Wombat Security Technologies has released its third annual State of the Phish Report. The report details the phishing trends from the past 12 months.
To produce the report, Wombat surveyed more than 500 information security professionals, obtained more than 2,000 answers from employed computer users and analysed the results from millions of phishing simulations sent using the firm’s ThreatSim® service.
The report shows the threat from phishing has increased once again. 51% of information security professionals said phishing attacks had increased in the past 12 months, and 76% said they had been victims of at least one phishing attack in the past year, a higher percentage than in last year’s survey. 61% said they had received spear phishing emails in the past year.
More organizations are now measuring end user risk. This year, 64% of organizations said they are measuring the risk of phishing, a significant increase from last year.
The main impact of phishing attacks was a disruption of employee activity and loss of productivity. The report cites a recent Ponemon Institute report that shows the loss of productivity as a result of phishing costs approximately $1.8 million a year for an organization with 10,000 employees.
The report shows that while more companies are conducting security awareness training, only 65% of employed computer users were able to answer the question ‘What is phishing?’ correctly. Knowledge of ransomware is poor, even though ransomware attacks have been widely reported in the media over the past year. 52% of employed computer users were not even able to make a guess as to what ransomware is.
As Wombat points out in the report, if end users do not know what phishing and ransomware are, they are unlikely to be employing best practices that prevent attacks or reduce risk.
Wombat says the most frequently failed simulated phishing attack has the subject line “Message from Administrator” – failed by 34% of users. The email asks employees to click on a link if they did not sign up for a new account.
There have been notable improvements in click rates over the past 12 months, showing security awareness training is effective. The professional services industry registered a 47% improvement in click rates, followed by technology at 32%, energy at 27%, telecoms at 26% and finance at 19%.
Organizations are also improving their technology to prevent attacks, the most common being email spam filters (94% of organizations), advanced malware analysis (63%) and outbound proxy protection (48%).
However, patching is patchy. Wombat says Adobe PDF is out of date 31% of the time, Microsoft Silverlight is out of date 19% of the time and Adobe Flash is out of date 12% of the time, although these figures are improvements on last year.