More than 8 in 10 organizations were victims of phishing scams in 2015, a 13% increase over 2014, according to companies polled recently by Pittsburgh-based information security company Wombat Security Technologies.
Wombat Security compiled data from the “millions of phishing attacks sent through the ThreatSim and Wombat platforms” from Oct. 1, 2014 through Sept. 30, 2015, according to the company’s 2016 State of the Phish™ report, released on Tuesday. Nearly 25% of polled organizations belonged to the finance industry, followed by “other,” manufacturing and healthcare, each with between 10% and 15%. The company also sent a survey to its database of security professionals – including both customers and non-customers – and received hundreds of responses.
Wombat surveyed its database of IT security professionals and found that 85% of organizations were victims of phishing scams in 2015 and 60% of respondents reported that the number of phishing attacks is up overall. The company found that phishing emails disguised as legitimate work emails were some of the most effective when it comes to “hooking” victims. In one example, a simulated phishing email disguised as an “Urgent Email Password Change” request had a 28% click rate.
“Users were most likely to click on attachments and messages they expected to see in their work inboxes, like an HR document or a shipping confirmation,” Wombat wrote in a blog posted to its website on Tuesday. “They were more cautious with messages we consider to be ‘consumer oriented,’ such as gift card offers and social networking notifications.”
The report described four types of “highly effective” phishing emails – used by cybercriminals who want to spread ransomware and gain access to sensitive personal and business information – that employees need to be cautious about:
“Remember, phishing attacks are often preceded by social engineering phone calls, or impostors gaining access to information or areas they should not,” the report read. “You should teach your end users to not only watch out for phishing emails, but other [social engineering] threat vectors as well. Not only are more organizations reporting being the victim of phishing attacks, but the number they are experiencing has gone up. Attackers are becoming more sophisticated and varied in their approach, using multiple threat vectors.”
Other findings included: