Wombat Security Technologies has released its 2018 State of the Phish Report – an analysis of data from tens of millions of simulated phishing attacks conducted through its Security Education Platform over the past 12 months. The report also provides insights on the current state of phishing from quarterly surveys sent to its customers, highlighting the frequency of phishing attacks on organizations, the impact those attacks are having, and the steps being taken to reduce risk.
The State of Phishing in 2017
Phishing attacks are pervasive – They are a threat across all industry sectors. The Wombat quarterly surveys show that 76% of businesses experienced a phishing attempt in 2017, similar to the percentage of companies that experienced phishing attacks in 2016.
Email is the main attack vector, but there has been an increase in phishing using other vectors, such as text messaging platforms/SMS (smishing) and the telephone (vishing). 45% of respondents to the survey said they had experienced either a vishing or smishing attack in the past 12 months, a 2% increase from 2016.
When asked how 2017 compared to 2016, 48% of respondents said phishing attacks had increased and 48% said the rate of phishing attacks had remained constant. Only 4% believed the rate of phishing attacks had declined.
Fewer companies experienced spear phishing attacks, such as business email compromise attacks, in 2017. 53% of companies reported experiencing these attacks, a 16% fall from 2016. However, many companies have been extensively targeted and have experienced a high number of spear phishing attacks: 67% experienced between 1 and 5 attacks and 21% experienced between 6 and 15 attacks in 2017.
What Types of Phishing Emails Are Proving Effective?
The analysis of responses to simulated phishing emails through Wombat Security’s Security Education Platform has shown that average click rates have fallen year-over-year in all four categories of phishing emails: consumer, corporate, commercial, and cloud.
Consumer-based phishing emails include lures such as frozen accounts, gift card notifications, photo tagging notifications and bonus miles. Corporate emails include HR documents, benefits enrollment messages, invoices and full mailbox notifications. Commercial phishing emails are business-related but not organization-specific, such as shipping confirmations and wire transfer requests. Cloud emails include messages such as links to online file-sharing services and cloud storage services.
The types of emails most commonly clicked by employees in 2017 were in the commercial category, which had an average click rate of 12%. This was followed by corporate emails with an average click rate of 10%, consumer-based phishing emails with an average click rate of 9%, and cloud-based phishing emails with an average click rate of 6%. In 2017, businesses concentrated on using consumer and corporate phishing templates for their campaigns, but the high click rates on commercial-style phishing tests show that the use of these types of phishing tests should be increased.
The most commonly clicked messages, with a failure rate of almost 100%, were database password reset alerts and updated building evacuation plans. Emails about corporate email improvements had a failure rate of 89% and messages related to online shopping, security updates, and corporate voicemails from an unknown caller had a failure rate of 86%.
Patching of Browsers and Plug-Ins Needs to Improve
When end users fall for a phishing simulation, the Wombat platform fingerprints the user’s browser and plug-ins and checks their software versions. Since phishing is often combined with exploits of browser vulnerabilities, it is important to ensure that all plug-ins are promptly patched. However, Wombat’s fingerprinting showed that Adobe PDF was out of date 22% of the time, Adobe Flash was out of date 21% of the time, Java was outdated 12% of the time, and Silverlight was outdated 9% of the time.
Impact of Phishing on Businesses
Security awareness training and phishing simulations help employees to recognize and report phishing threats, and their importance cannot be overstated. Successful phishing attacks can prove incredibly costly for businesses. When asked about the consequences of successful phishing attacks, 49% of respondents said responses to phishing emails had resulted in malware infections, 38% said they had resulted in accounts being compromised, and 13% said they had lost data as a result of successful phishing attacks. 30% of respondents said they had experienced other harm, such as lost time and money and business disruption.
Tactics Used to Reduce Susceptibility to Phishing
Most businesses (97%) use email filtering solutions to reduce the volume of malicious messages that are delivered to end users’ inboxes. 47% have deployed advanced malware analysis tools, 44% use outbound proxy protection, and 31% use URL wrapping.
76% of businesses are now measuring their susceptibility to phishing attacks, compared to 66% in 2016. There has also been an increase in the number of companies that are training end users to identify phishing attacks. In 2016, 92% of firms provided anti-phishing training to employees. In 2017 the figure rose to 95%. 54% of businesses said that they have been able to show that susceptibility to phishing attacks has been reduced as a result of their training efforts.
The most commonly used training tools were CBT courses (79%), phishing simulation exercises (68%), videos and poster campaigns (46%), in-person security awareness training (45%), and newsletters and monthly notifications (38%). Businesses are realizing that annual training is no longer sufficient. 40% of firms now provide quarterly training, 35% provide training monthly, and 5% conduct training biweekly. 19% only provide training annually.
As anti-phishing training programs mature, click rates fall. There was an average reduction in click rates of 30% between year one and year two of running an anti-phishing training program.
69% of firms now assess the risk each employee poses to the organization, with multiple phishing simulation failures most commonly resulting in counselling from a manager (74%), removal of access to systems (25%), termination (11%), or a monetary penalty (5%). 30% of firms take other actions such as providing additional training, one-on-one training sessions, or counselling from the IT department.
Phishing Susceptibility by Industry
There were significant differences in average response rates to phishing email simulations across industry sectors. Overall, the telecommunications industry fared worst with average click rates of 15%, closely followed by the retail industry at 14%, consumer goods, government, and hospitality at 13%, and entertainment and technology at 12%. The defense industrial base fared best with click rates of just 3%.
Technology companies performed worst on commercial-based phishing simulations with an average response rate of 31%, followed by government (22%) and entertainment (21%).
Consumer goods companies fared worst on corporate-based phishing simulations with an average response rate of 19%, followed by technology (15%), government (14%), and entertainment (13%).
Consumer phishing email click rates were highest in the telecommunications industry (22%), followed by consumer goods (12%), retail (11%), and healthcare and technology firms (10%).