Phishing emails are one of the most devious and deceptive means of cyberattack. Often sneaking past automated filters, such emails use social engineering to look real and legitimate enough to trick unsuspecting users into revealing sensitive information.

Beyond automated security tools, there are more people-centric strategies that businesses should adopt to protect themselves against phishing attacks, as described in the 2020 State of the Phish report released Wednesday by the security firm Proofpoint.

Based on a survey of working adults and IT professionals as well as other factors, Proofpoint’s report defines phishing as any type of socially engineered emails. The intent could be to deploy malware, direct users to dangerous websites, or collect sensitive credentials.

SEE: Phishing attacks: A guide for IT pros (free PDF) (TechRepublic)

About 60% of the respondents said their organization faced fewer or about the same number of phishing attacks last year compared with 2018. That may seem like positive news. However, the trend is one that Proofpoint said it’s seen for a while.

Specifically, it means that cybercriminals are focusing on quality over quantity by launching more targeted, personalized attacks instead of just bulk campaigns.

Some 55% of the respondents dealt with at least one successful phishing attack in 2019. Around 54% of those hit by an attack suffered data loss, 49% saw credentials or accounts compromised, 49% were infected by ransomware, 35% were victims of some type of malware infection, and 34% suffered some type of financial loss or wire transfer fraud.


Organizations measure the costs of phishing attacks in a number of ways. The most common side effect was downtime hours for users, cited by more than half of the respondents. Other costs included remediation time for security teams, damage to reputation, business impacts due to loss of intellectual property, direct monetary losses, and compliance issues or fines.


The ultimate goal of many phishing emails is ransomware. Some 33% of the organizations surveyed for the report were infected with ransomware in 2019 and opted to pay the ransom. Another 32% were infected but did not pay.

Among those that did pay the ransom, 22% never regained access to their data, 2% acquiesced to follow-up ransom demands and got back their data, but 7% were hit with additional ransom demands and never recovered their data.

Looking at attacks by a specific method of social engineering, 88% of organizations faced spear phishing attacks, 86% faced business email compromise (BEC), 86% social media-based attacks, 84% smishing (SMS/text phishing), 83% vishing (voice phishing), and 81% malicious USB drops.

To help your organization better defend itself against targeted phishing attacks, Proofpoint offers the following tips:

Commit to building a culture of security

If you want to truly make a change—meaning a mindset and behavior shift that has a positive, day-to-day impact on your organization—you must commit to bringing cybersecurity to the forefront.

Remember that anyone in your organization can be a target of a phishing scam and that anyone in your organization can help or hurt your security posture.

Everyone in your organization should know how they can be more cyber-secure. A broad, companywide security awareness training program will help you do that.

Some 78% of the organizations surveyed for the report said they found a reduction in their phishing susceptibility due to their security awareness training.

Answer the three Ws

You may be familiar with the “five Ws and H” that guide journalists, researchers, and investigators: who, what, where, when, why and how.

At a minimum, answer these three first: 1) Who in my organization is being targeted by attackers? The answer is not as simple as looking at the top tiers of your org chart; 2) What types of attacks are they facing? Knowing the lures and traps attackers are using can help you better position your defenses; and 3) How can I minimize risk if these attacks get through? The answer is to use the information you’ve gathered to deliver the right training to the right people at the right time.

This exercise helps you defend against your most pressing and timely threats. Assessing vulnerabilities at a more granular level and matching those up against your threat intelligence will let you pinpoint where perfect storms are brewing.

Make time for agility

When we get busy, we may want to take a “set it and forget it” approach to cybersecurity. That’s understandable. But it doesn’t work in an era of constantly shifting attack techniques and evolving threats.

Building a security culture takes continued effort and attention. Plan for regular training and reinforcement but be responsive to changes in the threat landscape (and your organization).

Attackers’ targets change over time so the firm recommends identifying the employees most actively targeted by cyberattacks on a monthly, if not weekly, basis.

By pairing granular analysis with organization-wide training, the people being targeted will have a cybersecurity foundation you can build on with additional, targeted training.

Understanding general phishing trends is important. Having benchmarks to measure your users against them is valuable. But other organizations’ data isn’t as important as your organization’s data. You must understand your own threat climate in order to change things in your environment.

“Effective security awareness training must focus on the issues and behaviors that matter most to an organization’s mission,” Joe Ferrara, senior vice president and general manager of Security Awareness Training for Proofpoint, said in a statement.

“We recommend taking a people-centric approach to cybersecurity by blending organization-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognize and report attacks.”

Proofpoint’s data was based on survey results from 3,500 working adults and 600 IT security professionals from the US, UK, Australia, France, Germany, Japan, and Spain. Information also was derived from 50 million simulated phishing attacks sent by Proofpoint customers over 12 months and nine million suspicious emails reported by the end users of the company’s customers.

Getty Images/iStockphoto