Ordinateur portable protégé par une solution de sécurité informatique

2020 ‘State of the Phish’: Security Awareness Training, Email Reporting More Critical as Targeted Attacks Spike

Today, we launch our sixth annual State of the Phish report, a data-rich study that examines phishing trends on a global level. Providing an in-depth look at user phishing awareness, vulnerability and resilience, the report compiles data from multiple sources:

  • A survey of more than 3,500 working adults across seven countries (the U.S., Australia, France, Germany, Japan, Spain, and the UK)

  • A survey of more than 600 infosec professionals across those same seven countries

  • Nearly 50 million simulated phishing attacks sent by Proofpoint customers over a one-year period

  • More than 9 million suspicious emails reported by our customers end users

Key Findings

  • Nearly 90% of organizations experienced targeted phishing attacks in 2019 – Results of the infosec survey revealed that 88% of organizations worldwide faced spear phishing attacks and 86% dealt with business email compromise (BEC) attacks. This aligns with Proofpoint threat intelligence, which has shown a trend toward more targeted, personalized attacks over bulk campaigns.

  • The volume of reported email increased 67% year over year – End users reported 9.2 million suspicious messages via Proofpoint’s PhishAlarm® in-client email reporting button in 2019. Reporting should be regarded as a critical metric, as it’s a prime indicator of positive user behaviors. It’s also a valuable opportunity for organizations, as user-reported messages can alert infosec teams to potentially dangerous messages that evade perimeter defenses.

  • The vast majority of organizations said that security awareness training reduces phishing susceptibility – Nearly 80% of survey respondents indicated that their activities have led to measurable improvements.

  • Infosecurity professionals reported a high frequency of social engineering attempts across a range of methods – Cybercriminals frequently apply phishing techniques outside the inbox. In 2019, 86% of organizations dealt with social media attacks, 84% reported SMS/text phishing (smishing), 83% faced voice phishing (vishing), and 81% reported malicious USB drops.

  • Many working adults fail to follow cybersecurity best practices – Infosec teams should recognize how users’ personal choices breed organizational risk. For example, 45% of working adults admit to password reuse, more than 50% do not password-protect home networks, and 90% said they use employer-issued devices for personal activities. In addition, 32% don’t know what a virtual private network (VPN) is.

Download the Report for More Global Findings and Regional Insights

The State of the Phish report offers critical, actionable insights that will help you adopt a people-centric approach to cybersecurity. Download your copy for access to additional global findings, as well as regional survey results for each of the seven countries listed above. You’ll find information about global user awareness levels; the impacts phishing and ransomware are having on organizations worldwide; and high-level and granular views of phishing failure rates and email reporting rates.

In addition, be sure to register for our January 30 webinar, which will highlight State of the Phish analysis and advice about using the report to guide data collection efforts and cybersecurity education initiatives within your organization.