Proofpoint’s new 2020 “State of the Phish,” report is a comprehensive look at global cybersecurity and phishing attacks. The cybersecurity company’s latest study reveals over half of all organizations were victim to at least one successful phishing attack in 2019.
The new report takes data from Proofpoint’s near 50 million simulated phishing attacks as well as survey responses from over 600 IT security professionals. It also looked at the cybersecurity knowledge of over 3,500 employees in the UK, France, Germany, Spain, the US, Australia and Japan.
As well as finding 55% of companies had to remediate at least one successful attack, cybersecurity professionals are reporting increasing social engineering attacks, according to an Infosecurity report on the study.
In addition, 88% of global organizations report spear phishing attacks and 86% social media attacks. Figures that indicate no business is safe from the threat of cybercrime. A further 84% of organizations reported “smishing” attacks, which is phishing via SMS text message. Worryingly 83% said they had also experienced voice phishing attacks, dubbed “vishing.”
A further figure of concern is that 81% of companies included in the study had experienced and seen problems caused by malicious USB drops.
– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series
The good news is that security awareness training works
Proofpoint did also discover in its research that empowering individuals and employees to identify and disarm phishing emails and cyberattacks works. As many as 78% of companies included in the study’s survey report that security awareness training activities led to quantifiable reductions in phishing attack vulnerability.
Joe Ferrara, senior vice president and general manager of security awareness training for Proofpoint, says, “effective security awareness training must focus on the issues and behaviors that matter most to an organization’s mission.” He adds:
“We recommend taking a people-centric approach to cybersecurity by blending organization-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognize and report attacks.”
Not only did Proofpoint find that the volume of phishing attacks is on the increase, but the attacks are becoming more sophisticated. The study found there had been more than nine million suspected phishing emails received by end users in 2019. This is an increase of 67% on comparable data from 2018.
2019’s phishing emails were also more targeted and personalized, denoting a trend towards the use of social engineering in cyberattacks.
An awareness of social engineering attacks
Not only do all employees, no matter the size of an organization, need to be security aware but they now need to understand they are at risk of social engineering attacks too.
These phishing attacks often use targeted personal data to trick an email recipient into believing they are looking at a genuine email. They are much more difficult for the average individual to spot. And, there are still many individuals and employees who will still automatically trust an email which contains their personal details.
Social engineering attacks are both fuelled by cybercriminals doing their own research but also obtaining information from data breaches that can be easily bought on the dark net.
A recent survey by GetApp revealed that only 27% of companies are providing social engineering awareness training. GetApp says:
“That means nearly 75 percent of businesses could be leaving their employees to fend for themselves against masters of manipulation. Companies must train employees on how to recognise social engineering techniques that are designed to exploit human nature for access to sensitive company data.”
Worryingly GetApp found that 8% of the employees in its survey had received no cybersecurity training at all.
Social engineering and comprehensive security awareness training
It’s been said before, but we really cannot reiterate it enough. Employees really are the last line of defence against phishing and cyberattacks. They are often also the first line of defence. Last year, in Proofpoint’s “Annual Human Factor Report,” the company’s vice president Kevin Epstein said:
“More than 99 percent of cyberattacks rely on human interaction to work—making individual users the last line of defense. To significantly reduce risk, organizations need a holistic people-centric cybersecurity approach that includes effective security awareness training and layered defenses that provide visibility into their most attacked users.”
Employees and individuals made aware of the nature and risks of phishing emails and social engineering attacks can be easily empowered to identify such ploys, ignore them, delete them, or report them. With security awareness training employees are far less likely to open a phishing email, click an unsavoury URL, open a malicious attachment, or fall for a scam call. They can protect both their own data and the information and network of the company they work for.
Any employee can be the recipient of a phishing email and no matter how intelligent and professional, if they don’t know the most current tactics of cybercriminals then they are at risk of falling victim to its sender.
Sign up for a free demo and find out how we’re already helping organisations just like yours.
Subscribe to the Proofpoint Blog