wombatsecurity | September 07, 2016

85% of polled companies victims of phishing scams in 2015, a 13% increase from 2014: Wombat Security

Canadian Underwriter
September 7, 2016

More than 8 in 10 organizations were victims of phishing scams in 2015, a 13% increase over 2014, according to a poll of companies conducted recently by Pittsburgh-based information security company Wombat Security Technologies.

Wombat Security compiled data from the “millions of phishing attacks sent through the ThreatSim and Wombat platforms” from Oct. 1, 2014 through Sept. 30, 2015, according to the company’s 2016 State of the Phish™ report, released on Tuesday. Nearly 25% of polled organizations belonged to the finance industry, followed by “other,” manufacturing and healthcare, each with between 10% and 15%. The company also sent a survey to its database of security professionals – including both customers and non-customers – and received hundreds of responses.

Wombat surveyed its database of IT security professionals and found that 85% of organizations were victims of phishing scams in 2015, and 60% of respondents reported that the number of phishing attacks is up overall. The company found that phishing emails disguised as legitimate work emails were among the most effective at “hooking” victims. In one example, a simulated phishing email disguised as an “Urgent Email Password Change” request had a 28% click rate.

“Users were most likely to click on attachments and messages they expected to see in their work inboxes, like an HR document or a shipping confirmation,” Wombat wrote in a blog posted to its website on Tuesday. “They were more cautious with messages we consider to be ‘consumer oriented,’ such as gift card offers and social networking notifications.”

The report described four types of “highly effective” phishing emails – used by cybercriminals who want to spread ransomware and gain access to sensitive personal and business information – that employees need to be cautious about:

  • Technical emails – these types of scams typically pose as error reports and bounced email notifications. A “Delivery Status Notification Failure” is a popular example, according to Wombat;
  • Corporate emails – designed to look like official corporate communications. Examples of these include benefits enrollment messages, invoices and communications about confidential human resources documents;
  • Commercial emails – these are business-related emails that may not be specific to an organization. Some of the topics of these phishing emails include insurance notifications, shipping confirmations and wire transfer requests; and
  • Consumer emails – scams designed to replicate many of the emails that are regularly sent to the general public. Examples include messages about social networking notifications, gift cards, bonus miles, frequent flier accounts, big-box store memberships and more.

“Remember, phishing attacks are often preceded by social engineering phone calls, or impostors gaining access to information or areas they should not,” the report read. “You should teach your end users to not only watch out for phishing emails, but other [social engineering] threat vectors as well. Not only are more organizations reporting being the victim of phishing attacks, but the number they are experiencing has gone up. Attackers are becoming more sophisticated and varied in their approach, using multiple threat vectors.”

Other findings included:

  • 67% of poll respondents reported experiencing spear phishing (targeted attacks), up 22% from 2014;
  • 55% have experienced phishing through phone calls (vishing) and SMS messages (smishing), and 6% have experienced phishing through USB attacks;
  • The telecommunications industry had the highest “click rates” at 24%, followed by professional services at 23%, government at 17% and insurance at 16%;
  • When asked to select all of the impacts a phishing incident had on their organization (multiple choice), 42% of respondents said a malware infection affected them, 22% reported compromised accounts, 4% reported loss of data and 50% reported “other” impacts;
  • When asked how they measure the cost of phishing incidents, 44% said lost productivity for employees, 36% said business impacts through loss of proprietary information and 20% said damage to reputation; and
  • Emails personalized with a first name had click rates 19% higher than those with no personalization; emails personalized with a last name had click rates 17% higher than those with no personalization.