New State of the Phish Report Shows Positive Trends, But End-User Risk Remains

Share with your network!


We're excited to announce the release of the 2017 State of the Phish Report, our third-annual look at how end users are recognizing and responding to phishing attacks, and what infosec professionals are doing to mitigate the risks associated with this perennial threat.

The report compiles data from three sources:

  • Tens of millions of simulated phishing attacks sent through our platform over a 12-month period (October 2015 through September 2016)
  • More than 500 answers to a survey of infosec professionals across more than 16 industries
  • More than 2,000 answers from an independent survey of 1,000 U.S. and 1,000 UK end users

Following are several highlights from the report. You can download a full copy of the 2017 State of the Phish on our website.

The Volume of Phishing Attacks Appears to be Decreasing

Based on year-over-year comparisons, the infosec professionals we surveyed indicated that the volume of phishing attacks seems to be on the decline. This reported trend coincides with data from the Anti-Phishing Working Group’s Phishing Trends Report, 3rd Quarter 2016, which was compiled during the same general time frame that we conducted our survey.

Here is a sample of what infosec professionals told us they experienced in 2016:

  • 76% reported their organization had been victimized by a phishing attack (down 10% from 2015).
  • Fewer respondents said the rate of phishing attacks is increasing (51% in 2016 vs. 60% in 2015), and 45% said the rate of attacks is decreasing.
  • Nearly 10% fewer infosec professionals said they experienced a spear phishing attack (61% in 2016 vs. 85% in 2015).


Users Are More Alert to Suspicious Messages in the Morning

When we compiled the data related to our PhishAlarm® email reporting tool, we found that end users are most likely to report suspicious messages during the early hours of the work day. On a related note, more messages were reported on Tuesdays, Wednesdays, and Thursdays, with Thursday logging the most PhishAlarm clicks at 22%.

More Organizations Are Measuring Phishing Risk and Impact

We’ve long extolled the values of measurement and analysis when it comes to gauging cybersecurity risks. Though there is more to managing a successful security awareness training program than tracking numbers, the ability to establish a baseline and evaluate progress over time provides clear benefits on multiple levels (strategic program planning, reporting to stakeholders, etc.).

In this year’s survey, we were pleased to see that more and more infosec professionals are embracing the idea of tracking and managing end-user risk, as well as measuring the overall impact of phishing on their businesses:

  • 72% of respondents said that they assess the risk each end user poses to their organizations — a dramatic 64% increase from our 2015 survey.
  • The top way infosec professionals determine end-user risk is by evaluating security awareness and training performance (48%).
  • At 38%, “disruption of employee activities” was the most commonly cited negative impact of phishing attacks.
  • Infosec professionals measure the cost of phishing incidents in multiple ways, including the following:
    • Business impact from lost IP (41%)
    • Loss of employee productivity (35%)
    • Damage to reputation (8%)