2019 State of the Phish: Attack Rates Rise, Account Compromise Soars

We’re excited to announce the launch of our fifth annual State of the Phish Report, which offers insights into three key components of the phishing threat landscape: end-user understanding of fundamental cybersecurity concepts; an infosec view of social engineering attacks and impacts; and how security awareness training can be used to better manage end-user risk.

This year’s report draws data from three primary sources:

• A five-question third-party survey of more than 7,000 working adults across seven countries (the U.S., Australia, France, Germany, Italy, Japan, and the UK). Questions were designed to show how well end users understand commonly used cybersecurity terms like phishing, ransomware, and vishing.
• Nearly 15,000 responses to quarterly surveys sent to our database of infosec professionals (customers and non-customers alike) throughout 2018.
• Data from tens of millions of simulated phishing attacks our customers sent to their end users over a one-year period (October 2017 through September 2018).

Below, we highlight three key findings from this year’s report.

Key Finding #1: Social Engineering Attacks Increased across the Board

Overall, 83% of global infosecurity respondents experienced phishing attacks in 2018, an increase from 76% in 2017. However, this attack method wasn’t the only one that saw greater use last year; our survey respondents reported a higher frequency of all types of social engineering attacks year over year:

Source: 2019 State of the Phish Report

And before you write off USB drops as an attack method, it’s worth a look at recent research detailing 29 different ways USB devices could be used to compromise devices within your organization. It’s important to consider that end users are likely to be trusting of found devices like these (particularly if you haven’t educated them to the contrary). The rise (moderate though it may be) in organizations that experienced these attacks shows cybercriminals’ tenacity and desire to utilize all possible channels to exploit end-user behaviors.

Key Finding #2: Credential Compromise Has Soared Since 2016

Each year, we ask infosec professionals about the impacts they are experiencing related to phishing attacks. This year, we saw an interesting trend: Compromised accounts bypassed malware infections as the most commonly identified impact of successful phishing attacks.

In 2018, reports of credential compromise rose 70% over 2017, and they’ve soared 280% since 2016. The responses from the infosec audience reinforce the rise in credential-based phishing that Proofpoint researchers noted in its mid-2018 Protecting People report.  

Source: 2019 State of the Phish Report

Interestingly, we saw few organizations using data entry-style simulated phishing attacks, which mimic credential phishing by prompting users to submit login names, passwords, or other sensitive data. We highly recommend that infosec teams use these kinds of phishing tests to increase their defenses against credential compromise attacks — a worthy pursuit given that a single set of corporate credentials often provides access to multiple sources of sensitive content.

Key Finding #3: Baby Boomers Outperform All Others in Recognition of Phishing and Ransomware Terminology

We think it’s critical for infosec teams to realize that, at a fundamental level, many working adults still aren’t familiar with terms like phishing and ransomware — and that assumptions of familiarity could be negatively impacting security awareness training initiatives.

But we also wanted to illustrate the differences that exist at a generational level, particularly with millennials, who are playing such a significant role in today’s global workforce. Often, the perception is that these “digital natives” have a level of cyber-savvy that leaves them more aware of digital risks and, as such, more likely to understand cybersecurity best practices.

Unfortunately, it’s clear that a high level of cyber comfort does not translate into a solid sense of cybersecurity fundamentals. In fact, millennials fell significantly behind at least one other age group on all questions we asked, and baby boomers — arguably the least cyber-savvy demographic from our survey — outperformed all others in fundamental understanding of phishing and ransomware.

Source: 2019 State of the Phish Report

Download the Report for Additional Insights into the State of Phishing

“Email is the top cyberattack vector, and today’s cybercriminals are persistently targeting high-value individuals who have privileged access or handle sensitive data within an organization,” said Joe Ferrara, general manager of Security Awareness Training for Proofpoint. “As these threats grow in scope and sophistication, it is critical that organizations prioritize security awareness training to educate employees about cybersecurity best practices and establish a people-centric security strategy to defend against threat actors’ unwavering focus on compromising end users.”

Download your copy of the 2019 State of the Phish Report for a full look at the results of our global surveys (including regional data comparisons); how users across 16 industries are performing on simulated phishing tests; and the ways organizations can use threat intelligence and their security awareness training data to identify weak spots in security postures and address the users and departments that are putting them at risk.