On Wednesday, Wombat Security Technologies released a report on the state of phishing attacks. Here's what you need to know.
On Wednesday, Wombat Security Technologies released its 2016 State of the Phish report, detailing the current phishing landscape. The research report found that, while these phishing attacks are growing in sheer number, they are also growing in their complexity based on the practices used to implement them.
To most enterprise professionals, especially those working in IT, it's understood that phishing is still a common threat. However, 85% of those surveyed for this report said that they had been the victim of a phishing attack in 2015, up 13% from the year prior. Additionally, 60% felt that the rate of phishing attacks had increased, on the whole.
Because of these attacks, 42% of those surveyed said they had suffered malware infections, while 22% suffered compromised accounts and 4% lost data. The most popular phishing campaigns were ones that employees expected to be in their inbox at work, like a document from HR. In fact, the report noted that an "urgent email password change request" had an average click rate of 28%. However, employees showed more caution with "consumer" emails for gift card offers or social network notifications.
The Wombat report also said that targeted phishing attacks, also known as "spear phishing," grew in 2015. Of respondents, 67% reported experiencing spear phishing in 2015, up 22% from the year before. Compared to emails with no personalization, emails with the employee's first name had a click rate 19% higher, and those with an employee's last name had a click rate 17% higher.
So, which industries suffered the most? Telecommunications took the top spot with a 24% click rate, and professional services, which Wombat classified as consulting, law, and accounting, was a close second with a 23% click rate. Government came in third place with a 17% click rate for phishing attacks.
Plug-ins used by employees also increased the risk of attacks, because many are outdated. According to the report, here are the top four most outdated plug-ins:
- Adobe PDF (61%)
- Adobe Flash (46%)
- Microsoft Silverlight (27%)
- Java (25%)
To protect against attacks, 99% of respondents said they utilize email spam filters, 56% said they employed outbound proxy protection, 50% use advanced malware analysis, and 24% use URL wrapping. Additionally, 92% said they train their employees to recognize and avoid phishing.
Those familiar with the space will note that the report was previously put together by the company ThreatSim, which Wombat acquired late last year. This year's report was compiled by both of the companies, who looked at millions of simulated phishing attacks sent through their platforms between October 1, 2014, and September 30, 2015.
The report also includes data gathered from a survey sent to Wombat's list of security professionals (both customers and noncustomers). While a specific number of responses wasn't provided, the press release did mention that they received "several hundred responses."
An additional report published by Wombat Security Technologies and The Ponemon Institute in 2015 put the total extrapolated cost of phishing at roughly $3.8 million for a 10,000 person company.
Three big takeaways
- Phishing continues to grow with 85% experiencing a phishing attack in 2015.
- Phishing templates that look like a corporate email are more successful than those that look like consumer emails, and personalized emails get a higher click rate from employees.
- Outdated plug-ins increase vulnerability to phishing, with the top culprits being PDF, Flash, Silverlight, and Java.