Wombat’s ‘2016 State of the Phish’ Shows Double-Digit Rise in Phishing

Earlier this week, we released our 2016 State of the Phish™ Report, which reveals the results of a survey of hundreds of security professionals as well as data compiled from millions of simulated phishing attacks sent between October 1, 2014, and September 30, 2015. The report reflects the reality that CISOs, CSOs, and their infosec teams are facing worldwide on a daily basis: phishing and spear phishing attacks are more prevalent — and more dangerous — than ever.

Survey Says…Attacks, Victims Continue to Rise

Three key data points from the survey show year-over-year increases related to frequency and susceptibility to attacks:

• 85% of respondents said they were a victim of a phishing attack (up 13% from the prior report)
• 67% said they experienced a spear phishing attack (a 22% increase)
• 60% said they believe the rate of phishing attacks has increased overall

So, what are the ramifications of a successful phishing attack? From our perspective, it’s a question of means and ends; attackers have different means of exploiting their access, just as they have different end games — and those end games have different implications for the organizations targeted. When asked about the technical issues that resulted from successful phishing attacks on their organizations, respondents indicated that they faced the following:

• Malware infections (42%)
• Compromised accounts (22%)
• Loss of data (4%)

Looking beyond the technical side of phishing, we also asked respondents to identify the business impacts associated with successful attacks:

• 44% complained of lost employees productivity
• 36% faced consequences related to the loss of proprietary information
• 20% dealt with damage to their reputation

In general, the report shows that more aggressive social engineering practices are making phishing more difficult to prevent. Case in point, 55% of survey respondents reported experiencing voice phishing (vishing) and/or SMS/text phishing (smishing). Given that email-based attacks are often preceded by information gathering efforts like phone calls, social media trolling, and even in-person reconnaissance, it’s clear that cyber security is a many-faceted thing.

Data Says…Personalization, Topics Matter

As we mentioned, the survey told only one side of the phishing story. We also looked to the data generated through our simulated phishing attack tools over the course of a year (October 2014 through September 2015).* We analyzed a variety of data points, including the types of templates used during the simulated attacks, endpoint vulnerabilities discovered, and the types of emails reported by end users. In doing so, we were able to gain important insights into end-user behaviors and the factors that drive employees to click and interact with emails.

Templates and Click Rates

• Personalization increases engagement. Emails that included users’ first names had a 19% higher average click rate than messages with no personalization.
• Organizations used corporate-style templates in 56% of their mock attacks. Consumer-style templates were used in 29% of simulated messages. (Download the report for more information about how we define these and other template categories.)
• The most popular attack template used by organizations in 2015 was an electronic fax notification message. It had an average click rate of more than 15%. Another popular attack was an Urgent Email Password Change request, which had an average failure rate of 28%.
• Employees were most likely to click on emails that they expected to see in their business inboxes, including HR documents and shipping confirmations. They were more cautious with “consumer-oriented” emails like gift card offers and social networking notifications.

Endpoint Vulnerabilities

When an end user falls for one of our simulated attacks, we are able to fingerprint that user’s browser and plug-ins, which helps security teams identify (and address) risks. We looked back through those fingerprints and evaluated how likely it was for specific plug-ins to be out of date:

• Adobe PDF: 61%
• Adobe Flash: 46%
• Microsoft Silverlight: 27%
• Java: 25%

User-Reported Emails

We also looked through the data associated with our PhishAlarm® email reporting button and identified the types of attachments that were most likely to be included with messages that end users identified (and reported) as suspicious. PDFs were most likely to be flagged by users (29%), followed by DOC attachments (22%). HTML and XLS files came in at 13% and 12%, respectively. (The study identifies additional attachment types seen in reported emails.)

Wombat Says…Awareness, Education Training Can Help

In looking through the report, you’re likely to notice something we noticed as well: When asked what they use to protect themselves from phishing, a whopping 99% of respondents indicated they used email spam filters. This helps to prove a point we’ve made in the past: spam filters cannot catch everything.

“Phishing continues to be a highly effective attack vector that is increasingly responsible for a significant percentage of data breaches in the market today,” said Trevor Hawthorn, CTO of Wombat. “In spite of continued investments in a number of popular security technologies, phishing messages continue to reach end users and can result in serious damages to a company’s critical data and reputation.”

The good news is that security awareness training helps to reduce click rates. Our report shows that companies that used our simulated phishing attack products were able to reduce click rates by 50% after two years. Incorporating a more rounded program that pairs our interactive training with simulated attacks can accelerate and improve results, as is noted in our Case Studies and Results Snapshots (available for download in our Resource Center).

“Our methods have shown that a Continuous Training Methodology, which educates end users on cyber security threats, changes employee behavior and reduces risk within an organization,” said Hawthorn.

The simple fact is that lowering click rates lowers costs and improves the productivity of employees in general and infosec teams in particular. As was noted in 2015’s Cost of Phishing and Value of Employee Training, a Ponemon Institute study sponsored by Wombat, the majority of costs caused by successful phishing attacks are the result of the loss of employee productivity and uncontained credential compromise, among other factors — and these cost an average-sized company $3.77 million per year.

* In 2013 and 2014, ThreatSim® prepared the annual State of the Phish report. Wombat acquired ThreatSim in October 2015, which combined two of the leading simulated phishing attack tools, and enabled the companies analyze a broader set of data and survey results for this year’s report.