Proofpoint’s State of the Phish Report Reveals Ransomware and Phishing Attack Trends; Underscores Need for Tailored Security Awareness Training, Particularly for Remote Workers

The Latest in Phishing: May 2019

90% of U.S. infosec survey respondents said their workforce shifted to working from home in 2020, yet only 29% trained users on safe remote working habits

Proofpoint, Inc. (NASDAQ: PFPT), a leading cybersecurity and compliance company, today released its seventh annual State of the Phish report, which explores enterprise phishing experiences and provides an in-depth look at user awareness, vulnerability, and resilience. More than 75% of surveyed infosec professionals said their organizations faced broad-based phishing attacks—both successful and unsuccessful—in 2020, and ransomware infections impacted 66% of third-party global survey respondents.

This year’s State of the Phish report examines global third-party survey responses from more than 600 information security professionals in the U.S., Australia, France, Germany, Japan, Spain, and the UK, and highlights third-party survey findings of 3,500 working adults within those same seven countries. The report also analyzes data from more than 60 million simulated phishing attacks sent by Proofpoint customers to their employees over a one-year period, along with approximately 15 million emails reported via the user-activated PhishAlarm reporting button.

“Threat actors worldwide are continuing to target people with agile, relevant, and sophisticated communications—most notably through the email channel, which remains the top threat vector,” said Alan LeFort, senior vice president and general manager of Security Awareness Training for Proofpoint. “Ensuring users understand how to spot and report attempted cyberattacks is undeniably business-critical, especially as users continue to work remotely– often in a less secured environment. While many organizations say they are delivering security awareness training to their employees, our data shows most are not doing enough.”

Proofpoint’s State of the Phish report emphasizes the need for a people-centric approach to cybersecurity protections and awareness training that accounts for changing conditions, like those experienced by organizations throughout the pandemic. Survey findings reveal a lack of tailored training. For example, 90% of U.S. infosec survey respondents said their workforce shifted to a work-from-home model last year, but only 29% said they trained users on safe remote working.

“The findings related to remote working situations in the U.S. are eye-opening,” said LeFort. “Nearly all the American infosec professionals we surveyed said they supported a new, remote working model for at least half of their organization’s workers last year. And yet fewer than a third of these respondents said workers were trained about security practices related to working from home. At the same time, three-quarters of U.S. workers say they allow their friends and family to access work-issued devices to do things like shop online and play games. These gaps represent a significant risk and reinforce the need for security awareness training initiatives that are tailored to the remote workforce.”

Proofpoint’s State of the Phish details actionable advice as well as a deep analysis of the phishing threat landscape to help reduce risk. Key global findings include:

  • More organizations experienced successful phishing attacks in 2020 vs. 2019 (57% vs. 55%) according to the third-party survey. In addition, business email compromise (BEC) attacks continue to be a serious concern.
  • Of the two-thirds of survey respondents who said their organization experienced a ransomware infection in 2020, more than half decided to pay the ransom in the hopes of quickly regaining access to data. Of those who paid, 60% regained access to data/systems after the first payment. However, nearly 40% were hit with additional ransom demands following an initial payment—a 320% year-over-year increase. Thirty-two percent reported that they subsequently agreed to pay the additional ransom demands—a 1,500% increase over 2019.
  • Eighty percent of organizations surveyed indicated that security awareness training had reduced phishing susceptibility. But while 98% of infosec professionals surveyed said their organization had a security awareness training program, only 64% offer formal training sessions to users as part of cybersecurity training initiatives.
  • Proofpoint customers’ overall average failure rate on phishing simulations was 11%, down from 12% in 2019. The overall average resilience factor of 1.2, indicating that, in general, these organizations’ users are more likely to report a suspicious email than to interact with it.
  • Manufacturing organizations faced the highest average volume of real-world phishing attacks in 2020 according to Proofpoint Threat Research. Organizations in this industry were among the most active in testing their users’ response to phishing threats, achieving an overall failure rate of 11%.
  • At the department level, purchasing teams were top performers, with a 7% average failure rate. Maintenance and facilities teams were the worst-performing departments analyzed, registering average failure rates of 15% and 17%, respectively.

Additional U.S.-specific findings show how much cybersecurity practices and behaviors can vary by region:

  • 90% of U.S. organizations required or requested most of their users to work from home in 2020, but only 29% train their employees about best practices for remote working.
  • 74% of U.S. organizations surveyed reported experiencing a successful phishing attack in 2020, 30% higher than the global average and a 14% year-over-year increase.
  • 68% of U.S. organizations paid a ransom following a ransomware attack in 2020, twice the global average.
  • 86% of U.S. organizations faced social attacks like pretexting and account takeover while 81% faced SMS/text phishing (smishing) attacks. Eighty percent reported dealing with weaponized USB drives, and 77% faced voice phishing (vishing) attacks.  At the same time, 53% percent of U.S. organizations said they strictly use simulated phishing attacks to deliver security awareness training to end users.
  • 82% of U.S. organizations use a consequence model, meaning there are punishments for users who repeatedly fall for real or simulated phishing attacks. This was the highest of all regions surveyed.
  • 75% of U.S. working adults said they grant friends and family members access to work-issued devices. This is well above the global average (52%) and an increase from 2019 (71%).
  • U.S. working adults scored the lowest globally when asked to identify the definitions of phishing and malware, with just over half of respondents answering correctly.

Organizations are encouraged to proactively develop people-centric cybersecurity strategies that account not only for shared experiences across regions, industries, and departments, but also the threats that are unique to their missions, goals, and people.

To download the State of the Phish 2021 report, and see a full list of global and regional comparisons, please visit: For more information on cybersecurity awareness best practices and training, please visit:


About Proofpoint, Inc.

Proofpoint, Inc. (NASDAQ: PFPT) is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including more than half of the Fortune 1000, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at

Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube


Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.