Phishing Attacks Down 10 Percent in 2016

• By Joshua Bolkan
• 01/19/17

Information security professionals are 10 percent less likely to report that their organization was the victim of a phishing attack in 2016 than in 2015, though that still means three-quarters of organizations were targeted and half of that same group said phishing attacks are on the rise, according to the latest State of the Phish report from Wombat Security Technologies.

The report found a 64 percent increase in the number of organizations measuring the risk posed by end users. The company also reported that it had examined more simulated phishing e-mails than in the previous year and found that click rates are improving for many industries and for organizations with mature programs.

"Our survey of the general public revealed that more people are aware of the concept of phishing than most of us probably thought," according to the report. "However, these same people struggled to identify what ransomware is. These end users also showed that they put their organizations at risk by doing things like checking personal e-mail on their work devices. Overall, this survey points to the fact that there is work to be done to teach people how to stay safe."

The report is based on "tens of millions of simulated phishing e-mails sent over a 12-month period," according to information released by Wombat, plus more than 500 survey responses from security professionals around the world representing more than 16 industries, as well as a survey of more than 1,000 end users worldwide.

Other key findings of the report include:

• Users in the education industry were more likely to fall for phishing e-mails that appeared to be corporate communications, clicking through on these phishing attempts at a 30 percent rate — double the general population average of 15 percent;
• In the United States, 65 percent of survey respondents correctly answered the question, "What is phishing?" In the United Kingdom, 72 percent of respondents answered correctly;
• 44 percent of infosec professionals surveyed said their organization was the target of a phishing attack via phone call or SMS message, a decrease of 20 percent compared to 2015;
• 38 percent of respondents said phishing had caused a disruption to employee activities and 27 percent said phishing had led to a malware infection;
• 41 percent of respondents said they measure the cost of phishing through loss of proprietary information and 35 percent said they measure the loss of employee productivity;
• Only 34 percent of end users surveyed in the US correctly answered the question, "What is ransomware?" UK respondents did only slightly better at 38 percent;
• Among security professionals surveyed, 34 percent said their organization had been attacked with ransomware and 2 percent of those who said they were attacked told researchers they had paid the ransom;
• 61 percent of respondents said their organization had been attacked via spear phishing, or a phishing attack targeted to a specific individual, a decrease of 10 percent compared to 2015;
• In the US, 50 percent of end users surveyed said they check personal e-mail on their work computer and 49 percent said they check work e-mail on their mobile phone;
• E-mail and spam filters are the most commonly reported phishing protection, at 94 percent, a decrease of 5 percent from 2016;
• Advanced malware analysis came in second at 63 percent, an increase of 26 percent compared to 2015; and
• Cloud e-mails, such as those asking end users to download documents or using a file-sharing service, had the highest click-through rate at 19 percent. Consumer e-mails had the lowest rate at 10 percent.

The full report can be found at info.wombatsecurity.com.