that there had been an increase in phishing attacks last year. 48% of respondents said the rate of phishing in the past 12 months was broadly the same as the previous year.
While phishing has remained at similar levels as 2016, or has slightly increased, there appears to have been a reduction in spear phishing attacks. 53% of infosec professionals said they had experienced spear phishing attacks in the past 12 months – a reduction from last year. However, out of those organizations that were attacked, the frequency of attacks had increased. 67% experienced between 1 and 5 attacks, 21% experienced between 6 and 15 attacks, and 12% had more than 16 attacks.
Employees are Getting Better at Recognizing Phishing Attempts
The report shows employees are getting better at recognizing phishing attempts. The Wombat report shows there has been a reduction in click rates in all four categories of phishing email simulations – consumer, corporate, commercial, and cloud. Clicks on cloud-based phishing emails had the greatest reduction, falling from 19% in 2016 to 6% last year. Click rates for corporate phishing simulations dropped from 15% to 10%, commercial click rates fell from 15% to 12%, and click-throughs on consumer-focused simulations fell from 10% to 9%.
Some of the most successful phishing scams were online shopping security updates, corporate voicemail messages from unknown callers, and phishing emails claiming to be corporate email improvements. In these categories, the success rates were between 86% and 89%. The highest click-through rates on phishing simulations were for emails about database password resets and updated building evacuation plans, which had click-through rates of almost 100%. These alarmingly high success rates are a major concern.
The worst performing industry was telecommunications with an average 15% click rate, followed by retail (14%), and consumer goods, government, and hospitality at 13%. Technology performed worst on commercial phishing scams with click rates of 31%. Consumer goods was worst for corporate phishing scams with a 19% click rate, and telecommunications was worst on consumer phishing scams with a click rate of 22%.
Fallout from Attacks was Worse in 2017
Employees may be better at recognizing phishing attempts, which is just as well, as the severity of attacks has increased year on year. Last year, only 27% of surveyed users said they had experienced a phishing-related malware infection. This year the percentage had increased to 49%. Compromised accounts increased from 17% in 2016 to 38% in 2017, and loss of data was up from 7% in 2016 to 13% in 2017.
The biggest costs of phishing attacks were loss of productivity (64%), loss of proprietary information (50%), and damage to reputation (45%).
In response to the threat from phishing, businesses have improved their phishing defenses. 95% train their employees in how to avoid phishing attacks (up from 86% in 2014), and susceptibility to phishing is now tested by 76% of firms (up from 61% in 2014). It should be noted that unless susceptibility to phishing attacks is tested, firms will not know how effective their training has been.
The training methods used are CBT (79%), phishing simulations (68%), awareness campaigns (46%), in-person security training (45%), and monthly newsletters and notifications (38%).
The technologies used to prevent phishing were email and spam filters (97%), advanced malware analysis (47%), outbound proxy protection (44%), and URL wrapping (31%).