As seen on TechRepublic...
Wombat's State of the Phish report shows that attack rates remain steady, but there is some good news: user click rates have dropped.
Wombat Security has released its fourth annual State of the Phish report (registration required).
Wombat revealed that phishing rates in 2017 remained steady—76% of infosec professionals surveyed said that their companies experienced phishing attacks, roughly the same as 2016. Click rates have dropped to an average of nine percent, down from 15% in 2016, which is encouraging—users seem to be getting the message about the dangers of phishing.
The most important part of the report for infosec professionals is its breakdown of which kinds of phishing messages are the most successful.
Wombat breaks phishing messages into four categories:
Of the four, consumer and corporate messages were the overwhelming favorite of phishing campaigners in 2017—they were used in 45% and 44% of attacks, respectively.
Consumer and corporate attacks weren't the most successful, though—to find out what was the most clicked, the report digs a bit deeper into specifics. The rates at which the most successful phishing email templates were clicked are alarming—as opposed to the nine percent average across the board, each highly successful template saw click rates in the mid to high 80-percent range:
The statistics gathered by Wombat are alarming, but it's important to understand that they're all from simulated attacks using Wombat's Security Education Platform, one module of which is for conducting phishing attack simulations.
Those simulations are what give the success statistics, but the numbers in the report about the prevalence of attacks, namely that consumer and corporate phishing lead, come from real-world data.
In 2016, corporate attacks were the leader, but those have been overtaken by consumer attacks, which Wombat attributes to the growing merging of personal and business email. "As employees begin to blend their personal email accounts into their work accounts, this creates a risk with regards to consumer-themed email attacks," said Amy Baker, VP of Marketing at Wombat Security.
Baker said the blending of personal and work accounts increases infection risk because both consumer and commercial messages are now potential attack vectors on corporate networks.
Looking forward into 2018, it's important for infosec professionals and IT teams to ensure users aren't being casual in their use of business email accounts. Managed email should only be used for business purposes, and personal accounts and messages should be strictly separated. IT teams should also encourage users to access personal email only on personal devices, such as smartphones, to reduce the risk of consumer phishing to business networks.
To read Wombat's full State of the Phish 2018 report, click on the link at the beginning of this article.