Phishing attacks continue to grow in volume and complexity, supported by more aggressive social engineering practices that make phishing more difficult to prevent.
Wombat Security Technologies’ report, The State of the Phish, found that a whopping 85% of those surveyed reported being the victim of a phishing attack in 2015, up 13% from 2014; and 67% reported having been the target of a spear-phishing attack, up 22% from 2014.
The damage is real: Organizations surveyed indicated they have suffered malware infections (42%), compromised accounts (22%), and loss of data (4%) as a direct result of successful phishing attacks. Previous research conducted in 2015 on the cost of phishing and the value of employee training by Wombat and Ponemon Institute found that the majority of costs caused by successful phishing attacks are the result of the loss of employee productivity and uncontained credential compromise, among other factors, which together cost an average sized company $3.77 million per year.
The report found that the most popular and effective phishing attack vectors used subjects that employees expected to see in their work email, such as HR documents, or a shipping confirmation—these garnered the highest click rates. Employees were more cautious when receiving “consumer” emails regarding topics like gift card notifications, or social networking accounts.
That said, lures that claimed to have an “urgent email password change request” had a 28% average click rate. Interestingly, Wombat found that click rates vary per industry, with telecommunications and professional services clicking phishing emails more than other industries.
“Phishing continues to be a highly effective attack vector that is increasingly responsible for a significant percentage of data breaches in the market today,” said Trevor Hawthorn, CTO ofWombat. “In spite of continued investments in a number of popular security technologies, phishing messages continue to reach end users and can result in serious damages to a company’s critical data and reputation.
The report also noted the rise of personalized spear phishing. Spear phishers are increasingly going to great lengths to gather information on key people within an organization, in order to craft a personalized and convincing email. Emails personalized with simply a first name had click rates that were 19% higher than those with no personalization.
Organizations surveyed said they protect themselves from phishing using a variety of methods, including email spam filters (99%), outbound proxy protection (56%), advanced malware analysis (50%) and URL wrapping (24%), but employee awareness is also a key.
“Our methods have shown that a continuous training methodology which educates end users on cybersecurity threats changes employee behavior and reduces risk within an organization,” Hawthorn said.